The UK’s National Cyber Security Centre (NCSC) issued an urgent warning regarding two spyware variants, MOONSHINE and BADBAZAAR. These malware tools are part of a targeted surveillance campaign, aimed at communities such as Uyghur, Tibetan, and Taiwanese individuals, and civil society organizations. The NCSC, alongside international partners, revealed that these variants have been linked to Chinese-backed hacking groups, POISON CARP and APT15. The spyware is used to steal personal data from infected devices and track victims in real time.
MOONSHINE and BADBAZAAR are delivered through seemingly legitimate apps that attract specific communities. For example, “Tibet One,” an iOS app, was used to deliver BADBAZAAR spyware to Tibetan users. Another example, “Audio Quran,” presented itself as a religious app but used MOONSHINE to target Uyghur Muslims.
These apps were promoted on community-specific online platforms, such as Telegram and Reddit, making them more likely to be downloaded by victims.
Once installed, the spyware has the ability to access sensitive data from a victim’s device, including microphone and camera footage, text messages, contact information, and location data. The malware also allows remote monitoring of real-time activities, which can facilitate harassment or intimidation. The NCSC’s advisory also highlighted that these threats are part of a broader attempt to silence and intimidate specific political and ethnic groups that challenge Chinese authority.
The NCSC, along with cybersecurity agencies from Australia, Canada, Germany, New Zealand, and the United States, has urged individuals at risk to take preventive actions.
Recommendations include downloading apps only from official stores, regularly reviewing app permissions, and being cautious with suspicious links shared on social media. The NCSC has also called for stronger monitoring and removal processes by app store operators to prevent the spread of such spyware.