2025-04-28

Several representatives of exiled Uyghurs have been targeted by a pervasive spear phishing campaign aimed at deploying surveillance malware, researchers at the Citizen Lab have found.

In March 2025, senior World Uyghur Congress (WUC) members received Google notifications warning that their accounts had been the subject of government-backed attacks.

The WUC is an international organization headquartered in Munich. Its mission is to represent the collective interests of the Uyghur people both inside and outside of Xinjiang, the Uyghur autonomous region in China.

Forensic analysis by the Citizen Lab revealed that the spear phishing campaign was distributed through a trojanized version of a legitimate open-source word processing and spell-check tool designed for the Uyghur language. Ultimately, the campaign would deliver Windows-based malware that enabled remote surveillance.

While the malware itself was not particularly sophisticated, the attackers demonstrated a high level of understanding of the targeted community and invested significant effort into making the malicious delivery appear legitimate.

Notably, the malware was initially developed by a trusted member of the community known to members of WUC, making the malware delivery highly customized and targeted.

The technical artifacts also indicated that the attackers began preparing the campaign as early as May 2024, suggesting a well-planned and executed operation.

The Citizen Lab researchers assessed that the attackers are aligned with the Chinese government.

Kill Chain: Spear Phishing Emails and Malicious Backdoor

The malicious email messages sent to senior members of the WUC impersonated a trusted contact at a partner organization and contained Google Drive links that, if clicked, would download a password-protected .rar archive file.