Full Report
2025-04-09 • NCSC UK • ASD, BND, Bundesamt für Verfassungsschutz, Canadian Centre for Cyber Security (CCCS), FBI, NCSC UK, New Zealand National Cyber Security Centre (NZ NCSC), NSA • apk.badbazaar
Analysis Summary
# Threat Actor: BADBAZAAR and MOONSHINE (Mentioned in joint advisory)
## Attribution & Identity
The summary refers to two distinct spyware families, **BADBAZAAR** and **MOONSHINE**, detailed in a joint advisory by multiple international cybersecurity and intelligence agencies (including NCSC UK, FBI, NSA and CCCS). The provided context snippet does not attribute the malware to a named operator or state-sponsored group; it focuses on the malware itself and on the communities it targets.
## Activity Summary
The article summarizes an advisory concerning the operations of the **BADBAZAAR** and **MOONSHINE** spyware families, which are actively targeting various ethnic and civil society groups.
## Tactics, Techniques & Procedures
The only technique the context explicitly identifies is the deployment of sophisticated **spyware**. Lower-level TTP details, such as network connections or file modifications, are not provided in this summary.
## Targeting
- Sectors: Civil society actors, likely including human rights organizations and political advocacy groups.
- Geography: Groups associated with Uyghur, Taiwanese, and Tibetan communities.
- Victims: Specific organizations are not listed in the provided context snippet, only the targeted communities.
## Tools & Infrastructure
- Malware families used: **BADBAZAAR** and **MOONSHINE** (both identified as spyware).
- Infrastructure (C2 servers, domains, IPs): not provided in the context snippet.
## Implications
The use of BADBAZAAR and MOONSHINE spyware indicates targeted espionage operations focused on monitoring and infiltrating sensitive ethnic and political communities, suggesting potential state-backed surveillance activities against dissidents or advocates.
## Mitigations
Mitigations are referenced as part of the full advisory but are not detailed in this summary extraction. In general terms, mitigation would focus on detecting the identified spyware families on the devices of targeted individuals and removing them.