A coordinated spear-phishing campaign has targeted senior members of the exiled Uyghur community, delivering surveillance malware through an altered version of a trusted language tool, according to a new report from researchers at The Citizen Lab.
In March 2025, senior officials from the Munich-based World Uyghur Congress (WUC) received Google alerts about government-backed attempts to breach their accounts. A forensic investigation by The Citizen Lab revealed that the attacks deployed Windows malware hidden inside a trojanized version of UyghurEditPP, an open-source text editor widely used within the Uyghur diaspora.
While the malware itself was not technically advanced, its method of delivery demonstrated a deep understanding of the Uyghur exile community and exploited trusted relationships. The editor was initially developed by a known figure within the community.
The attack infrastructure included two clusters of malicious domains, one mimicking the UyghurEditPP developer and another using Uyghur-language terms in its URLs, both tied to IP addresses managed by Choopa LLC, a provider previously linked to cyber threat actors. The campaign is believed to have been in development since May 2024.
Once installed, the malware profiled infected systems and connected to a command-and-control server to receive further instructions, including uploading or downloading files and executing additional code. The attackers’ apparent goal was to gather intelligence on legitimate Uyghur community members.
The Citizen Lab believes that the attackers were likely aligned with Chinese state interests, given the targets and the tactics used.