info@thehackernews.com (The@The Hacker News
//
A new report from Citizen Lab has uncovered a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) living in exile. The attackers utilized a trojanized version of UyghurEditPP, a legitimate open-source text editor designed to support the Uyghur language, to deliver Windows-based malware. This campaign highlights the concerning trend of digital transnational repression, where software intended to empower repressed communities is instead weaponized against them. The method involved impersonating a known contact from a partner organization of the WUC to deliver a Google Drive link containing the malicious file.
Once the infected UyghurEditPP was executed, a hidden backdoor would silently gather system information, including the machine name, username, IP address, and operating system version. This data was then transmitted to a remote command-and-control (C2) server, allowing the attackers to perform various malicious actions, such as downloading files or uploading additional malicious plugins. Citizen Lab researchers noted that the attackers displayed a deep understanding of the target community, using culturally significant Uyghur and Turkic language terms in the C2 infrastructure to avoid raising suspicion.
Researchers believe that state-aligned actors are behind this campaign, reflecting a broader pattern of Chinese government actors targeting the Uyghur community. While the malware itself wasn't particularly advanced, the campaign showcased a high level of social engineering. The discovery emphasizes the ongoing threats faced by the Uyghur diaspora and the need for increased vigilance against digital surveillance and hacking attempts. This incident adds to the growing evidence of digital transnational repression, where governments use digital technologies to surveil, intimidate, and silence exiled communities.
Recommended read:
References :
- The Citizen Lab: Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
- securityonline.info: Weaponized Uyghur Language Software: Citizen Lab Uncovers Targeted Malware Campaign
- techcrunch.com: Citizen Lab says exiled Uyghur leaders targeted with Windows spyware
- securityonline.info: Researchers at Citizen Lab have exposed a spearphishing campaign targeting senior members of the
- The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
- thecyberexpress.com: Text Editor Used in Targeted Uyghur Spying
- The Register - Software: Open source text editor poisoned with malware to target Uyghur users
- The Hacker News: Malware Attack Targets World Uyghur Congress Leaders via Trojanized UyghurEdit++ Tool
- Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
- citizenlab.ca: 🚩 Trojanized UyghurEdit++ Text Editor Used to Target Uyghur Diaspora With Windows Surveillance Malware
- The Cyber Express: Trojanized Text Editor Software Used in Targeted Uyghur Spy Campaign
- hackread.com: China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.…
- Security Risk Advisors: State-aligned actors trojanized UyghurEdit++ to target diaspora via phishing. Backdoor exfiltrates system data and downloads plugins. #Uyghur #ThreatIntel
- www.scworld.com: Uyghur leaders subjected to malware attack
@cloud.google.com
//
Google's Threat Intelligence Group (GTIG) has released its annual review of zero-day exploits, revealing a concerning shift towards enterprise-targeted attacks in 2024. The report highlights a persistent rise in zero-day exploitation, with 75 vulnerabilities actively exploited in the wild. While this number represents a decrease from the 98 exploits observed in 2023, it remains higher than the 63 recorded in 2022, indicating a continued upward trend. The GTIG's analysis divides these vulnerabilities into two main categories: end-user platforms and products, and enterprise-focused technologies such as security software and appliances.
Of the 75 zero-day exploits tracked in 2024, a significant 44% targeted enterprise products. This indicates a strategic shift from attackers who are increasingly recognizing the value in compromising systems that house sensitive data. In contrast, the exploitation of browsers and mobile devices has decreased, falling by about a third and half, respectively. This shift towards enterprise technologies suggests that attackers are focusing on more lucrative targets that offer greater potential rewards. The GTIG report also notes that exploit chains made up of multiple zero-day vulnerabilities continue to be almost exclusively used to target mobile devices.
Government-backed hackers and commercial surveillance vendors (CSVs) are the primary actors behind many of these exploits. The GTIG report indicates that governments like China and North Korea, along with spyware makers, are responsible for the most recorded zero-days in 2024. Specifically, at least 23 zero-day exploits were linked to government-backed hackers, with 10 directly attributed to governments including five linked to China and five to North Korea. Additionally, spyware makers and surveillance enablers were responsible for eight exploits, suggesting that the industry will continue to grow as long as government customers continue to request and pay for these services.
