In a joint advisory, the United Kingdom’s National Cyber Security Centre (NCSC), along with international partners from five countries, has revealed details about two spyware variants — BADBAZAAR and MOONSHINE — actively targeting individuals from Uyghur, Tibetan, and Taiwanese communities, as well as civil society organizations linked to these regions.
The advisory, backed by cybersecurity agencies from Australia, Canada, Germany, New Zealand, and the United States, warns that these spyware tools are part of an ongoing digital surveillance campaign aimed at monitoring and intimidating groups that the Chinese state perceives as a threat to its authority.
The NCSC says these cyber intrusions are not random but instead deliberately designed to infiltrate smartphones, harvest sensitive personal data, and track individuals in real time — often without their knowledge.
Five Nation Cyber Advisory Targets Spyware Risks
The report is the result of collaboration between several global cybersecurity and intelligence entities, including:
- Australian Cyber Security Centre
- Canadian Centre for Cyber Security
- German Federal Intelligence Service and Federal Office for the Protection of the Constitution
- New Zealand National Cyber Security Centre
- U.S. Federal Bureau of Investigation (FBI) and National Security Agency (NSA)
This international effort aims to raise awareness about the growing risk to civil society actors, particularly those connected with regions and topics such as Taiwan, Tibet, the Xinjiang Uyghur Autonomous Region, democracy activism, and the Falun Gong spiritual movement.
Spyware Designed for Covert Surveillance
The two spyware variants — BADBAZAAR and MOONSHINE — have been found embedded in mobile apps. These malicious programs can covertly access device microphones, cameras, messages, photos, and even track location data, giving remote hackers the ability to monitor targets in real time.
Some infected apps mimic popular platforms like WhatsApp or Skype, while others are standalone applications designed to appear trustworthy, especially to users from the affected regions.
For example, the Tibet One app — an iOS application written in Tibetan — was briefly available on the Apple App Store in December 2021. Though it has since been removed, experts say it was specifically created to deploy BADBAZAAR spyware. The app was circulated in targeted Telegram channels and Reddit forums where members of the Tibetan community gather.
Similarly, the Audio Quran app used the Uyghur language in its file name and description to lure users. It delivered the MOONSHINE spyware, focusing on targeting Uyghur Muslims with content purporting to offer religious audio material.
“These apps are being disguised and marketed in ways that build trust within these communities,” the advisory warns.
Political and Ethnic Groups in the Crosshairs
The groups most at risk from these spyware tools include:
- Supporters of Taiwan’s independence
- Tibetan rights organizations and activists
- Uyghur Muslims, especially those inside or originally from Xinjiang
- Advocates for democratic reform in China
- Followers of the Falun Gong faith
The Chinese state has long considered these groups and movements as politically sensitive. Over the years, reports have highlighted Beijing’s efforts to control or silence dissent, often extending these efforts beyond its borders through surveillance, intimidation, and disinformation.
Taiwan, a self-governed island democracy, is viewed by China as a breakaway province. Tibet has seen decades of resistance to Chinese rule. Meanwhile, the Uyghur population has reportedly faced widespread repression, including detainment in what Chinese authorities refer to as “vocational training centers,” widely believed to be reeducation camps.
How to Stay Protected
As part of the advisory, the NCSC and its international partners are urging individuals at risk to take extra precautions when downloading or using mobile apps.
The key recommendations include:
- Use only official app stores like the Apple App Store or Google Play Store.
- Check app permissions regularly and ensure they are appropriate for the app’s function.
- Review app updates and investigate changes to behavior or requests for new access.
- Avoid clicking on suspicious links shared via social media or chat platforms.
- Report unusual messages or files that appear out of context or come from unknown sources.
They also encourage civil society groups, journalists, and activists to stay informed about emerging threats and to consider using security tools such as VPNs, encrypted messaging platforms, and secure mobile devices.
Alongside the user-facing advice, the NCSC and partner agencies have also called on app store operators and developers to be vigilant. They are encouraged to implement stronger screening and removal processes for malicious apps and to share threat intelligence with cybersecurity researchers and law enforcement agencies.
Looking Ahead
While the spyware tools BADBAZAAR and MOONSHINE are not new discoveries, the current campaign reveals evolving strategies in how such tools are deployed — not only through malware but also via culturally modified social engineering efforts.
The international coalition behind this report hopes that by shedding light on these techniques, they can limit the reach of these cyber intrusions and safeguard the rights and freedoms of vulnerable communities around the world.
