article featured image


A spyware tool known as BadBazaar, has been discovered targeting ethnic and religious minorities in China, mainly the Uyghurs in Xinjiang.

The new Android spyware was originally discovered by MalwareHunterTeam and linked to Bahamut, a threat actor primarily active in the Middle East. Upon further analysis by Lookout, the malware was found to be new spyware using the infrastructure seen before during the 2020 campaigns against Uyghurs by the state-backed hacking group APT15, identified also as Pitty Tiger.

Additionally, according to BleepingComputer, Lookout observed a second campaign using new variants of Moonshine, a spyware discovered in 2019.


This spyware has been observed using over 100 different apps since 2018 to infect Uyghurs specifically, by promoting them on communication channels populated by the ethnic group. The mock apps cover a wide range of categories, such as dictionaries, religious practice companions, battery optimizers and video players. However, no evidence was found of these apps reaching Google Play, so the distribution is most likely to take place via third-party stores or websites.

Some examples of apps promoted by BadBazaar.


BadBazaar is capable of collecting data such as:

  • Precise location
  • List of installed apps
  • Call logs with geolocation data
  • Contacts list
  • SMS
  • Complete device info
  • Wi-Fi info
  • Phone call recording
  • Take pictures
  • Exfiltrate files or databases
  • Access folders of high interest (images, IM app logs, chat history, etc.)

Furthermore, while analyzing the C2 infrastructure, which contained errors that exposed some of the admin panels and the GPS coordinates of test devices, Lookout analysts were able to find connections to the Chinese defense contractor Xi’an Tian He Defense Technology.

The Moonshine Variants

In 2019, Citizen Lab reported an Android exploit targeting Tibetan activist groups while using spear phishing messages through WhatsApp. Starting in July 2022, researchers uncovered a new campaign using 50 apps that push new versions of the Moonshine spyware.

These apps are promoted on Uyghur-speaking Telegram channels, with malicious users branding them as trustworthy to other members. The newer malware version is still modular, with even more modules meant to extend the tool’s surveillance capabilities.

The data Moonshine steals from compromised devices include network activity, IP address, hardware info, and more, while some of the C2 commands supported are:

  • Call recording
  • Contact collection
  • Retrieve files from a location specified by the C2
  • Collect device location data
  • Exfiltrate SMS messages
  • Camera capture and microphone recording
  • Collect WeChat data

Just as in BadBaazar`s case, Lookout has found evidence that actors behind the new Moonshine version are Chinese, with both code comments and server-side API documentation being written in simplified Chinese.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

Author Profile

Mihaela Popa


Mihaela is a digital content creator for Heimdal® and the proud owner of an old soul and a curious mind. Passionate to learn and discover more about cybersecurity, she will gladly share her latest finds with you.

Leave a Reply

Your email address will not be published. Required fields are marked *