China Hackers Used Trojanized UyghurEditPP App to Target Uyghur Activists

China-linked hackers targeted Uyghur activists using a Trojanized UyghurEditPP app in a spear-phishing campaign, Citizen Lab researchers reveal.

Citizen Lab reveals a targeted spear phishing campaign aimed at Uyghur activists, deploying surveillance malware disguised as a legitimate Uyghur language tool. Learn about the attack methods and suspected Chinese government involvement.

In March 2025, several leading figures within the World Uyghur Congress (WUC), an international organization based in Munich that advocates for the rights of the Uyghur people, became the targets of a carefully orchestrated cyber espionage attempt.

Researchers at the University of Toronto’s Citizen Lab report that these individuals received warnings from Google indicating that their online accounts were, allegedly, under attack by state-sponsored actors.

Google Alerts Sent to WUC (Source: The Citizen Lab)

The method used in this campaign was spear phishing, which is a targeted form of attack where emails are crafted to appear legitimate and trustworthy to specific individuals. In this case, the malicious emails impersonated a known contact from a partner organization of the WUC.

Phishing Email (Source: The Citizen Lab)

These emails contained links to Google Drive, which, if clicked, would lead to the download of a password-protected archive file. This archive held a compromised version of UyghurEditPP, a genuine open-source word processing and spell-check tool specifically designed for the Uyghur language.

The recipients had no idea that this seemingly harmless application was Trojanized, meaning it contained a hidden backdoor. Once the infected UyghurEditPP was executed on a victim’s computer, this backdoor would silently gather system information, including the machine name, username, IP address, operating system version, and a unique hash derived from the hardware. This data was then transmitted to a remote command-and-control (C2) server.

The server’s operators could then send instructions back to the infected device, enabling them to perform various malicious actions such as downloading files from the target, uploading additional malicious files (including further malware), and executing commands through uploaded plugins.

The Citizen Lab’s analysis of the campaign’s infrastructure reveals two distinct command-and-control clusters. The first, likely active between June 2024 and February 2025, used domain names mimicking the UyghurEditPP tool’s developer (gheyret[.]com, gheyret[.]net, and uheyret[.]com).

The second, targeting the WUC between December 2024 and March 2025, used subdomains registered through Dynu Services, incorporating Uyghur words but not directly referencing the tool or its developer.

Both clusters shared the same Microsoft certificate and used IP addresses belonging to Choopa LLC, a hosting provider used by various cyber threat actors. This dual infrastructure indicates either that the attackers shifted tactics over time or that they were targeting different segments within the Uyghur community.
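The naming pattern described above (typosquats of the developer’s domain in the first cluster, dynamic-DNS subdomains in the second) lends itself to a simple DNS-log check. The following is an added example, not code from the article or from Citizen Lab: it flags queries to the three domains the report names, near-misses of the developer’s label, and subdomains under a dynamic-DNS zone. The `dynu.net` zone and all log lines are constructed assumptions for illustration; the article names only the provider, Dynu.

```python
"""Flag DNS queries that resemble the UyghurEditPP C2 naming patterns."""

# Domains reported for the first C2 cluster (written defanged in the article).
KNOWN_C2_DOMAINS = {"gheyret.com", "gheyret.net", "uheyret.com"}
# The legitimate developer label those domains mimic.
DEVELOPER_LABEL = "gheyret"
# ASSUMPTION: "dynu.net" stands in for a Dynu dynamic-DNS zone; the article
# only says the second cluster's subdomains were registered through Dynu.
DYNAMIC_DNS_ZONES = {"dynu.net"}


def levenshtein(a, b):
    """Edit distance, used to catch one-letter variants of the developer label."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(qname):
    """Return a reason string if qname matches a C2 naming pattern, else None."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return None
    registrable = ".".join(labels[-2:])  # naive "domain.tld" (no public-suffix list)
    if registrable in KNOWN_C2_DOMAINS:
        return "known-c2"
    if registrable in DYNAMIC_DNS_ZONES and len(labels) > 2:
        return "dynamic-dns-subdomain"
    if labels[-2] != DEVELOPER_LABEL and levenshtein(labels[-2], DEVELOPER_LABEL) <= 1:
        return "developer-lookalike"
    return None


def scan_dns_log(lines):
    """Parse constructed 'timestamp client qname' lines; return (client, qname, reason)."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 3 and (reason := classify(parts[2])):
            hits.append((parts[1], parts[2], reason))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    "2025-03-02T10:15:01Z 10.0.0.12 www.google.com",
    "2025-03-02T10:15:07Z 10.0.0.12 gheyret.net",
    "2025-03-02T10:16:30Z 10.0.0.15 update.gheyrat.com",
    "2025-03-02T10:17:02Z 10.0.0.15 sample-host.dynu.net",
]

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_LOG):
        print(hit)
```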

Furthermore, researchers highlighted the high level of social engineering in the delivery of the surveillance malware, while the malware itself was not especially advanced. The attackers demonstrated a deep understanding of the Uyghur community, leveraging the trust placed in the original developer of UyghurEditPP, who is known to members of the WUC.

This suggests a highly customized and targeted operation, possibly beginning in May 2024. The campaign likely involved ties to the Chinese government (detailed in Citizen Lab’s full report, available as a PDF), aligning with its known efforts to conduct transnational repression against the Uyghur community.

HackRead
