A trusted tool has turned traitor. A new Citizen Lab investigation reveals that UyghurEditPP, a legitimate open-source Uyghur-language text editor, has been weaponized to spy on members of the World Uyghur Congress (WUC). The attack, uncovered in March 2025, shows how threat actors have now shifted to exploiting trusted cultural tools to launch cyber-espionage campaigns against diaspora communities.
The attack started the old-fashioned way – with an email. WUC members received a spearphishing message posing as a partner organization. It offered what seemed like an innocuous task – download and test a Uyghur-language software tool. The email contained a Google Drive link to a password-protected archive. Inside? A booby-trapped version of UyghurEditPP.
The trojanized app looked and behaved like the real deal, right down to its interface. But hidden under the hood, it deployed malware designed to quietly burrow into the victims’ systems. Once installed, it could scoop up system information, upload or download files, and even run custom plugins for more complex operations.
A Custom Backdoor with a Uyghur Disguise
Citizen Lab’s technical teardown showed that the malware communicated with its command-and-control (C2) servers using domains like tengri.ooguy.com and anar.gleeze.com, borrowing heavily from Central Asian cultural references. These servers were hosted inside a cloud provider known for lax controls and frequent abuse by cybercriminals.
Adding to the deception were servers that presented fake TLS certificates impersonating Microsoft. It’s a clever ploy – browsers and security software often treat familiar certificates with less suspicion, helping the malicious traffic fly under the radar.
Not Just a One-Off: Evidence of Long-Term Planning
This wasn’t a quick-and-dirty operation. The attackers set up websites like gheyret.com and gheyret.net, designed to look like they belonged to Uyghur software developers. They even faked download pages for UyghurEditPP to make the malicious file seem legitimate.
Citizen Lab researchers believe the campaign reflects a high level of planning and resource investment, likely showing a long-term commitment to infiltrating Uyghur communities through digital means.
Also read: Global Cybersecurity Agencies Warn of Spyware Targeting Uyghur, Tibetan, and Taiwanese Communities
Bigger Than One Organization
While this particular campaign targeted WUC, it’s part of a broader pattern of digital transnational repression. Over the past decade, multiple investigations have documented attempts to harass, monitor, and silence Uyghur activists and dissidents abroad.
The methods vary. From phishing attacks and spyware campaigns to social engineering and disinformation, threat actors have consistently adapted their tactics. The latest twist—weaponizing culturally significant software—is a troubling evolution. By hijacking trusted tools, attackers erode the very foundations of community trust.
It’s akin to someone weaponizing your own language. It’s psychological warfare, not just technical. “Targets have reported experiencing feelings of insecurity, guilt, fear, uncertainty, mental and emotional distress, and burnout from these attacks,” the Citizen Lab researchers said based on earlier similar investigations.
Inside the Malware’s Playbook
According to Citizen Lab’s technical findings, the backdoor bundled with UyghurEditPP was no ordinary spyware. It featured modular plugins, allowing attackers to tailor their operations based on the target. Among its core capabilities:
- System profiling: Collects information about the infected device
- File operations: Uploads, downloads, and executes files
- Command execution: Runs arbitrary system commands on demand
- Custom plugins: Expands functionality without redeploying new malware
By blending legitimate software functionality with covert surveillance capabilities, the attackers achieved a potent balance of usability and stealth.
Attribution: A Familiar Playbook, An Unknown Actor
Citizen Lab stopped short of directly attributing the attack to a known government or hacking group. However, the techniques, targets, and infrastructure bear a strong resemblance to past China-aligned cyber operations aimed at Uyghur individuals and organizations.
This campaign’s sophistication suggests access to considerable resources and a deep understanding of Uyghur cultural dynamics—both hallmarks of state-sponsored cyber-espionage.
Digital Safety Lessons for At-Risk Communities
The WUC attack is a wake-up call not just for Uyghur activists but for every marginalized or targeted community online. Trust, once broken, is hard to rebuild. Software—even familiar, open-source tools—must now be treated with a layer of healthy skepticism.
Citizen Lab advises:
- Verify downloads: Always source software directly from official repositories, not third-party links.
- Use endpoint protection: Invest in reputable antivirus and behavior-monitoring tools.
- Employ two-factor authentication: Harder for attackers to hijack accounts, even with malware present.
- Stay updated: Keep systems patched and subscribe to cybersecurity advisories relevant to your community.
The Personal Cost of Cyber-Conflict
Cyberattacks like this one aren’t just technical skirmishes. They’re personal. They target trust, language, identity—the invisible threads that hold communities together.
Weaponizing UyghurEditPP shows a level of creativity and cruelty. It’s a digital assault on an already persecuted community, designed to monitor, intimidate, and ultimately control.
As this campaign shows, defending against cyberthreats isn’t just about firewalls and patches. It’s also about defending culture, community, and the very right to communicate safely.
