Advisory
The Australian Cyber Security Centre (ACSC) released an advisory on the BadBazaar and Moonshine spyware families, which have been actively targeting vulnerable communities and activists in the Asia-Pacific region.
The Department of Information and Communications Technology (DICT), through the National Cyber Security Center (NCSC), issues this advisory to alert all PNG Government departments, agencies, and the general public about ongoing spyware operations targeting vulnerable communities and activists in the Asia-Pacific region.
Background
According to the Australian Cyber Security Centre (ACSC), two separate Android spyware campaigns known as BadBazaar and Moonshine have been actively targeting Uyghur, Tibetan, and Taiwanese groups, including civil society actors, journalists, and political dissidents.
1. BadBazaar Spyware
BadBazaar is a custom Android malware attributed to the China-linked advanced persistent threat (APT) group APT15. It is primarily distributed through:
- Malicious apps disguised as legitimate communication and messaging tools
- Third-party Android app stores
- Direct sharing via compromised links or QR codes
BadBazaar is capable of:
- Exfiltrating sensitive user data (calls, messages, location)
- Recording audio
- Uploading files from the device
- Harvesting contact lists and app data
2. Moonshine Spyware
Moonshine is another Android spyware family believed to be used by Chinese APT actors. It has been delivered via:
- Compromised websites that redirect users to malicious payloads
- Fake versions of popular social and news apps
It collects:
- Device metadata
- Photos, messages, and stored files
- Data from encrypted apps like Signal and Telegram
These campaigns have mainly targeted:
- Ethnic minority communities, particularly Uyghur and Tibetan individuals
- Taiwanese pro-democracy organizations
- Journalists and human rights defenders
- Diaspora and refugee groups
Mitigation
To safeguard your organization’s data and stakeholders, the DICT and NCSC recommend the following actions:
For Government Agencies and Civil Society Organizations:
- Educate Users: Raise awareness about suspicious apps and links, especially among individuals working with or belonging to targeted groups.
- Avoid Third-party App Stores: Only install apps from the official Google Play Store.
- Enforce Mobile Security Policies: Use mobile threat defense solutions to detect and block spyware.
- Monitor Network Traffic: Look for abnormal communications or data exfiltration behaviors from Android devices.
For Individuals in High-risk Groups:
- Use Secure Messaging Apps (e.g., Signal, WhatsApp) and keep them updated
- Enable Two-Factor Authentication on all accounts
- Avoid Installing Unknown APK Files
- Update Android Devices Regularly to patch known vulnerabilities
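A practical way to check the "official app store only" and "no unknown APK files" recommendations above is to list each installed package with its installer. The script below is an added example, not part of the original advisory: it parses constructed sample output in the format printed by `adb shell pm list packages -i` (assumed to be `package:<name>  installer=<installer|null>`) and flags any package whose installer is not the Google Play Store (`com.android.vending`).

```shell
#!/bin/sh
# Flag Android packages that were not installed from the official Play Store.
# Constructed sample of `adb shell pm list packages -i` output (assumption:
# one line per package, "package:<name>  installer=<installer|null>").
SAMPLE_PM_OUTPUT='package:com.android.chrome  installer=com.android.vending
package:org.thoughtcrime.securesms  installer=com.android.vending
package:com.example.fakemessenger  installer=null
package:com.example.newsreader  installer=com.thirdparty.store'

# Print "<package> <installer>" for every package whose installer is not
# the Play Store. Sideloaded APKs show up with installer=null.
find_sideloaded() {
    # $1: pm output text
    printf '%s\n' "$1" | while IFS= read -r line; do
        pkg=${line#package:}
        pkg=${pkg%%[[:space:]]*}
        installer=${line##*installer=}
        [ "$installer" = "com.android.vending" ] || printf '%s %s\n' "$pkg" "$installer"
    done
}

# Number of flagged packages, for a quick pass/fail check (0 means clean).
count_sideloaded() {
    find_sideloaded "$1" | wc -l | tr -d ' '
}

# On a real device, replace the sample with: find_sideloaded "$(adb shell pm list packages -i)"
find_sideloaded "$SAMPLE_PM_OUTPUT"
```

A non-Play installer is not proof of compromise (enterprise MDM and vendor stores also appear here), but every flagged package on a high-risk user's device deserves a closer look.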
For more detailed information and the original advisory, please visit the ACSC alert:
BadBazaar and Moonshine spyware targeting Uyghur, Taiwanese and Tibetan groups
The NCSC and DICT remain committed to enhancing Papua New Guinea’s cybersecurity and protecting the digital safety of its citizens and institutions.
For assistance or further inquiries, please contact the National Cyber Security Center (NCSC).