Recommended read:
References :
- Threat Intelligence: Hello 0-Days, My Old Friend: A 2024 Zero-Day Exploitation Analysis
- securityaffairs.com: Google tracked 75 zero-day flaws exploited in 2024, down from 98 in 2023, according to its Threat Intelligence Group’s latest analysis.
- techcrunch.com: Governments like China and North Korea, along with spyware makers, used the most recorded zero-days in 2024.
- The Hacker News: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
- CyberInsider: The Google Threat Intelligence Group (GTIG) has published its annual review of zero-day exploits for 2024, revealing a gradual but persistent rise in zero-day exploitation and a concerning shift towards enterprise-targeted attacks.
- The Register - Security: Enterprise tech dominates zero-day exploits with no signs of slowdown
- cyberinsider.com: Google Logs 75 Zero-Days in 2024, Enterprise Attacks at All-Time High
- securityonline.info: Google Reports 75 Zero-Days Exploited in 2024 — 44% Targeted Enterprise Security Products
- BleepingComputer: Google's Threat Intelligence Group (GTIG) says attackers exploited 75 zero-day vulnerabilities in the wild last year, over 50% of which were linked to spyware attacks.
- www.techradar.com: Of all the zero-days abused in 2024, the majority were used in state-sponsored attacks by China and North Korea.
- thecyberexpress.com: Google's Threat Intelligence Group (GTIG) released its annual analysis of zero-day exploitation, detailing how 2024 saw attackers increasingly target enterprise software and infrastructure over traditional consumer platforms like browsers and mobile devices.
- cloud.google.com: Threat actors exploited 75 zero-days last year, with 33 of those targeting enterprise products
- socradar.io: Google’s 2024 Zero-Day Report: Key Trends, Targets, and Exploits In late April, Google’s Threat Intelligence Group (GTIG) published its annual report on zero-day exploitation, offering a detailed account of in-the-wild attacks observed throughout 2024. The report draws on GTIG’s original breach investigations, technical analysis, and insights from trusted open-source reporting. GTIG tracked 75 zero-day vulnerabilities
- Security Risk Advisors: Zero-Day Exploitation Continues to Grow with Shifting Focus Toward Enterprise Security Products
info@thehackernews.com (The@The Hacker News
//
Russian military personnel are being targeted by a new Android spyware campaign that disguises itself as a legitimate Alpine Quest mapping application. The spyware, dubbed Android.Spy.1292.origin, is distributed through unofficial channels, including Russian Android app catalogs and a fake Telegram channel promoting a pirated "Pro" version of the app. Once installed, the trojanized app functions like the original Alpine Quest, a popular navigation tool used by outdoor enthusiasts and also relied upon by Russian soldiers in military zones due to its offline capabilities. This allows the malware to remain undetected while it secretly harvests sensitive data from the compromised device.
The spyware collects a wide range of information, including the user's phone number, contact lists, geolocation data, and a list of files stored on the device. This data is then sent to a remote command-and-control server and a Telegram bot controlled by the attackers. The attackers are particularly interested in retrieving confidential documents shared via messaging apps like Telegram and WhatsApp. The malware also targets a specific file called "locLog" created by Alpine Quest, which logs detailed user movement data. By stealing this file, the attackers can reconstruct the victim's movements over time, enabling surveillance.
Security researchers at Doctor Web discovered the campaign and noted the modular design of the spyware, which allows attackers to expand its capabilities by downloading additional modules. This can enable the exfiltration of specific content and execute a wider spectrum of malicious tasks. The attacks mirror tactics previously deployed by Russian groups against Ukrainian soldiers, seeking to access data from military apps and encrypted messaging apps. Experts advise downloading Android apps only from trusted app marketplaces and avoiding downloading "free" paid versions of software from dubious sources to mitigate the risk posed by such threats.
