A persistent cyber espionage campaign, attributed to a threat actor named EvilBamboo, has been targeting Tibetan, Uyghur, and Taiwanese individuals and organizations.
Furthermore, this campaign involves the creation of fraudulent Tibetan websites and social media profiles, which are used to distribute browser-based exploits to the targeted users. EvilBamboo, previously known as Evil Eye, has been active since at least 2019, employing watering hole attacks to deliver spyware to Android and iOS devices. The group is also associated with other aliases such as Earth Empusa and POISON CARP.
The attacks against Apple’s mobile operating system exploited a zero-day vulnerability in the WebKit browser engine, known as Insomnia, which was subsequently patched by Apple in early 2019. Furthermore, Meta detected the threat actor using its platforms to distribute malicious websites hosting the malware. EvilBamboo is known to deploy Android malware like ActionSpy and PluginPhantom, disguised as dictionary, keyboard, and prayer apps on third-party app stores, to harvest sensitive data from compromised devices.
Recent discoveries by Volexity have linked three new Android espionage tools to EvilBamboo, including BADBAZAAR, BADSIGNAL, and BADSOLAR. These tools are distributed through various means, including fake websites, Telegram channels, and bogus social media profiles.
The campaign relies on users unwittingly installing backdoored apps, highlighting the importance of only downloading apps from trusted sources and the need for improved security mechanisms on official app stores.
EvilBamboo’s tactics involve creating fake websites and tailored personas, enabling them to build trusted communities for further exploitation and spyware distribution.