In a new report, researchers at Citizen Lab have exposed a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC), living in exile. The attackers hijacked a trusted Uyghur language text editing software, weaponizing it to deliver Windows-based malware designed for surveillance and control.
“In March 2025, senior members of the World Uyghur Congress (WUC) living in exile were targeted with a spearphishing campaign aimed at delivering Windows-based malware capable of conducting remote surveillance against its targets,” the Citizen Lab report states.
This campaign underscores a disturbing pattern where software intended to empower repressed communities is instead co-opted into tools of digital transnational repression.
The malware was embedded in a trojanized version of UyghurEditPP, a legitimate open-source text editor developed to support the Uyghur language. The original developer was known and trusted within the Uyghur community, making the deception particularly insidious.
“The malware was delivered through a trojanized version of a legitimate open source word processing and spell check tool developed to support the use of the Uyghur language,” the researchers detailed.
Once executed, the malicious software would profile the system, send collected information to a remote command-and-control (C2) server, and could potentially download additional malicious plugins to the infected machine.
The backdoor embedded in the software was designed to collect and transmit:
- Machine name
- Username
- IP address
- Operating system version
- Unique device identifiers (via MD5 hash)
It communicated with C2 domains like tengri[.]ooguy[.]com and fallback addresses such as anar[.]gleeze[.]com, cleverly disguised using culturally significant Uyghur and Turkic language terms to avoid raising suspicion.
“The use of known words further highlights the targeted nature of this campaign,” Citizen Lab researchers noted.
The malware’s modular design allowed operators to deploy additional capabilities only after verifying a system as a legitimate target.
The attack is part of a wider trend of digital transnational repression — the use of hacking, malware, and online surveillance to silence diaspora communities abroad.
“Digital transnational repression arises when governments use digital technologies to surveil, intimidate, and silence exiled and diaspora communities,” Citizen Lab explained.
The Uyghur diaspora, alongside Tibetans and Hong Kong activists, has been a persistent target of such repression by actors likely aligned with the Chinese government.
The command-and-control servers were hosted in IP ranges known to be abused by threat actors and used a self-signed, spoofed Microsoft.COM certificate, further indicating a state-level sophistication behind the campaign.
While Citizen Lab stops short of definitive attribution, the tactics, targets, and infrastructure strongly resemble previously documented campaigns attributed to Chinese government-linked actors.
“Trojanizing their projects by implanting malware causes harm beyond the immediate phishing attempt because it sows fear and uncertainty about the very tools aiming to support and preserve the community,” the report emphasizes.
Citizen Lab calls for greater protection of these vulnerable cultural digital tools and recommends vigilance among users when downloading software — particularly for communities at risk.