| Field | Value |
|---|---|
| Names | Evil Eye (Volexity) |
| Country | |
| Motivation | Information theft and espionage |
| First seen | 2019 |
| Description | (Volexity) Volexity has been able to identify at least 11 different Uyghur and East Turkistan websites that have been strategically compromised and leveraged as part of a series of attack campaigns. In some cases, the websites have been continuously leveraged to attack visitors going back at least four years. While it is not always possible to tie some observed activity to a specific threat group, Volexity believes that at least two Chinese APT groups are responsible for the majority of the attack activity described in this blog. In many cases where the malicious websites were in operation but Volexity did not observe an active payload, the URLs followed a somewhat distinctive pattern. In almost all instances, the URLs from these sites were loaded via an iFrame. These URLs are typically loaded in plaintext without any sort of obfuscation. However, in two instances, one of the earlier instances identified on the Uyghur Academy website, and one on the website of the World Uyghurs Writers Union, obfuscation was applied by way of multiple iFrames, and with the URL itself being obfuscated. Volexity has also observed similar URL patterns and even doppelganger domains leveraged to target Tibetan interests as well. Volexity believes there is likely overlap between these two sets of activity. Volexity currently tracks the above listed activity as a group under the moniker Evil Eye. The Evil Eye threat actor is also responsible for targeting users with Android exploits and malware. |
| Observed | Sectors: Uyghurs. |
| Tools used | INSOMNIA, IRONSQUIRREL. |
| Operations performed | Jan 2020: Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant <https://www.volexity.com/blog/2020/04/21/evil-eye-threat-actor-resurfaces-with-ios-exploit-and-updated-implant/> |
| Information | <https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/> |
Last change to this card: 22 April 2020
Source: Thailand Computer Emergency Response Team (ThaiCERT)