Exiled Uyghur Activists Targeted With Windows Spyware Disguised as Uyghur Language Tool, Citizen Lab Reports

Sophisticated Phishing Campaign Targets Exiled Uyghur Activists: Hackers Hijack UyghurEdit++ to Deploy Spyware on WUC Leaders

By Uyghur Times Staff

April 28, 2025

In a sophisticated spear-phishing campaign uncovered last month, unknown hackers attempted to infect senior leaders of the World Uyghur Congress (WUC) with Windows-based spyware capable of remote surveillance. The attackers weaponized a legitimate open-source Uyghur language word processing and spell-check tool called UyghurEdit++, trojanizing it to deliver malware, according to a detailed report released Monday by the Citizen Lab at the University of Toronto.

The campaign, which showed signs of activity as early as May 2024, specifically targeted exiled Uyghur activists advocating against ongoing repression in East Turkistan (Xinjiang). Google sent government-backed attack warnings to several WUC members starting around March 5, 2025, prompting them to seek assistance from researchers and journalists.

“Such attacks are, of course, annoying and they show that we are fighting against a brutal Chinese government that is trying by all means to erase our voice,” said Erkin Zunun, one of the activists, in an interview with the International Consortium of Investigative Journalists and Paper Trail Media. “We are trying to be a voice for the voiceless, but China is trying to suppress that too.”

The Chinese Embassy in Germany did not reply to Paper Trail Media’s request for comment about the alleged attack.

Background on Uyghur Diaspora Digital Threats

Uyghur exiles, including those affiliated with the Munich-based WUC, have long faced digital transnational repression from actors linked to the Chinese government. This includes phishing, spyware deployment, online harassment, and family intimidation in East Turkistan to silence advocacy about mass detentions, forced labor, cultural erasure, and other grave human rights violations documented in UN reports and independent investigations.

Such attacks aim to monitor, disrupt, and discredit Uyghur voices abroad, limiting the flow of information about the situation in East Turkistan and influencing global opinion on Beijing’s policies.

Details of the March 2025 Spear-Phishing Campaign

The Citizen Lab investigation revealed that in mid-March 2025, WUC senior members received carefully crafted phishing emails impersonating trusted contacts, often from partner organizations. These emails included Google Drive links leading to password-protected RAR archives containing a malicious, modified version of UyghurEdit++ — a genuine tool originally developed to support Uyghur script typing on Windows.

Once executed, the trojanized software profiled the victim’s Windows system, retrieved additional illicit plugins, and enabled remote surveillance capabilities. While the malware itself was not highly advanced (no zero-day exploits or commercial-grade spyware like Pegasus), the delivery demonstrated deep knowledge of the Uyghur community: attackers replicated legitimate community resources to build trust and increase infection chances.

The researchers noted: “the delivery of the malware showed a high level of social engineering, revealing the attackers’ deep understanding of the target community.” Activity related to this operation dates back to at least May 2024, with infrastructure tied to hosting providers commonly used by threat actors.

Broader Implications for Uyghur Activists Abroad

This incident fits into a persistent pattern of Chinese state-linked cyber operations against Uyghur dissidents, as highlighted in parallel reporting from the International Consortium of Investigative Journalists (ICIJ) in its “China Targets” series. Researchers at Citizen Lab assess that threat actors close to Beijing were likely responsible, aligning with documented efforts to control diaspora networks and suppress cross-border information on East Turkistan.

Such attacks sow fear, uncertainty, and self-censorship among exiles, have been affecting advocacy work and eroding trust in digital tools essential for Uyghur language preservation and communication.