Tsering Dhundup
DHARAMSHALA, April 10: Global cybersecurity agencies have issued a joint advisory warning about sophisticated spyware targeting individuals and communities connected to Tibet, Taiwan, East Turkestan and Falun Gong.
The UK’s National Cyber Security Centre (NCSC), in collaboration with cybersecurity agencies from Australia, Canada, Germany, New Zealand, and the United States, including the FBI and NSA, released the warning on April 9, 2025.
The advisory identifies two spyware variants, ‘Badbazaar’ and ‘Moonshine’, being deployed by malicious cyber actors to compromise the mobile devices of communities deemed a threat to the Chinese Communist Party. These tools collect sensitive data without the user being aware, including real-time location information, audio recordings, camera access, messages, and photos from infected devices, and are believed to serve the interests of the Chinese state.
Groups most at risk from these surveillance tools include supporters of Taiwan’s independence, Tibetan rights organisations and activists, Uyghur Muslims (especially those from Xinjiang), advocates for democratic reform in China, and followers of the Falun Gong faith. These communities have been considered politically sensitive by the Chinese government, which has reportedly made extensive efforts to control or silence dissent both within and beyond its borders.
The spyware operates by “trojanising” legitimate-appearing apps, embedding malicious functions that run without users’ knowledge. Examples include apps specifically designed to appeal to targeted communities, such as “Tibet One” and “Audio Quran”, which were tailored to attract members of the Tibetan and Uyghur communities, respectively. Other trojanised apps mimic popular services like WhatsApp and Skype to trick users into installation.
Spyware-infected apps are being used to target individuals and organisations worldwide who are tied to activities “considered by the Chinese state to pose a threat to its stability”, NCSC said in a press release.
Paul Chichester, Director of Operations at the NCSC, emphasised the commitment to protecting vulnerable individuals, stating, “With our international and industry partners, we are committed to helping equip individuals at risk of online surveillance with the information they need to counter spyware threats. We are seeing a rise in digital threats designed to silence, monitor, and intimidate communities across borders, and the use of these two forms of spyware is clearly unacceptable.”
The advisory includes comprehensive technical analysis and mitigation advice for app store operators, developers, and social media companies. It also offers specific recommendations for at-risk individuals, including using only trusted app stores, avoiding jailbreaking devices, regularly reviewing installed apps and their permissions, reporting suspicious messages, and maintaining vigilance when using social media or accessing shared files and links.
In addition to the main advisory, authorities have published a supplementary document with in-depth technical breakdowns and guidance for those who may have been compromised by the malware. Together, these resources highlight the growing threat of digital surveillance against civil society actors, particularly those involved in causes deemed sensitive by the Chinese state.
This advisory follows several recent reports documenting similar activities. In December 2024, the Tibetan Computer Emergency Readiness Team (TibCERT) published findings on coordinated cyber espionage campaigns against Tibetan organisations over the past 20 years.
Earlier, in April 2024, Turquoise Roof, a team of Tibet-focused cybersecurity analysts, detailed how hackers with links to the Chinese government targeted members of the Tibetan government-in-exile and the office of the Dalai Lama.
In March 2024, cybersecurity firm ESET identified a Chinese-linked threat group called Evasive Panda as responsible for targeted cyberattacks against Tibetan users since September 2023.