🇨🇳

POISON CARP

APT Group Information theft and espionage 2 zero-day CVEs ETDA ✓

Also Known As 3 names

Earth Empusa Evil Eye Red Dev 16

Target Countries 7

Countries highlighted in red

Australia Canada China India Kazakhstan Turkey United States

Sectors Targeted

Computer Systems Design and Related Services 54151 Public Administration 92 Tibetan and Uyghur activists as well as those who are interested in their causes Data Processing, Hosting, and Related Services 51821

Details

Origin 🇨🇳 CN

Last Updated 01 Jun 2022

Malware Families 2

poisoncarp

actionspy

MITRE ATT&CK 25

T1003 T1027 T1027.002 T1036 - Masquerading T1055 T1059.001 T1070.004 T1071 T1102 - Web Service T1104 - Multi-Stage Channels T1106 T1125 - Video Capture T1505 - Server Software Component T1548.002 T1553 - Subvert Trust Controls T1566 - Phishing T1583 - Acquire Infrastructure T1587 - Develop Capabilities T1588 - Obtain Capabilities T1589 - Gather Victim Identity Information T1590 - Gather Victim Network Information T1592 - Gather Victim Host Information T1596 - Search Open Technical Databases T1598 - Phishing for Information T1608 - Stage Capabilities

Related Zero-Days 2

CVE-2020-6418 CVE-2025-43200

Known Names 6 entries

Poison Carp Citizen Lab

Evil Eye Volexity

Earth Empusa Trend Micro

Red Dev 16 PWC

EvilBamboo Volexity

Sentinel Taurus Palo Alto

Observed Target Countries 7

Based on ETDA data — countries highlighted in red

Australia Canada China Kazakhstan Syria Turkey USA

Description

(Citizen Lab) • Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP. • We observed POISON CARP employing a total of eight Android browser exploits and one Android spyware kit, as well as one iOS exploit chain and iOS spyware. None of the exploits that we observed were zero days. POISON CARP overlaps with two recently reported campaigns against the Uyghur community. The iOS exploit and spyware we observed was used in watering hole attacks reported by Google Project Zero, and a website used to serve exploits by POISON CARP was also observed in a campaign called “Evil Eye” reported by Volexity. The Android malware used in the campaign is a fully featured spyware kit that has not been previously documented. • POISON CARP appears to have used Android browser exploits from a variety of sources. In one case, POISON CARP used a working exploit publicly released by Exodus Intelligence for a Google Chrome bug that was fixed in source, but whose patch had not yet been distributed to Chrome users. In other cases, POISON CARP used lightly modified versions of Chrome exploit code published on the personal GitHub pages of a member of Qihoo 360’s Vulcan Team, a member of Tencent’s Xuanwu Lab, and by a Google Project Zero member on the Chrome Bug Tracker. • This campaign is the first documented case of one-click mobile exploits used to target Tibetan groups, and reflects an escalation in the sophistication of digital espionage threats targeting the community.

Tools Used 12

ActionSpy BadBazaar BADSIGNAL BADSOLAR Bourbon IceCube IRONSQUIRREL MOONSHINE PoisonCarp Scotch Whisky several exploits in iOS, Android and Google Chrome

Operations 5

2018 Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/

2020-01 Immediately after the publications from Google and Volexity, the Evil Eye threat actor went fairly quiet. They removed their malicious code from compromised websites, command and control (C2) servers were taken down, and various hostnames stopped resolving. This largely remained the case until early January 2020, when Volexity observed a series of new activity across multiple previously compromised Uyghur websites. https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/

2020 Early While tracking Earth Empura, also known as POISON CARP/Evil Eye, we identified an undocumented Android spyware we have named ActionSpy. https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/

2022 Lookout Discovers Long-running Surveillance Campaigns Targeting Uyghurs https://www.lookout.com/blog/uyghur-surveillance-campaign-badbazaar-moonshine

2023-06 EvilBamboo Targets Mobile Devices in Multi-year Campaign https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/

Reports & References 3

https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/ https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/ https://googleprojectzero.blogspot.com/2019/08/a-very-deep-dive-into-ios-exploit.html

ETDA Profile

Poison Carp, Evil Eye

Origin

China

First Seen 2018

Motivation

Information theft and espionage

View on ETDA APT Groups ↗