Cyber Threat Actor: Evil Eye
| Actor Type | Location | Known Incidents |
Nation State
|
China
|
14 incidents |
|---|
Profile
The threat actor is known by the alias Chinese APT and is identified as operating from China. Their activities focus on the Uyghur population, including activists, non‑governmental organizations, and human rights defenders, both within the Xinjiang Uyghur Autonomous Region and among the Uyghur diaspora abroad. The observed intent is to conduct surveillance and espionage, aiming to track physical movements, monitor communications, and gather personal data from targeted individuals.
Their typical tactics involve compromising websites that cater to Uyghur interests and using those sites as platforms for delivering malicious code. This includes the deployment of the Scanbox framework to profile visitors and transmit collected data via HTTP POST requests, as well as the use of the Evil Eye tracking mechanism that loads hidden iframes to gather browser and system information. Additionally, they have employed an Android exploit that forces the download of a 64‑bit ARM executable capable of exfiltrating extensive device details such as IMEI, IMSI, phone number, and network characteristics. The actor also abuses Google OAuth to gain unauthorized access to Gmail accounts through malicious applications hosted on doppelganger domains mimicking legitimate services like Google, the Turkistan Times, and the Uyghur Academy.
Attribution is publicly linked to Chinese APT groups operating from China, with the activity described as part of broader campaigns against communities perceived as threats to the Chinese Communist Party. Notable operations include the sustained compromise of at least eleven Uyghur and East Turkistan websites that have been leveraged for surveillance, the distribution of Android malware targeting mobile users, and the establishment of infrastructure designed to harvest Gmail credentials via deceptive OAuth applications. These efforts demonstrate a continued focus on digital espionage against Uyghur communities through a combination of web‑based tracking, mobile exploitation, and credential‑theft techniques.
