A sophisticated cyberattack targeted senior members of the World Uyghur Congress (WUC), the largest Uyghur diaspora organization, using a weaponized version of UyghurEditPP, a trusted open-source Uyghur-language text editor.
This incident exemplifies the technical evolution of digital transnational repression and the exploitation of cultural software by state-aligned threat actors, likely linked to the Chinese government.
Infection Chain: Social Engineering Meets Technical Subterfuge
The attack began with a spearphishing email, impersonating a partner organization and referencing Ramadan to build trust.
The email urged WUC members to download and test UyghurEditPP via a Google Drive link. The archive contained a trojanized version of the legitimate software, which, once executed, performed expected text editing functions but also installed a backdoor component named “GheyretDetector.exe”.
This backdoor exploited the trust placed in community-developed tools, a tactic made more effective by the scarcity of Uyghur-language software due to cultural suppression in China.
The malware’s technical core resided in the application’s MainFormLoad event, which triggered the release and persistent execution of the malicious payload. Persistence was achieved by creating a scheduled task (“gheyretUpdater”) that ran every five minutes, ensuring the malware survived system reboots and maintained continuous access to the infected host.
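The persistence mechanism described above (a scheduled task firing every five minutes and launching a dropped executable) is something a defender can hunt for on any Windows host. The following is an added example, not code from the Citizen Lab report or from UyghurEditPP: it reads a constructed, simplified subset of the columns that `schtasks /query /v /fo CSV` prints and flags tasks that both repeat at a short interval and run a binary from a user-writable directory. The task name `gheyretUpdater` and the five-minute interval come from the report; every path, user name and the other rows are invented for the sample.

```python
import csv
import io
import re
from typing import Dict, List, Optional

# Constructed sample, not real host data: a four-column subset of the
# `schtasks /query /v /fo CSV` output. Only the task name and the five-minute
# interval mirror the report; every path and user name is invented.
SAMPLE_CSV = """\
"TaskName","Task To Run","Repeat: Every","Run As User"
"\\Microsoft\\Windows\\Defrag\\ScheduledDefrag","C:\\Windows\\system32\\defrag.exe -c -h -o","N/A","SYSTEM"
"\\gheyretUpdater","C:\\Users\\alice\\AppData\\Roaming\\UyghurEditPP\\GheyretDetector.exe","0 Hour(s), 5 Minute(s)","alice"
"\\OneDrive Standalone Update Task","C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDriveStandaloneUpdater.exe","N/A","alice"
"\\Adobe Acrobat Update Task","C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe","0 Hour(s), 1 Minute(s)","SYSTEM"
"""

# Directories an unprivileged user (or malware running as that user) can write to.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")

# schtasks renders the repeat interval as "H Hour(s), M Minute(s)".
INTERVAL_RE = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)")


def repeat_interval_minutes(value: str) -> Optional[int]:
    """Parse the 'Repeat: Every' column; None when the task does not repeat."""
    m = INTERVAL_RE.search(value or "")
    if not m:
        return None
    return int(m.group(1)) * 60 + int(m.group(2))


def executable_of(command: str) -> str:
    """Return the executable path from a 'Task To Run' value, dropping arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split(" ", 1)[0]


def runs_from_user_writable_path(command: str) -> bool:
    return executable_of(command).lower().startswith(USER_WRITABLE_PREFIXES)


def find_suspicious_tasks(csv_text: str, max_interval_minutes: int = 5) -> List[Dict]:
    """Flag tasks that repeat at most every `max_interval_minutes` AND run a
    binary from a user-writable location. Either signal alone is common on a
    healthy host (updaters, telemetry); the combination is what matched the
    reported persistence mechanism."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        interval = repeat_interval_minutes(row.get("Repeat: Every", ""))
        if interval is not None and interval <= max_interval_minutes:
            reasons.append(f"repeats every {interval} min")
        if runs_from_user_writable_path(row.get("Task To Run", "")):
            reasons.append("binary lives in a user-writable directory")
        if len(reasons) == 2:
            findings.append({"task": row["TaskName"],
                             "command": row["Task To Run"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tasks(SAMPLE_CSV):
        print(f["task"], "->", f["command"], ";", "; ".join(f["reasons"]))
```

On a real host, pipe `schtasks /query /v /fo CSV` into this instead of the sample; the two-signal rule keeps the OneDrive and Adobe rows (each matching only one signal) out of the findings while the `gheyretUpdater` row is reported.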
Technical Capabilities and Command Infrastructure
Once installed, the malware initiated a comprehensive system profiling routine. It collected device identifiers, usernames, IP addresses, operating system versions, and hashed hardware details.
This information was then transmitted to a remote command-and-control (C2) server, hardcoded as tengri[.]ooguy[.]com with a backup of anar[.]gleeze[.]com; both domains were chosen for their cultural resonance with Uyghur and Turkic communities.
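Hardcoded C2 domains and a fixed five-minute task interval also leave a network-side trace: the infected host resolves the same name at near-constant intervals. The following is an added example, not code from the report: it takes the two defanged indicators named above, refangs them only in memory, and runs both an indicator match and a simple beacon-periodicity test over constructed DNS query log lines (timestamp, host, queried name; the format, hosts and all non-indicator names are invented for this example).

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Indicators as published in the report, kept defanged on disk and in
# source; they are refanged only in memory for matching.
KNOWN_C2_DEFANGED = ["tengri[.]ooguy[.]com", "anar[.]gleeze[.]com"]


def refang(domain: str) -> str:
    return domain.replace("[.]", ".").lower()


KNOWN_C2 = {refang(d) for d in KNOWN_C2_DEFANGED}

# Constructed sample log ("<ISO timestamp> <host> <queried name>"), written
# for this example rather than taken from any real sensor.
SAMPLE_LOG = """\
2025-04-01T09:00:03 ws-alice tengri.ooguy.com
2025-04-01T09:00:41 ws-alice www.example.org
2025-04-01T09:05:04 ws-alice tengri.ooguy.com
2025-04-01T09:10:02 ws-alice tengri.ooguy.com
2025-04-01T09:12:30 ws-alice cdn.example.net
2025-04-01T09:15:03 ws-alice tengri.ooguy.com
2025-04-01T09:20:05 ws-alice tengri.ooguy.com
2025-04-01T09:01:10 ws-bob updates.example.com
2025-04-01T09:31:10 ws-bob updates.example.com
2025-04-01T10:01:10 ws-bob updates.example.com
2025-04-01T09:00:00 ws-carol static.example.net
2025-04-01T09:00:01 ws-carol static.example.net
2025-04-01T09:00:02 ws-carol static.example.net
2025-04-01T09:00:03 ws-carol static.example.net
"""


def parse_log(text: str) -> Dict[Tuple[str, str], List[datetime]]:
    """Group query timestamps by (host, queried name)."""
    seen: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name = line.split()
        seen[(host, name.lower())].append(datetime.fromisoformat(ts))
    return seen


def beacon_score(times: List[datetime], min_events: int = 4) -> Optional[Tuple[float, float]]:
    """Return (median gap in seconds, jitter) or None when there are too few
    events. Jitter is the coefficient of variation of the gaps between
    queries; a scheduled task firing every N minutes yields a very low value."""
    if len(times) < min_events:
        return None
    times = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median_s = statistics.median(gaps)
    if median_s == 0:
        return None
    return median_s, statistics.pstdev(gaps) / median_s


def find_beacons(text: str, min_interval_s: float = 60, max_interval_s: float = 15 * 60,
                 max_jitter: float = 0.1) -> List[dict]:
    findings = []
    for (host, name), times in parse_log(text).items():
        reasons = []
        if name in KNOWN_C2:
            reasons.append("matches a C2 domain named in the report")
        score = beacon_score(times)
        # The lower bound on the interval keeps ordinary page loads (bursts of
        # lookups a second apart) from being mistaken for a beacon.
        if score is not None:
            median_s, jitter = score
            if min_interval_s <= median_s <= max_interval_s and jitter <= max_jitter:
                reasons.append(f"regular lookups about every {median_s / 60:.1f} min")
        if reasons:
            findings.append({"host": host, "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f["host"], f["name"], "; ".join(f["reasons"]))
```

The periodicity test is deliberately independent of the indicator list, so it still fires when the operators rotate to a domain that has not been published; the half-hourly updater on `ws-bob` has too few events to score, and the burst on `ws-carol` is excluded by the one-minute lower bound.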
The backdoor’s modular architecture allowed operators to deploy additional plugins for expanded functionality, such as file upload/download, arbitrary command execution, and further surveillance operations.
This plugin-based design enabled attackers to customize their toolkit for specific targets, maintaining operational stealth until a high-value system was identified.
The C2 infrastructure leveraged IP addresses hosted by Choopa LLC’s AS20473, a network frequently abused by Chinese threat actors.
Notably, the servers used a self-signed TLS certificate impersonating Microsoft, featuring deprecated cryptographic standards and a negative serial number, clear indicators of malicious intent and an attempt to evade detection by security tools.
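Each of the certificate traits listed above is mechanically checkable. The following is an added example, not code from the report: it assumes the certificate has already been parsed by a TLS library into the handful of fields shown (the `CertSummary` class is a shape assumed for this example, not a real library type) and applies the checks. It also shows why a "negative" serial number arises at all: DER integers are two's complement, and a non-conforming issuer that omits the leading 0x00 pad on a high-bit serial produces one. Both sample certificates are constructed; their values are not taken from the report.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Signature hash algorithms no longer acceptable for certificates
# (MD5 collisions are practical; browsers stopped accepting SHA-1 in 2017).
DEPRECATED_SIG_HASHES = {"md5", "sha1"}
# Longest validity a publicly trusted CA may issue (CA/Browser Forum, since 2020).
MAX_PUBLIC_VALIDITY = timedelta(days=398)


@dataclass
class CertSummary:
    """Fields a TLS library exposes for a parsed certificate (an assumed
    shape for this example, not a real library type)."""
    subject: str               # RFC 4514 string, e.g. "CN=example.org"
    issuer: str
    serial_der: bytes          # content octets of the serialNumber INTEGER
    signature_algorithm: str   # e.g. "sha256WithRSAEncryption"
    not_before: datetime
    not_after: datetime


def decode_der_serial(content: bytes) -> int:
    """DER INTEGER content is big-endian two's complement. RFC 5280 requires a
    positive serial, so a conforming issuer prepends 0x00 whenever the top bit
    of the first byte is set; a certificate whose first content byte is 0x80
    or higher therefore decodes as negative, which no compliant CA produces."""
    return int.from_bytes(content, "big", signed=True)


def signature_hash(algorithm_name: str) -> str:
    m = re.search(r"md5|sha1|sha224|sha256|sha384|sha512", algorithm_name.lower())
    return m.group(0) if m else "unknown"


def check_certificate(cert: CertSummary, brand_keywords=("microsoft",)) -> List[str]:
    """Return the red flags found; an empty list means nothing stood out."""
    flags = []
    self_signed = cert.subject == cert.issuer
    if self_signed:
        flags.append("self-signed: issuer equals subject")
    if self_signed and any(k in cert.subject.lower() for k in brand_keywords):
        flags.append("names a well-known brand without any CA having vouched for it")
    serial = decode_der_serial(cert.serial_der)
    if serial <= 0:
        flags.append(f"non-positive serial number ({serial})")
    if signature_hash(cert.signature_algorithm) in DEPRECATED_SIG_HASHES:
        flags.append(f"deprecated signature hash in {cert.signature_algorithm}")
    if cert.not_after - cert.not_before > MAX_PUBLIC_VALIDITY:
        flags.append("validity period longer than any public CA would issue")
    return flags


# Constructed sample certificates (values invented for this example): one
# shaped like the traits the report lists, one benign.
SUSPICIOUS_CERT = CertSummary(
    subject="CN=*.microsoft.com,O=Microsoft Corporation",
    issuer="CN=*.microsoft.com,O=Microsoft Corporation",
    serial_der=bytes.fromhex("ab12cd34ef567890"),    # top bit set, no 0x00 pad
    signature_algorithm="sha1WithRSAEncryption",
    not_before=datetime(2024, 1, 1),
    not_after=datetime(2034, 1, 1),
)
BENIGN_CERT = CertSummary(
    subject="CN=www.example.org",
    issuer="CN=Example Intermediate CA,O=Example Trust Services",
    serial_der=bytes.fromhex("00ab12cd34ef567890"),  # padded, so positive
    signature_algorithm="sha256WithRSAEncryption",
    not_before=datetime(2025, 3, 1),
    not_after=datetime(2025, 5, 30),
)

if __name__ == "__main__":
    for label, cert in (("suspicious", SUSPICIOUS_CERT), ("benign", BENIGN_CERT)):
        print(label, check_certificate(cert) or ["no findings"])
```

None of these flags proves a server is hostile on its own (internal test systems are often self-signed), but a certificate that trips all of them while claiming to be Microsoft is exactly the profile the report describes and is cheap to alert on at a TLS-inspecting proxy.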
Attribution, Impact, and Defensive Measures
According to the report, while Citizen Lab did not conclusively attribute the campaign to a specific group, the tactics, targeting, and infrastructure closely mirror previous China-aligned cyber operations against Uyghur, Tibetan, and Hong Kong communities.
The attackers demonstrated deep knowledge of Uyghur cultural dynamics and diaspora needs, using social engineering and technical subversion to undermine trust in essential language preservation tools.
The broader context is China’s ongoing campaign of digital transnational repression, where malware, phishing, and online harassment are deployed to surveil, intimidate, and silence exiled communities.
The psychological impact is profound, fostering self-censorship and eroding confidence in digital resources vital for cultural survival.
Security experts recommend that at-risk communities:
- Only download software from official repositories or verified developer sites.
- Check for code-signing certificates and warnings about unknown publishers.
- Scrutinize domain names for typosquatting or impersonation.
- Remain vigilant for phishing attempts, especially those referencing cultural or religious events.
This incident highlights the urgent need for coordinated defense measures by host governments, tech platforms, and civil society to protect vulnerable diaspora communities from state-sponsored digital threats.