A trusted Uyghur-language text editor has been weaponized to target exiled Uyghur activists, says a new investigation by Citizen Lab.
In this campaign, threat actors are exploiting culturally significant software to conduct digital surveillance against the Uyghur diaspora, a community already under intense pressure from the Chinese government.
This incident is the latest in a series of digital attacks against Uyghur, Tibetan, and other diaspora communities. For years, Chinese state-aligned actors have used malware, phishing, and spyware, often hidden in culturally relevant apps, to monitor, intimidate, and silence critics abroad.
Spearphishing Attack Targets World Uyghur Congress
The attack began with a spearphishing email sent to senior members of the World Uyghur Congress (WUC), an entity representing Uyghurs in exile. The email, disguised as a message from a partner organization, asked recipients to download and test a Uyghur-language software tool.
The attached Google Drive link led to a password-protected archive containing a trojanized version of UyghurEditPP, a legitimate open-source text editor widely used in the community.
While the application seemed genuine, it secretly installed malware upon execution, which profiled the infected system, sent information to remote command-and-control servers, and was capable of downloading additional malicious plugins for further surveillance.
Cultural Tools as Attack Vectors
The malefactors’ strategy was highly customized: by compromising a tool developed by a trusted Uyghur programmer, they increased the chances that targets would install the malware without question. The campaign’s infrastructure included domains and servers named with Uyghur and Central Asian cultural references such as “tengri” and “anar”-to blend in with legitimate community resources.
Citizen Lab’s technical analysis revealed that the malware could collect system information, including the machine name, username, IP address, OS version, upload and download files, and execute arbitrary commands via custom plugins.
By using modular plugins, bad actors can tailor their operations to each target, which helps them maintain stealth and flexibility.
A Long-Term, Multi-Stage Operation
Evidence points to the campaign being part of a broader, long-term effort. The actors behind it registered multiple domains impersonating the UyghurEditPP developer as early as May last year, setting up fake download pages to distribute their trojanized software.
Later, they shifted to new domains, possibly targeting different segments of the Uyghur community or evading detection.
Both clusters of domains used the same fraudulent Microsoft TLS certificate and were hosted on infrastructure known to be abused by malefactors.
Attribution and Implications
Although Citizen Lab could not categorically name the attacker, the methods and targets bear a close resemblance to past China-centric cyber-espionage attacks. The campaign is an example of the threat of transnational repression that happens in the digital space where trusted cultural tools are turned against communities they were meant to benefit in the first place.
The psychological impact of such attacks runs deep, inducing insecurity, fear, and distress within the targeted groups. Since Uyghurs remain repressed in their home country and under surveillance abroad, weaponizing language tools is an alarming trend in trying to control and silence a vulnerable diaspora.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.