Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
April 28, 2025, 8:51 a.m.
Description
This analysis details a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) in March 2025. The attackers used a trojanized version of a legitimate Uyghur language text editor to deliver Windows-based malware for remote surveillance. While not technically advanced, the malware delivery was well-customized to reach the Uyghur community. This incident is part of a broader pattern of digital transnational repression against the Uyghur diaspora by actors likely aligned with the Chinese government. The malware profiled systems, sent information to remote servers, and could load additional malicious plugins. The campaign demonstrates the ongoing digital threats facing exiled Uyghur communities and the exploitation of software meant to support marginalized cultures.
Date
- Created: April 28, 2025, 4:42 a.m.
- Published: April 28, 2025, 4:42 a.m.
- Modified: April 28, 2025, 8:51 a.m.
Indicators
Additional Information
- NGO
- Government
- China