Paul Rascagneres

Ongoing EvilEye Campaigns Targeting CCP Adversaries

Volexity has recently uncovered ongoing campaigns by EvilEye, a Chinese state-backed threat actor, targeting three of the five groups the Chinese Communist Party (CCP) refers to as the “Five Poisons”. The targeted groups are members of the Tibetan community, the Uyghur ethnic group, and Taiwanese nationals. Volexity’s research has identified both currently active and historic activity for these campaigns. Volexity also identified related campaigns from this threat actor specifically targeting the Uyghur ethnic group back in 2019 and 2020.

The ongoing campaigns consist of two elements, malicious mobile applications and fake websites, which are created by the attacker to facilitate exploitation of end users by way of zero or n-day exploits. The three Android malware families being deployed include new versions of BADBAZAAR, as well as two previously undocumented families. In addition to these Android malware families, there is compelling evidence that EvilEye has developed an iOS implant and tried to distribute it via the Apple App Store.

This presentation outlines the current, ongoing campaigns; delves into the technical details of the Android malware families involved; discusses the threat actor’s command-and-control (C2) infrastructure and configuration; and reveals how the threat actor builds communities to distribute their malware through trusted platforms. The presentation also explores overlaps between the campaigns and explains links to historic activity.

Paul Rascagneres is a principal threat researcher at Volexity. He performs investigations to identify new threats. He has presented his findings in several publications and at international security conferences. He has been involved in security research for 10 years, mainly focusing on malware analysis, malware hunting, and more specifically on advanced persistent threat (APT) campaigns and rootkit capabilities.