A coalition of international cybersecurity agencies has issued a joint advisory warning about the use of advanced spyware tools targeting individuals and groups connected to Tibet, Taiwan, East Turkestan, and the Falun Gong movement.
The advisory, released on April 9, was led by the UK’s National Cyber Security Centre (NCSC) in collaboration with cybersecurity authorities from Australia, Canada, Germany, New Zealand, and the United States, including the FBI and NSA.
The document details the deployment of two sophisticated spyware tools, known as Badbazaar and Moonshine, which are being used to compromise the mobile devices of individuals viewed as politically sensitive by the Chinese government. The tools reportedly allow malicious actors to access users’ real-time locations, record audio, activate cameras, and extract messages, photos, and other personal data without the victim’s knowledge.
According to the NCSC, the spyware campaigns are believed to be state-sponsored and are aimed at individuals and organizations that advocate for causes considered threatening to the Chinese Communist Party (CCP). These include supporters of Taiwanese independence, Tibetan activists, Uyghur Muslims from the Xinjiang region, pro-democracy advocates in China, and practitioners of the banned Falun Gong spiritual movement.
The spyware is being distributed through seemingly legitimate mobile applications that have been “trojanised”, that is, altered to contain hidden surveillance functions. Notably, some apps were customized to appeal specifically to Tibetan and Uyghur users, such as “Tibet One” and “Audio Quran.” Others mimic well-known communication tools like WhatsApp and Skype to deceive users into installing them.
“These spyware tools are being used to monitor, intimidate, and silence individuals far beyond China’s borders,” said Paul Chichester, Director of Operations at the NCSC. “We are working with our international partners to raise awareness and provide the information necessary to help protect those most at risk.”
The joint advisory includes detailed technical information and countermeasures intended for app developers, social media platforms, and cybersecurity professionals. It also outlines practical steps for at-risk users, such as installing apps only from trusted sources, avoiding jailbreaking or rooting devices, regularly auditing app permissions, and reporting suspicious links or messages.
The warning follows a growing body of evidence linking Chinese state-affiliated actors to long-term cyber-espionage campaigns. In December 2024, the Tibetan Computer Emergency Readiness Team (TibCERT) published a report detailing sustained attacks on Tibetan organizations over two decades. Earlier, in April 2024, Tibet-focused cybersecurity group Turquoise Roof revealed that hackers linked to the Chinese state had targeted the Tibetan government-in-exile and the office of the Dalai Lama.
In a related development, cybersecurity company ESET reported in March 2024 that a group known as Evasive Panda, with ties to the Chinese state, had been carrying out targeted attacks on Tibetan users since September 2023.
The latest advisory underscores the continued threat of digital surveillance facing civil society groups connected to China’s so-called “sensitive” regions and issues. Authorities encourage individuals working in these communities to take proactive steps to secure their devices and digital communications.