Recommended read:
References :
- hackread.com: Fake Alpine Quest Mapping App Spotted Spying on Russian Military
- Risky.Biz: Risky Bulletin: Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics
- Risky Business Media: Risky Bulletin: Russian military personnel targeted with Android spyware
- The Hacker News: Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices
- bsky.app: Podcast: risky.biz/RBNEWS415/ Newsletter: https://news.risky.biz/risky-bulletin-russian-military-personnel-targeted-with-android-spyware-reminiscent-of-russias-own-tactics/ -Russian military personnel targeted with Android spyware reminiscent of Russia's own tactics -Hegseth involved in 2nd Signalgate scandal -two CISA Secure by Designs execs leave -Asian cyber scam call centers spread worldwide
- The Hacker News: Android Spyware Disguised as Alpine Quest App Targets Russian Military Devices
- BleepingComputer: Russian army targeted by new Android malware hidden in mapping app
- github.com: Details on trojanized Alpine Quest app version
- The Register - Security: Booby-trapped Alpine Quest Android app geolocates Russian soldiers
- www.scworld.com: Spyware-laced app targeted Russian military phones
- securityaffairs.com: Android spyware hidden in mapping software targets Russian soldiers
- The DefendOps Diaries: Espionage Threats: Android.Spy.1292.origin and Military Cybersecurity
@NCSC News Feed
//
A coalition of governments, including the UK, US, Australia, Canada, Germany, and New Zealand, has issued an alert regarding the use of BADBAZAAR and MOONSHINE spyware. These sophisticated tools are being used to target civil society groups and ethnic minorities, specifically Uyghur, Taiwanese, and Tibetan communities. The spyware is embedded within seemingly legitimate Android applications, effectively acting as Trojan malware to gain unauthorized access to sensitive data. These malicious apps are designed to appear harmless, often mimicking popular apps or catering to specific interests of the targeted groups.
These spyware families are capable of accessing a wide range of information on infected devices, including location data, microphone and camera feeds, messages, photos, and other stored files. The UK's National Cyber Security Centre (NCSC) has stated that the targeted individuals are those connected to topics considered a threat to the Chinese state, such as Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy, and the Falun Gong spiritual movement. The indiscriminate nature of the spyware's spread raises concerns that infections may extend beyond the intended targets, potentially affecting a broader range of users.
The advisory includes a list of over 100 malicious Android apps that have been identified as carrying the BADBAZAAR and MOONSHINE spyware. These apps often masquerade as Muslim and Buddhist prayer apps, chat applications like Signal, Telegram, and WhatsApp, or utility apps like Adobe Acrobat PDF reader. To mitigate the risk, individuals are urged to download apps only from official app stores, keep their devices and apps up to date, avoid rooting or jailbreaking their devices, and carefully review app permissions before installation. The NCSC and its partners continue to monitor the activities of these malicious cyber actors and provide guidance to help individuals protect themselves from these evolving threats.
Recommended read:
References :
- thecyberexpress.com: Global Cybersecurity Agencies Warn of Spyware Targeting Uyghur, Tibetan, and Taiwanese Communities
- ComputerWeekly.com: NCSC issues warning over Chinese Moonshine and BadBazaar spyware
- NCSC News Feed: BADBAZAAR and MOONSHINE: Spyware targeting Uyghur, Taiwanese and Tibetan groups and civil society actors
- Danny Palmer: The NCSC has put out a warning on how malicious cyber actors are using two forms of spyware - dubbed MOONSHINE and BADBAZAAR - hiding in otherwise legit mobile apps to target individuals in Uyghur, Tibetan and Taiwanese communities as well as civil society groups.
- Zack Whittaker: A coalition of global governments have identified dozens of Android apps that are bundled with the prolific BadBazaar and Moonshine spyware strains, which they say are targeting civil society who oppose China's state interests.
- techcrunch.com: Governments identify dozens of Android apps bundled with spyware
- Threats | CyberScoop: BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns
- techcrunch.com: Governments warn of BadBazaar and Moonshine spyware, MSFT issued fixes for at least 121 flaws, Scattered Spider persists after arrests, UK probes suicide forum, Hackers abuse SourceForge to distribute malware, Dutch gov't to screen researchers and students for espionage risks, much more
- NCSC News Feed: The NCSC has put out a warning on how malicious cyber actors are using two forms of spyware - dubbed MOONSHINE and BADBAZAAR - hiding in otherwise legit mobile apps to target individuals in Uyghur, Tibetan and Taiwanese communities as well as civil society groups.
- securityonline.info: Spyware Alert: BADBAZAAR and MOONSHINE Target Civil Society and Ethnic Groups
- cyberscoop.com: BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns
- Tenable Blog: Tenable Blog on Mobile Spyware Attacks
- cyberinsider.com: CyberInsider article on Western intelligence agencies exposing Chinese spyware
Alex Lekander@CyberInsider
//
Amnesty International's Security Lab has uncovered evidence that two investigative journalists from the Serbia-based Balkan Investigative Reporting Network (BIRN) were targeted with NSO Group’s Pegasus spyware in February 2025. This marks the third time in two years that Amnesty International has found Pegasus being used against civil society members in Serbia, building upon previous findings detailed in their December 2024 report, "A Digital Prison." The journalists received suspicious text messages, and research confirmed the links led to a domain previously identified as part of NSO Group's infrastructure.
