Uyghur community targeted in spearphishing campaign likely by Chinese government

Members of the World Uyghur Congress (WUC) were targeted in March with a malware-laced version of a legitimate Uyghur language tool—likely part of a broader pattern of Chinese state-linked attacks designed to surveil and silence the Uyghur diaspora.

According to research from Citizen Lab, a trojanized version of UyghurEditPP, a trusted open-source text editor, was circulated via spearphishing emails to senior WUC members, with links to malware that profiled victims’ systems, exfiltrated personal data, and could deploy further malicious plugins.

The attack wasn’t especially technically groundbreaking, but it was effective in its targeting. Impersonating a partner organization, attackers sent messages urging recipients to “test” an updated version of the software—a hacked version of a tool originally authored by a known Uyghur developer. Once installed, the malicious file connected to command-and-control domains themed with culturally significant Uyghur words such as Tengri and Anar.

Citizen Lab found that this malware shared hallmarks of other China-linked spyware operations: mimicry of trusted developers, use of outdated but functional backdoors, and infrastructure tied to hosting platforms frequently abused by state-sponsored actors. Though attribution remains cautious, the tactics are consistent with China’s well-documented playbook for repressing exiles through digital means. The incident reflects a disturbing global reality: diaspora communities are under siege in the digital realm.