
Turkistanpress

Primary URL: www[.]turkistanpress[.]com
Location: China
Industry: Government - National
Profile

Turkistanpress, operating from China, functions as a digital platform implicated in large-scale cyber operations targeting a specific minority diaspora. Its activities involve compromising websites associated with the diaspora's cause and deploying sophisticated attack frameworks. These operations leverage malicious tools like Scanbox to profile website visitors and create deceptive doppelganger domains mimicking legitimate services such as Turkistan Times, specifically designed to harvest user credentials. The platform actively exploits vulnerabilities in mobile ecosystems, particularly Android devices, to deliver ARM executable malware payloads. This multi-vector approach facilitates extensive unauthorized data collection and surveillance capabilities against the targeted community.

The organization demonstrates specialized competencies in conducting persistent monitoring campaigns, utilizing compromised web infrastructure as a primary attack surface. A key technique involves the abuse of Google OAuth mechanisms to gain illicit access to victims' Gmail accounts, enabling the monitoring of communications and contact networks. Mobile users are singled out for tailored attacks exploiting platform-specific weaknesses to deploy malware designed for persistent access. These coordinated efforts across web and mobile channels underscore Turkistanpress's focus on enabling comprehensive surveillance and intelligence gathering against its designated targets. The scale of these operations is evidenced by the compromise of over eleven distinct websites related to the diaspora community during a single documented campaign.

Incidents
1 incident