These latest findings reinforce concerns about Serbian authorities abusing invasive spyware to target journalists, activists, and other members of civil society. NSO Group responded to Amnesty International's findings by stating they cannot comment on specific customers or disclose technical information, while reiterating their commitment to respecting human rights and upholding the UN Guiding Principles on Business and Human Rights. Despite this commitment, security researchers are increasingly able to detect Pegasus attacks, suggesting challenges for NSO Group in maintaining operational security and concealing their activities.
Recommended read:
References :
- securitylab.amnesty.org: Journalists targeted with Pegasus spyware - Amnesty International Security Lab
- CyberInsider: Viber Messenger Abused for Delivering Pegasus Spyware on Targets
- thecyberexpress.com: Investigative Journalists in Serbia Hit by Advanced Spyware Attack
- techcrunch.com: Again and again, NSO Group’s customers keep getting their spyware operations caught
- infosec.exchange: NEW: Despite its lofty promises of invisibility, NSO Group customers keep getting their spyware operations against journalists and dissidents caught. “NSO has a basic problem: they are not as good at hiding as their customers think,” said John Scott-Railton, who has investigated spyware for 10+ years. This week, it was the turn of the Serbian government, who allegedly targeted two journalists with NSO Group's spyware Pegasus, according to Amnesty International.
- PrivacyDigest: Again and again, Group’s customers keep getting their operations caught | TechCrunch On Thursday, published a new report detailing attempted against two , allegedly carried out with NSO Group’s spyware .
- ESET Research: NEW: Despite its lofty promises of invisibility, NSO Group customers keep getting their spyware operations against journalists and dissidents caught. “NSO has a basic problem: they are not as good at hiding as their customers think,� said John Scott-Railton, who has investigated spyware for 10+ years. This week, it was the turn of the Serbian government, who allegedly targeted two journalists with NSO Group's spyware Pegasus, according to Amnesty International.
- The420.in: The murky world of cyber surveillance has once again been thrust into the spotlight as Amnesty International uncovered an attempt to hack two Serbian journalists using Pegasus, the notorious spyware developed by Israeli firm NSO Group.
Paolo Tarsitano@Cyber Security 360
//
Citizen Lab researchers have identified several countries as potential customers of Paragon Solutions' Graphite spyware, which was used in attacks against human rights defenders. The investigation mapped the infrastructure of the Israel-based spyware maker, identifying servers likely used by customers in Australia, Canada, Cyprus, Denmark, Israel, and Singapore. The findings follow WhatsApp's notification to numerous individuals that Paragon exploited the platform to deliver spyware to their phones.
The Citizen Lab report includes an infrastructure analysis of Graphite, a forensic analysis of infected devices belonging to members of civil society, and a closer look at the spyware's use in Canada and Italy. Meta (WhatsApp) confirmed these details were pivotal to their ongoing investigation into Paragon which allowed them to fix a zero-click exploit.
Paragon’s executive chairman, John Fleming, responded that Citizen Lab shared only a "very limited amount of information" beforehand, "some of which appears to be inaccurate," while declining to specify what was inaccurate. Despite Paragon's claims of selling only to democracies, the report raises concerns about potential abuse, suggesting their safeguards may not be sufficient.
Recommended read:
References :
- infosec.exchange: Researchers mapped out the infrastructure of spyware maker Paragon Solutions, and say they were able to identify servers likely used by customers in several countries: Australia, Canada, Cyprus, Denmark, Israel, and Singapore. Paragon’s executive chairman John Fleming said Citizen Lab shared in advance "very limited amount of information, some of which appears to be inaccurate." He declined to say what was inaccurate exactly.
- The Citizen Lab: In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon's mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy. —
- techcrunch.com: Researchers name several countries as potential Paragon spyware customers
- CyberInsider: Paragon’s Spyware ‘Graphite’ Used in WhatsApp Attacks
- securityaffairs.com: WhatsApp fixed zero-day flaw used to deploy Paragon Graphite spyware
- Zack Whittaker: Researchers at Citizen Lab have named several countries as potential customers of Paragon's Graphite spyware, which Citizen Lab says was used in a widespread campaign targeting human rights defenders in Italy.
