In March 2025, a sophisticated cyber-espionage campaign was identified, targeting senior members of the World Uyghur Congress (WUC) residing in exile. This operation utilized a compromised version of UyghurEdit++, an open-source word processing and spell-check tool designed for the Uyghur language, to infiltrate Windows systems and conduct surveillance.
The attack commenced with spear-phishing emails that impersonated trusted contacts from partner organizations. These emails contained links to Google Drive, leading recipients to download a password-protected RAR archive. Within this archive was a malicious variant of UyghurEdit++, which, upon execution, profiled the infected system and transmitted the data to an external server. The malware, written in C++, was also capable of downloading additional malicious plugins and executing commands through these components.
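The delivery chain above (download of a password-protected archive, extraction, launch of the trojanized editor from the extraction folder, then an outbound connection) leaves a recognisable sequence in endpoint telemetry. The following is an added detection sketch, not code from the original report or from the UyghurEdit++ project: it correlates constructed endpoint events and flags a process that came from a freshly extracted download, does not match a known-good release hash, and then connects out. The event schema, hostnames, paths, hashes and the known-good allowlist are all constructed for illustration.

```python
"""Correlate constructed endpoint events for the trojanized-editor delivery chain.

Added example, not code from The Citizen Lab's report or the UyghurEdit++ project.
All hostnames, paths, hashes and addresses below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Dict

# Hypothetical allowlist: SHA-256 of the vendor's signed release build.
# A real deployment would populate this from the vendor's published checksums.
KNOWN_GOOD_SHA256 = {
    "uyghuredit++.exe": "constructed-known-good-digest",
}


@dataclass
class Event:
    ts: int            # seconds since epoch (constructed values)
    kind: str          # "download", "extract", "exec" or "netconn"
    host: str          # endpoint hostname
    path: str = ""     # archive, extraction directory or process image path
    sha256: str = ""   # image hash, present on exec events
    pid: int = 0       # process id, present on exec and netconn events
    dest: str = ""     # remote address, present on netconn events


def flag_chain(events: Iterable[Event], window: int = 900) -> List[Dict]:
    """Return one finding per process that (1) was launched from a directory
    extracted within `window` seconds, (2) does not carry a known-good hash and
    (3) opened an outbound connection within `window` seconds of launching."""
    by_host: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)

    findings = []
    for host, evs in by_host.items():
        extract_dirs: Dict[str, int] = {}  # extraction directory -> time extracted
        for e in evs:
            if e.kind == "extract":
                extract_dirs[e.path.rstrip("\\/")] = e.ts
                continue
            if e.kind != "exec":
                continue
            image_dir, _, image_name = e.path.rpartition("\\")
            extracted_at = extract_dirs.get(image_dir)
            if extracted_at is None or e.ts - extracted_at > window:
                continue  # not launched from a recent extraction
            if KNOWN_GOOD_SHA256.get(image_name.lower()) == e.sha256:
                continue  # matches the vendor's release build; benign
            conns = [c for c in evs
                     if c.kind == "netconn" and c.pid == e.pid
                     and 0 <= c.ts - e.ts <= window]
            for c in conns:
                findings.append({
                    "host": host,
                    "image": e.path,
                    "sha256": e.sha256,
                    "dest": c.dest,
                    "seconds_since_extract": e.ts - extracted_at,
                })
    return findings


# Constructed sample telemetry: ws-01 shows the full suspicious chain,
# ws-02 launches a build whose hash matches the allowlist and is ignored.
SAMPLE_EVENTS = [
    Event(1000, "download", "ws-01", r"C:\Users\a\Downloads\UyghurEditPP.rar"),
    Event(1060, "extract", "ws-01", r"C:\Users\a\Downloads\UyghurEditPP"),
    Event(1120, "exec", "ws-01", r"C:\Users\a\Downloads\UyghurEditPP\UyghurEdit++.exe",
          sha256="constructed-unknown-digest", pid=4242),
    Event(1180, "netconn", "ws-01", pid=4242, dest="203.0.113.10"),
    Event(2000, "extract", "ws-02", r"C:\Users\b\Downloads\UyghurEditPP"),
    Event(2050, "exec", "ws-02", r"C:\Users\b\Downloads\UyghurEditPP\UyghurEdit++.exe",
          sha256="constructed-known-good-digest", pid=5151),
    Event(2100, "netconn", "ws-02", pid=5151, dest="198.51.100.5"),
]


def run_sample() -> List[Dict]:
    """Run the correlation over the constructed sample events."""
    return flag_chain(SAMPLE_EVENTS)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The hash allowlist is the key defensive control here: a trojanized build distributed through a file-sharing link will not match the digest the project publishes for its release, so a mismatch on an editor launched from a download folder is worth an analyst's attention even before any network activity is seen.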
The Citizen Lab, a digital rights research laboratory at the University of Toronto, initiated an investigation after the targets received Google notifications on March 5, 2025, alerting them to government-backed attacks on their accounts. Their analysis revealed that the malware delivery was meticulously tailored to reach the intended victims, with technical evidence indicating that activities related to this campaign began as early as May 2024.
This incident is part of a broader pattern of cyber-attacks aimed at the Uyghur diaspora, reflecting a strategy of digital transnational repression. The attackers demonstrated a deep understanding of the target community, suggesting alignment with the Chinese government’s objectives. China’s extensive campaign of transnational repression targets Uyghurs based on their ethnic identity and activities, aiming to control their connections to their homeland, monitor the flow of information regarding human rights conditions in the region, and influence global perceptions of Chinese policies in Xinjiang.
Historically, similar cyber-attacks have been documented. In December 2024, a threat group known as Earth Minotaur employed the MOONSHINE exploit kit and the DarkNimbus backdoor to target Tibetan and Uyghur communities. This campaign exploited vulnerabilities in Chromium-based browsers to deliver malware capable of extensive data exfiltration, including device metadata, screenshots, and communication logs. The attackers used social engineering tactics, sending messages via instant messaging apps to lure victims into clicking malicious links disguised as legitimate content.
In March 2021, Facebook disrupted a cyber-espionage operation by a Chinese state-sponsored group known as Evil Eye, which targeted Uyghur activists, journalists, and dissidents living abroad. The attackers used fake Facebook accounts to distribute links leading to malicious websites, compromising both iOS and Android devices with spyware designed for surveillance. The malware was linked to Chinese companies Beijing Best United Technology Co., Ltd. and Dalian 9Rush Technology Co., Ltd., indicating a complex network of vendors supporting these operations.
Earlier, in February 2013, the Chinese government was implicated in malware attacks against the World Uyghur Congress. These attacks utilized spear-phishing emails with malicious Word documents exploiting vulnerabilities in Microsoft Word for OS X. The embedded malware, known as TinySHell, provided attackers with remote access to compromised systems, enabling long-term monitoring and control.
The consistent targeting of Uyghur activists through advanced cyber-espionage campaigns underscores the persistent threats faced by this community. These operations not only aim to monitor and suppress Uyghur voices but also to disrupt their advocacy efforts on a global scale. The use of tailored malware, social engineering, and exploitation of trusted platforms highlights the need for heightened cybersecurity awareness and protective measures among vulnerable groups.
As digital surveillance tactics continue to evolve, it is imperative for human rights organizations and activists to remain vigilant. Implementing robust security protocols, conducting regular system updates, and fostering awareness about phishing tactics are crucial steps in mitigating the risks posed by such targeted cyber-attacks.