Spyware-Laced Uyghur Language Tool Used to Target Exiled Activists in Sophisticated Campaign

A newly uncovered cyber-espionage campaign in March 2025 has revealed that senior members of the World Uyghur Congress (WUC) living in exile were targeted with Windows malware designed for surveillance purposes.

The attack hinged on a compromised version of UyghurEdit++, an open-source word processing and spell-checking tool tailored for the Uyghur language. Although the malware itself lacked advanced functionality, its delivery method was highly tailored to deceive and infect members of the Uyghur diaspora, according to Citizen Lab at the University of Toronto.

Citizen Lab initiated its investigation after several individuals received Google alerts indicating government-sponsored attempts to breach their accounts—some as early as March 5, 2025. The attackers used spear-phishing emails that appeared to come from trusted partners and included Google Drive links leading to password-protected RAR archives.

Inside the archive was the weaponized UyghurEdit++ software, which, once opened, profiled the infected system and communicated back to a remote command-and-control server (tengri.ooguy[.]com). Written in C++, the spyware also had the capability to fetch additional malicious plugins and execute commands via those modules.

While the exact origin of the attack remains unconfirmed, the tailored nature of the malware, intimate knowledge of the Uyghur community, and the focus of the campaign strongly point to alignment with Chinese state-sponsored operations.

Citizen Lab emphasized that this incident is part of a broader trend of digital transnational repression, wherein authoritarian regimes use cyber tools to monitor and suppress exiled dissident communities. In China's case, the surveillance is designed to curtail diaspora ties to Xinjiang, limit the flow of information regarding human rights abuses, and influence global narratives around its policies in the region.