- Metacurity: Australia, Canada, Cyprus, Denmark, Israel, and Singapore likely bought Paragon spyware, Citizen Lab
- The Hacker News: Six Governments Likely Use Israeli Paragon Spyware to Hack IM Apps and Harvest Data
- BleepingComputer: WhatsApp patched zero-day flaw used in Paragon spyware attacks
- Cyber Security 360: Italia spiata: svelata la rete dello spyware Paragon Graphite
- hackread.com: Israeli Spyware Graphite Targeted WhatsApp with 0-Click Exploit
- The Register - Security: Paragon spyware deployed against journalists and activists, Citizen Lab claims
- Christoffer S.: A First Look at Paragon's Proliferating Spyware Operations" investigates Paragon Solutions, an Israeli spyware vendor founded in 2019 that sells a product called Graphite.
- IT-Connect: Une faille zero-click sur WhatsApp a été exploitée par un spyware de Paragon, à l'aide d'un simple document PDF.
- Zack Whittaker: This week's edition of ~ this week in security ~ includes a look at Citizen Lab's report revealing Paragon spyware customers and victims, CISA scrambling to contact fired staff after court reverses layoffs, and Wiz joining Google Cloud. Plus, a brand new cyber cat, and more. Sign up/RSS: Read online: Donate/support:
info@thehackernews.com (The@The Hacker News
//
North Korea-linked APT group ScarCruft has been identified deploying a new Android spyware dubbed KoSpy, targeting Korean and English-speaking users. The spyware was distributed through fake utility apps on the Google Play Store and third-party app stores like APKPure. At least five malicious applications, masquerading as File Manager, Phone Manager, Smart Manager, Software Update Utility, and Kakao Security, were used to trick users into installing the spyware onto their devices.
The malicious apps offer the promised functionality to avoid raising suspicion while stealthily deploying spyware-related components in the background. The spyware is designed to collect a wide range of data from compromised devices, including SMS messages, call logs, device location, files in local storage, screenshots, keystrokes, Wi-Fi network information, and the list of installed applications. It's also equipped to record audio and take photos. The apps have since been removed from the app marketplace.
Recommended read:
References :
- infosec.exchange: NEW: North Korean government hackers snuck spyware onto the official Android app store, and tricked a few people to download it, according to Lookout.
- techcrunch.com: North Korean government hackers snuck spyware on Android app store
- The DefendOps Diaries: KoSpy: Unmasking the North Korean Spyware Threat
- PCMag UK security: Suspected North Korean Hackers Infiltrate Google Play With 'KoSpy' Spyware
- BleepingComputer: New North Korean Android spyware slips onto Google Play
- bsky.app: A new Android spyware named 'KoSpy'Â is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps. https://www.bleepingcomputer.com/news/security/new-north-korean-android-spyware-slips-onto-google-play/
- The Record: A North Korean nation-state group tracked as APT37 or ScarCruft placed infected utilities in Android app stores as part of an espionage campaign, according to researchers
- www.scworld.com: Android spyware ‘KoSpy’ spread by suspected North Korean APT
- securityaffairs.com: North Korea-linked APT group ScarCruft spotted using new Android spyware KoSpy
- bsky.app: A new Android spyware named 'KoSpy'Â is linked to North Korean threat actors who have infiltrated Google Play and third-party app store APKPure through at least five malicious apps.
- The Hacker News: The North Korea-linked threat actor known as ScarCruft is said to have been behind a never-before-seen Android surveillance tool named KoSpy targeting Korean and English-speaking users.
- securityonline.info: North Korea’s APT ScarCruft Places Spyware on Google Play
- securityaffairs.com: North Korea-linked APT group ScarCruft used a new Android spyware dubbed KoSpy to target Korean and English-speaking users.
- Secure Bulletin: New Android spyware “KoSpy� linked to North Korean APT37
- securityonline.info: North Korean ScarCruft APT Targets Users with Novel KoSpy Android Spyware
- Carly Page: North Korean-linked hackers uploaded Android spyware to Google Play. The spyware, which collects an “extensive amount� of sensitive data, was downloaded more than 10 times before Google removed it, according to Lookout
|
|
FlagThis - #spyware