25 March 2021

Chinese hackers used Facebook to target dissidents, activists with iOS, Android malware

Facebook said it has disrupted a cyberespionage operation orchestrated by China-backed hackers that has been targeting activists, journalists and dissidents predominantly among Uyghurs living abroad.

The threat actor behind this campaign is believed to be a hacker group known as Earth Empusa or Evil Eye. The malicious actor used Facebook to distribute links to malicious websites hosting malware.

According to Facebook’s Mike Dvilyanski and Nathaniel Gleicher, the attackers combined several tactics: they set up malicious websites disguised as popular Uyghur and Turkish news sites, and they compromised legitimate websites to deliver the iOS malware known as INSOMNIA, a watering-hole approach in which victims are infected simply by visiting a site they already trust.

The group also used fake Facebook accounts posing as journalists, students, human rights advocates or members of the Uyghur community to trick targets into clicking on malicious links, and it created websites masquerading as third-party Android app stores, where it published malicious Uyghur-themed applications designed to infect devices with the ActionSpy or PluginPhantom Android spyware.

“Our industry peers have been tracking parts of this activity as being driven by a single threat actor broadly known as Earth Empusa, or Evil Eye, or PoisonCarp. Our investigation confirmed that the activity we are disrupting today closely aligns with the first two — Earth Empusa or Evil Eye. While PoisonCarp shares some TTPs including targeting and use of some of the same vendor-developed malware, our on-platform analysis suggests that it is a separate cluster of activity,” according to a blog post.

Facebook said it blocked malicious domains from being shared on its platform, removed the group’s accounts and notified people it believes were targeted by this threat actor.
