Full Report
In a joint advisory with Western allies, the National Cyber Security Centre sounded the alarm about variants of BADBAZAAR and MOONSHINE. The post BadBazaar and Moonshine malware targets Taiwanese, Tibetan and Uyghur groups, U.K. warns appeared first on CyberScoop.
Analysis Summary
# Threat Actor: BADBAZAAR and MOONSHINE Operators (Attributed to Chinese Government)
## Attribution & Identity
The operators were previously linked to the **Chinese government** by cybersecurity researchers (Lookout publicly described BADBAZAAR in 2022; Citizen Lab described MOONSHINE in 2019). The joint advisory was issued by the UK (NCSC) together with agencies from Australia, Canada, Germany, New Zealand and the US (FBI, NSA).
## Activity Summary
The actors are deploying two spyware variants, **BADBAZAAR** (iOS and Android) and **MOONSHINE** (Android-only), to conduct espionage. The ultimate goal is to collect data of value to the Chinese state. The actors masquerade malicious apps as legitimate tools of interest to targeted communities, sometimes distributing them via official app stores. Previous activity for MOONSHINE dates back to at least 2019.
## Tactics, Techniques & Procedures
- **Trojanizing legitimate apps:** Adversaries are packaging spyware within apps relevant to target communities (e.g., a Uyghur language Quran app).
- **Distribution via official app stores:** Apps appear in official application marketplaces.
- **Social Engineering/Delivery:**
- MOONSHINE has been shared via Telegram channels and WhatsApp links, often sent by threat actors posing as journalists or fake personas.
- BADBAZAAR spreads through social media platforms in addition to app stores.
- **Data Exfiltration Capabilities:** Access and download location data, messages, and photos.
- **Device Compromise:** Ability to access microphones and cameras on targeted phones.
- **Permission Abuse:** MOONSHINE samples seek permissions relevant to the fake app's functionality, making them appear unsuspicious while enabling covert data collection.
## Targeting
- **Sectors:** Groups focused on Taiwanese independence, Tibetan rights, Uyghur Muslims, democracy advocacy, and Falun Gong.
- **Geography:** Targeting of **Taiwanese**, **Tibetan**, and **Uyghur** groups.
- **Victims:** Individuals belonging to or affiliated with the aforementioned political and religious groups.
## Tools & Infrastructure
- **Malware Families used:**
- **BADBAZAAR:** Mobile malware with iOS and Android variants.
- **MOONSHINE:** Android-only spyware.
- **Infrastructure (C2, domains, IPs):** Not explicitly detailed in the provided context, beyond distribution vectors (official app stores, Telegram, WhatsApp).
## Implications
This activity represents state-sponsored cyber espionage aimed at monitoring and suppressing groups the Chinese state perceives as threats. Distributing trojanized apps through official app stores and through trusted messaging platforms (Telegram, WhatsApp) shows that the actors rely on the credibility of the delivery channel rather than on exploits: the victim installs the spyware willingly because it arrives as a tool their community wants, from a persona that appears legitimate. The campaign is therefore best understood as targeted social engineering against politically sensitive individuals, not as a compromise of the app stores or messaging services themselves.
## Mitigations
- **Application Vetting:** Exercise extreme caution when installing applications, particularly those marketed specifically to high-risk communities, even if found on official app stores.
- **Platform Specific Defenses:** BADBAZAAR has both iOS and Android variants, so iOS users in the targeted communities are not exempt; MOONSHINE is Android-only.
- **Messaging Caution:** Do not click links or download files received via WhatsApp or Telegram from unknown or newly established contacts, especially if they involve seemingly helpful or topical applications.
- **Device Security:** Grant an app only the permissions its stated function requires and revoke the rest (a reading or prayer app has no reason to hold location, SMS, microphone or camera access); review granted permissions periodically and monitor for unusual microphone/camera use or unexpected data usage.
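The permission-abuse technique described under TTPs (spyware requesting only permissions that look plausible for its cover app) and the device-security mitigation above both come down to one check: compare what an app declares against what its advertised purpose justifies. The following Python script is an added example, not code from the advisory, from CyberScoop, or from any of the named researchers. It parses a decoded `AndroidManifest.xml`, maps each declared permission that grants a collection capability (location, messages, photos, microphone, camera) to that capability, and reports the ones a per-category baseline does not explain. The two manifests, the category names and the `EXPECTED_BY_CATEGORY` baselines are constructed assumptions for illustration; a real run would feed it the manifest from `apktool` or `aapt dump xmltree`.

```python
"""Permission-profile triage for an Android app under suspicion.

Added example (not from the advisory or CyberScoop). Compares the
permissions an app declares against a baseline of what its advertised
category plausibly needs, and reports the surplus collection capability.
All manifests and baselines below are constructed for illustration.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that give an implant the capabilities the advisory lists:
# location, messages, photos/files, microphone and camera.
COLLECTION_PERMS: dict[str, str] = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_EXTERNAL_STORAGE": "files/photos",
    "android.permission.READ_MEDIA_IMAGES": "photos",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
}

# Hypothetical baselines (assumption, not a published standard): which of
# the collection permissions an app of a given advertised type can justify.
EXPECTED_BY_CATEGORY: dict[str, set[str]] = {
    "reading": set(),  # a Quran reader / prayer-times app needs none of them
    "messenger": {
        "android.permission.READ_CONTACTS",
        "android.permission.RECORD_AUDIO",
        "android.permission.CAMERA",
    },
    "maps": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}


def declared_permissions(manifest_xml: str) -> set[str]:
    """Return the android:name of every <uses-permission> in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml: str, category: str) -> dict[str, str]:
    """Map each collection-grade permission the category baseline does not
    justify to the capability it hands the app."""
    declared = declared_permissions(manifest_xml)
    expected = EXPECTED_BY_CATEGORY[category]
    return {
        perm: COLLECTION_PERMS[perm]
        for perm in sorted(declared)
        if perm in COLLECTION_PERMS and perm not in expected
    }


def unjustified_capabilities(manifest_xml: str, category: str) -> list[str]:
    """Sorted, de-duplicated list of capabilities the app holds without justification."""
    return sorted(set(triage(manifest_xml, category).values()))


def _manifest(*perms: str) -> str:
    """Build a minimal decoded manifest (constructed test input)."""
    body = "\n".join(f'  <uses-permission android:name="{p}"/>' for p in perms)
    return (
        f'<manifest xmlns:android="{ANDROID_NS}" package="example.app">\n'
        f"{body}\n</manifest>"
    )


# Constructed: a "reading" app that asks for far more than a reader needs.
READER_MANIFEST = _manifest(
    "android.permission.INTERNET",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.RECORD_AUDIO",
    "android.permission.READ_SMS",
    "android.permission.READ_CONTACTS",
)

# Constructed: a "messenger" cover app. Mic, camera and contacts look
# legitimate here, which is exactly the disguise the TTP section describes;
# the baseline strips those away so only the unexplained surplus remains.
MESSENGER_MANIFEST = _manifest(
    "android.permission.INTERNET",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.READ_SMS",
)

if __name__ == "__main__":
    for label, manifest, category in (
        ("reader", READER_MANIFEST, "reading"),
        ("messenger", MESSENGER_MANIFEST, "messenger"),
    ):
        print(f"[{label}] unjustified: {unjustified_capabilities(manifest, category)}")
        for perm, cap in triage(manifest, category).items():
            print(f"    {perm} -> {cap}")
```

The point of the baseline is the one the TTP section makes: a well-chosen cover app makes microphone and camera access look normal, so a flat "dangerous permissions" scan produces noise. Subtracting what the stated purpose justifies leaves the permissions that should prompt a closer look (here, location and SMS on a messenger), and on the reader app every collection permission is surplus.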