
A recent advisory from the National Cyber Security Centre (NCSC UK) and its international partners describes the activities of malicious cyber actors using sophisticated spyware to target specific groups of people. The advisory focuses on two particular spyware variants, BADBAZAAR and MOONSHINE, and their use in targeting Uyghur, Taiwanese, and Tibetan groups, as well as civil society actors.
The NCSC and its partners have observed that BADBAZAAR and MOONSHINE are specifically used against individuals connected to topics the Chinese state considers a threat. This includes, but is not limited to, those involved with:
- Taiwanese independence
- Tibetan rights
- Uyghur Muslims and other ethnic minorities from China’s Xinjiang Uyghur Autonomous Region
- Democracy advocacy (including Hong Kong)
- The Falun Gong spiritual movement
This targeting affects various individuals and organizations, including NGOs, journalists, businesses, and activists. The advisory also warns that the “indiscriminate way this spyware is spread online” means that infections can spread beyond the intended targets.
The advisory details how MOONSHINE and BADBAZAAR function as trojans. These malicious applications are disguised as legitimate apps and distributed through app stores or online file-sharing services. Users are tricked into downloading and installing these apps, which then exploit device vulnerabilities or user-granted permissions to access sensitive information. This information can include:
- Location data (including real-time tracking)
- Microphone and camera access
- Messages, photos, and files stored on the device
- Device information
The actors behind these campaigns often exploit the interests of at-risk groups by creating apps that would appeal to them, such as apps in their native languages or with region-specific content. Examples include the TibetOne and Uyghur Quran apps.
The NCSC advisory provides several mitigation measures to help individuals protect themselves against these threats. Key recommendations include:
- Downloading apps only from official app stores: Using official stores like the Google Play Store or Apple App Store provides a greater level of assurance as these stores typically scan for malware.
- Keeping devices and apps up to date: Regularly installing updates is crucial as they often include security patches.
- Avoiding rooting or jailbreaking devices: Modifying devices in this way bypasses security controls and increases vulnerability to attacks.
- Reviewing apps and their permissions: Regularly checking installed apps and restricting permissions can minimize data exposure.
The advisory emphasizes that following these guidelines can significantly reduce the risk of infection.
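The last recommendation, reviewing installed apps and the permissions they have been granted, can be turned into a repeatable check. The script below is an added example and not part of the NCSC advisory: it parses the text that `adb shell dumpsys package` prints for an Android device and reports every package holding a granted runtime permission that maps to the data categories named above (location, microphone, camera, messages, photos and files). The sample input is constructed for the example and only approximates the real `dumpsys package` layout; the field names and indentation are assumptions, as is the set of permissions treated as sensitive, so adjust both to the device and Android version you are auditing.

```python
"""Audit granted Android runtime permissions from `adb shell dumpsys package` output.

Added example (not from the NCSC advisory). Run `adb shell dumpsys package > dump.txt`
on a trusted workstation, then feed the file to audit(). The sample text below is
constructed for this example and approximates the real dumpsys layout.
"""
import re
from collections import defaultdict

# Runtime permissions that correspond to the data categories the advisory lists.
# Assumption: this mapping is the example's own choice, not an Android or NCSC list.
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location (background)",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "photos/files",
    "android.permission.READ_MEDIA_IMAGES": "photos",
}

# "Package [com.example.app] (hash):" starts each package record in dumpsys output.
PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
# "android.permission.X: granted=true, flags=[...]" lines carry the grant state.
PERM_RE = re.compile(r"^\s+(android\.permission\.\w+): granted=(true|false)")


def parse_granted_permissions(dumpsys_text):
    """Return {package: set(granted runtime permission names)}.

    Only the 'runtime permissions:' block is counted; 'install permissions:' are
    normal (non-dangerous) grants and 'requested permissions:' are not grants at all.
    """
    granted = defaultdict(set)
    current = None
    in_runtime = False
    for line in dumpsys_text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            current = m.group(1)
            in_runtime = False
            granted.setdefault(current, set())  # record packages with no grants too
            continue
        if current is None:
            continue
        stripped = line.strip()
        if stripped == "runtime permissions:":
            in_runtime = True
            continue
        if stripped.endswith("permissions:"):  # any other permission section ends the block
            in_runtime = False
            continue
        m = PERM_RE.match(line)
        if m and in_runtime and m.group(2) == "true":
            granted[current].add(m.group(1))
    return dict(granted)


def audit(dumpsys_text, trusted=()):
    """Return [(package, [data categories])] for packages not in `trusted` that hold
    at least one granted sensitive runtime permission, sorted by package name."""
    findings = []
    for pkg, perms in sorted(parse_granted_permissions(dumpsys_text).items()):
        if pkg in trusted:
            continue
        categories = sorted({SENSITIVE_PERMISSIONS[p] for p in perms if p in SENSITIVE_PERMISSIONS})
        if categories:
            findings.append((pkg, categories))
    return findings


# Constructed sample: three hypothetical third-party packages; not real apps.
SAMPLE_DUMPSYS = """\
Package [com.example.tibetan.reader] (3f2a1b):
    userId=10234
    requested permissions:
      android.permission.INTERNET
      android.permission.RECORD_AUDIO
      android.permission.ACCESS_FINE_LOCATION
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
Package [com.example.flashlight] (9c77de):
    userId=10235
    install permissions:
      android.permission.INTERNET: granted=true
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
Package [com.example.notes] (11aa22):
    userId=10236
    User 0: ceDataInode=0 installed=true hidden=false
      runtime permissions:
        android.permission.READ_CONTACTS: granted=false, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    for pkg, categories in audit(SAMPLE_DUMPSYS):
        print(f"{pkg}: can access {', '.join(categories)}")
```

On the constructed sample the script flags the reader app for microphone and location and the flashlight app for messages, while the notes app is silent because its only sensitive permission was denied. A flashlight that can read SMS is exactly the kind of mismatch between an app's stated purpose and its grants that the advisory's permission review is meant to surface; the `trusted` argument lets you suppress packages you have already vetted so that repeated runs only show changes.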