
Threat Group Cards: A Threat Actor Encyclopedia

APT group: Evil Eye

Names: Evil Eye (Volexity)
Country: China
Motivation: Information theft and espionage
First seen: 2019
Description: (Volexity) Volexity has been able to identify at least 11 different Uyghur and East Turkistan websites that have been strategically compromised and leveraged as part of a series of attack campaigns. In some cases, the websites have been continuously leveraged to attack visitors going back at least four years. While it is not always possible to tie some observed activity to a specific threat group, Volexity believes that at least two Chinese APT groups are responsible for the majority of the attack activity described in this blog.

In many cases where the malicious websites were in operation but Volexity did not observe an active payload, the URLs followed a somewhat distinctive pattern. In almost all instances, the URLs from these sites were loaded via an iFrame.

These URLs are typically loaded in plaintext without any sort of obfuscation. However, in two instances, one of the earlier instances identified on the Uyghur Academy website, and one on the website of the World Uyghurs Writers Union, obfuscation was applied by way of multiple iFrames, and with the URL itself being obfuscated.

Volexity has also observed similar URL patterns and even doppelganger domains leveraged to target Tibetan interests as well. Volexity believes there is likely overlap between these two sets of activity. Volexity currently tracks the above listed activity as a group under the moniker Evil Eye. The Evil Eye threat actor is also responsible for targeting users with Android exploits and malware.
Observed: Sectors: Uyghurs.
Operations performed: Jan 2020: Evil Eye Threat Actor Resurfaces with iOS Exploit and Updated Implant

Last change to this card: 22 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency
