Meta

Taking Action Against Hackers in China

Facebook threat intelligence analysts and security experts work to find and stop a wide range of threats, including cyber espionage campaigns, influence operations and hacking of our platform by nation-state actors and other groups. As part of these efforts, our teams routinely disrupt adversary operations by disabling them, notifying users if they should take steps to protect their accounts, sharing our findings publicly and continuing to improve the security of our products.

Today, we’re sharing actions we took against a group of hackers in China known in the security industry as Earth Empusa or Evil Eye — to disrupt their ability to use their infrastructure to abuse our platform, distribute malware and hack people’s accounts across the internet. They targeted activists, journalists and dissidents predominantly among Uyghurs from Xinjiang in China primarily living abroad in Turkey, Kazakhstan, the United States, Syria, Australia, Canada and other countries. This group used various cyber espionage tactics to identify its targets and infect their devices with malware to enable surveillance. 

This activity had the hallmarks of a well-resourced and persistent operation while obfuscating who’s behind it. On our platform, this cyber espionage campaign manifested primarily in sending links to malicious websites rather than direct sharing of the malware itself. We saw this activity slow down at various times, likely in response to our and other companies’ actions to disrupt their activity. 

We identified the following tactics, techniques and procedures (TTPs) used by this threat actor across the internet:

We shared our findings and threat indicators with industry peers so they too can detect and stop this activity. To disrupt this operation, we blocked malicious domains from being shared on our platform, took down the group’s accounts and notified people who we believe were targeted by this threat actor.

Threat Indicators:

Hashes

The descriptions below are the names under which the trojanized Android apps were offered; the malware family names follow the industry reporting on PluginPhantom and ActionSpy.

MD5 Hash | Description | Malware Family
--- | --- | ---
10c1f38305792a0f925e8a2cf9482ce3 | Keyboard | PluginPhantom
3c0a20f0726032ad816e670971509b2d | قۇرئان كەرىم (The Holy Quran) | PluginPhantom
01fe88068e43c2276f7d8bbf54824f0f | 系统服务 (System Service) | PluginPhantom
fd8da30dd9e45bd31af79a9652d50ece | 地球 (Earth) | PluginPhantom
10748ca7648d26316b4857b6139ca93d | AwazlikKitap | PluginPhantom
a5199e6f1904f5a532a562fbb9d5abc6 | Uighur Keyboard | PluginPhantom
670a389a93b82ccf198dd7789a865096 | Ekran | ActionSpy
9bc5fec740bdb4d93f2da9b2db75dc3f | Uyghurs History | ActionSpy

Domains

Domains are defanged with [.] so they are not clickable; refang them before loading into a blocklist or matching against logs.

Domain | Description
--- | ---
misran[.]org | Hosting PluginPhantom malware
apkprue[.]info | Hosting PluginPhantom malware
www.apkpure[.]bz | Hosting PluginPhantom malware
gotossl[.]ml | Hosting ActionSpy malware
geo2ipapi[.]org | Hosting ActionSpy malware
anayurt[.]net | Hosting ActionSpy malware
preservtyg[.]com | Watering hole with malicious iframe
uhtpuerdfbnm[.]com | Watering hole with malicious iframe
uyghurhaber[.]com | Watering hole with malicious iframe
newyorkingsite[.]com | Watering hole with malicious iframe
istiqlaihaber[.]com | Watering hole with malicious iframe
uyghur-news[.]com | Watering hole with malicious iframe
strunhvgpk[.]com | Contained malicious JavaScript resembling previously reported exploit code that installed INSOMNIA
sslportservices[.]com | Connected to infrastructure hosting malicious JavaScript
playgoog1e[.]com | Believed to be used to host Android malware
www.apkhl[.]pw | Believed to be used to host Android malware
uyghur-soft-market[.]com | Believed to be used to host Android malware
icptime[.]com | Believed to be used to host Android malware
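The indicators above are only useful once they are matched against something. The following script is an added example, not code from Meta or from the original post: it refangs the domain list, matches proxy-log hostnames against it with label-boundary awareness (so "static.uyghur-news.com" is caught while "notuyghur-news.com" is not), and looks up APK MD5 digests in the hash table. The log format and the log lines themselves are constructed for the example; adapt the regular expression to your own proxy or DNS logs.

```python
"""Match the Earth Empusa / Evil Eye indicators against logs and APK hashes.

Added example; the indicator values are copied from the tables above, the log
format and sample lines are constructed for illustration.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Domains exactly as published (defanged).
DEFANGED_DOMAINS = [
    "misran[.]org", "apkprue[.]info", "www.apkpure[.]bz", "gotossl[.]ml",
    "geo2ipapi[.]org", "anayurt[.]net", "preservtyg[.]com", "uhtpuerdfbnm[.]com",
    "uyghurhaber[.]com", "newyorkingsite[.]com", "istiqlaihaber[.]com",
    "uyghur-news[.]com", "strunhvgpk[.]com", "sslportservices[.]com",
    "playgoog1e[.]com", "www.apkhl[.]pw", "uyghur-soft-market[.]com", "icptime[.]com",
]

# MD5 -> family (app name) from the hash table above.
MALWARE_MD5: Dict[str, str] = {
    "10c1f38305792a0f925e8a2cf9482ce3": "PluginPhantom (Keyboard)",
    "3c0a20f0726032ad816e670971509b2d": "PluginPhantom (The Holy Quran)",
    "01fe88068e43c2276f7d8bbf54824f0f": "PluginPhantom (System Service)",
    "fd8da30dd9e45bd31af79a9652d50ece": "PluginPhantom (Earth)",
    "10748ca7648d26316b4857b6139ca93d": "PluginPhantom (AwazlikKitap)",
    "a5199e6f1904f5a532a562fbb9d5abc6": "PluginPhantom (Uighur Keyboard)",
    "670a389a93b82ccf198dd7789a865096": "ActionSpy (Ekran)",
    "9bc5fec740bdb4d93f2da9b2db75dc3f": "ActionSpy (Uyghurs History)",
}


def refang(domain: str) -> str:
    """Turn 'example[.]com' into 'example.com', lower-cased, no trailing dot."""
    return domain.replace("[.]", ".").lower().rstrip(".")


INDICATOR_DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}


def matches_indicator(hostname: str) -> Optional[str]:
    """Return the indicator that hostname equals or is a subdomain of, else None.

    Suffixes are checked at label boundaries, so 'notuyghur-news.com' does not
    match 'uyghur-news.com'. Where the table lists a 'www.' host only, the bare
    registrable domain is deliberately not matched; widening to it is an
    operator's judgement call, not something the published list states.
    """
    labels = hostname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in INDICATOR_DOMAINS:
            return candidate
    return None


# Constructed proxy-log format: "<timestamp> <client> <method> <url> <status>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

# Constructed sample lines (not real traffic); the last two probe edge cases.
SAMPLE_LOG = """\
2021-03-24T10:01:02Z 10.0.0.12 GET https://www.apkpure.bz/Keyboard.apk 200
2021-03-24T10:01:05Z 10.0.0.12 GET https://cdn.example.org/app.js 200
2021-03-24T10:02:11Z 10.0.0.31 GET http://uyghur-news.com/news/2021.html 200
2021-03-24T10:02:12Z 10.0.0.31 GET http://static.uyghur-news.com/frame.js 200
2021-03-24T10:03:00Z 10.0.0.44 GET https://notuyghur-news.com/ 200
2021-03-24T10:04:00Z 10.0.0.44 GET https://GOTOSSL.ML/update 200
"""


def scan_log(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (client, hostname, matched_indicator) for every line that hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the constructed format; skip it
        host = urlsplit(m.group("url")).hostname  # already lower-cased by urlsplit
        if not host:
            continue
        ioc = matches_indicator(host)
        if ioc:
            hits.append((m.group("client"), host, ioc))
    return hits


def lookup_md5(hexdigest: str) -> Optional[str]:
    """Look a digest up in the published hash table (case-insensitive)."""
    return MALWARE_MD5.get(hexdigest.strip().lower())


def check_apk_bytes(data: bytes) -> Optional[str]:
    """MD5 is used only because that is what the post publishes: a lookup key, not an integrity check."""
    return lookup_md5(hashlib.md5(data).hexdigest())


if __name__ == "__main__":
    for client, host, ioc in scan_log(SAMPLE_LOG):
        print(f"{client} contacted {host} (indicator: {ioc})")
    print(check_apk_bytes(b"constructed placeholder, not a real sample"))
```

Feeding the constructed log through scan_log flags four of the six lines: the exact hits on www.apkpure.bz and uyghur-news.com, the subdomain static.uyghur-news.com, and the upper-cased GOTOSSL.ML, while notuyghur-news.com and cdn.example.org are left alone. Hash matching on MD5 catches only byte-identical samples, so treat the domain list as the stronger signal.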