'Earth Minotaur' Exploits WeChat Bugs, Sends Spyware to Uyghurs

The emerging threat actor, potentially a Chinese state-sponsored APT, is using the known exploit kit Moonshine in cross-platform attacks that deliver a previously undisclosed backdoor called "DarkNimbus" to ethnic minorities, including Tibetans.


A newly identified cyber-threat operation is using a known exploit kit to target security vulnerabilities in the popular WeChat app, to deliver previously unreported spyware to both Android and Windows devices belonging to the Tibetan and Uyghur ethnic-minority communities in China.

A group that researchers at Trend Micro are tracking as Earth Minotaur is wielding the Moonshine exploit kit, which first surfaced in 2019, to deliver a backdoor called DarkNimbus. The malware can steal data and monitor device activity, the researchers revealed in a blog post published today. Moonshine typically targets vulnerabilities in instant messaging apps on Android devices to deliver the malware, and it also exploits multiple known vulnerabilities in Chromium-based browsers. The latest version of the kit discovered by Trend Micro has been upgraded with "newer vulnerabilities and more protections to deter analysis of security researchers," the researchers wrote.

The attacks begin as carefully crafted messages aiming to lure victims into clicking on an embedded malicious link, which typically claims to be related to government announcements; relevant Chinese news topics, such as COVID-19, religion, or stories about Tibetans or Uyghurs; or Chinese travel information. Attackers "disguise themselves as different characters on chats to increase the success of their social engineering attacks," the researchers wrote.


The ultimate payload, DarkNimbus, is "a comprehensive Android surveillance tool" that starts by collecting basic information from the infected device, its installed apps, and its geolocation systems. It goes on to steal personal information, including contact lists, phone call records, SMS, clipboard content, browser bookmarks, and conversations from multiple messaging apps. DarkNimbus can also record calls, take photos and screenshots, perform file operations, and execute commands, the researchers added.

Novel Cyberattack Actor, Familiar Tools & Targets

The researchers believe Earth Minotaur is a new threat actor, though the group isn't the first to use the Moonshine toolkit, they wrote.

"In the first report of Moonshine exploit kit in 2019, the threat actor using the toolkit was named Poison Carp," according to the post. However, the researchers did not find connections between Earth Minotaur and that group, they said.

"The backdoor DarkNimbus had been developed in 2018 but was not found in any of Poison Carp's previous activity," the researchers wrote. "Therefore, we categorize them as two different intrusion sets." At this time, there are at least 55 Moonshine exploit kits being actively used by threat actors in the wild, they said.


Moonshine was first discovered as part of a malicious campaign against the Tibetan community, and it is also associated with previous malicious activity against Uyghurs. Both groups are ethnic minorities in China that face discrimination and surveillance by the Chinese government, and both are the key targets of Earth Minotaur, the researchers said. While it is likely the group is an advanced persistent threat (APT) backed by China, the researchers did not have enough evidence to make a definitive connection, they said.

Defending Against Persistent Threats

Earth Minotaur's activities and use of Moonshine share similarities with two previously identified threat campaigns. One, identified in 2002, spread an Android malware called BadBazaar along with Moonshine via Uyghur-language sites and social media.

BadBazaar then resurfaced later in broader attacks against users in several countries that delivered the malware via Trojanized versions of the Signal and Telegram messaging apps, in an attack vector similar to the one Earth Minotaur was seen employing.

To prevent similar attacks, Trend Micro suggested some basics. One is that people exercise caution when clicking on links embedded in suspicious messages, "as these may lead to malicious servers like those of Moonshine compromising their devices," the researchers wrote.


They also recommended regularly updating applications to the latest versions, as Moonshine takes advantage of flaws to conduct its malicious activities.

"These updates offer essential security improvements to protect against known vulnerabilities," the researchers wrote.


About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.
