In a concerning development reported in March 2025, senior members of the World Uyghur Congress (WUC), who are currently living in exile, have become victims of a sophisticated cyber-attack. The attack involves Windows-based malware designed for surveillance, specifically targeting individuals who advocate for the rights of the Uyghur people.

The recent spear-phishing campaign utilized a trojanized version of UyghurEdit++, a legitimate open-source word processing and spell-checking tool created to support users of the Uyghur language. This targeted approach highlights not only the intent to disrupt communications within the Uyghur community but also the lengths to which perpetrators are willing to go to infiltrate their digital environments.

The Citizen Lab, a digital rights research laboratory based at the University of Toronto, published a report on the investigation, stating that although the malware itself may not exhibit advanced technical capabilities, the method of delivery was highly tailored to effectively reach its intended audience. The report indicates that activities linked to this campaign may have commenced as early as May 2024, suggesting a prolonged and ongoing effort to surveil individuals associated with the WUC.

The investigation was initiated after several targets received alarming notifications from Google, alerting them that their accounts had potentially been compromised in attacks believed to be backed by government entities. Notably, some of these warnings were issued on March 5, 2025, raising immediate concerns within the community about their digital security.

The spear-phishing emails appeared to come from trusted contacts within partner organizations and included links to Google Drive. Clicking on these links, however, led to the download of a password-protected RAR archive that contained the malicious version of UyghurEdit++. This compromised software was equipped to profile the infected Windows system and exfiltrate sensitive information to an external server identified as tengri.ooguy[.]com.

To add to the threat, the spyware, written in C++, is capable of not only gathering information but also downloading additional malicious plugins and executing commands on the infected device, significantly increasing the risk for targeted individuals.

These findings represent a troubling continuation of a series of highly focused cyber assaults aimed at the Uyghur diaspora, underscoring a pattern of digital transnational repression. While the specific perpetrators of these attacks remain unidentified, the sophisticated techniques employed and the attackers' deep understanding of the Uyghur community strongly suggest that these efforts are aligned with the Chinese government's ongoing surveillance operations.

The Citizen Lab articulated that China's extensive campaign of transnational repression targets Uyghurs both on the basis of their ethnic identity and activities. The overarching aim of these surveillance efforts appears to be to control the diaspora's connections to their homeland, manage the flow of information regarding human rights abuses in Xinjiang, and influence international public perception of China's policies in the region.