November 10, 2022

MOONSHINE: Evolving Android Surveillanceware by Chinese APT POISON CARP To Target Tibetans and Uyghurs



  • MOONSHINE is a surveillanceware family attributed to the Chinese hacking group POISON CARP.
  • In November 2022, Lookout published its in-depth analysis of MOONSHINE, which was previously discovered by Citizen Lab.
  • MOONSHINE, alongside BadBazaar, another malware family attributed to the Chinese APT group APT15, has been known to target Tibetan and Uyghur minorities within China. Lookout has been tracking BadBazaar since November 2022.
  • Lookout Mobile Endpoint Security customers are protected.

Contact us if you have been targeted or would like to consult with our research team on mobile threats.

What is MOONSHINE Android surveillanceware?

MOONSHINE is a family of Android surveillanceware that is attributed to the Chinese-backed hacking group POISON CARP, also known as Evil Eye and Earth Empusa. The spyware has been observed to target Tibetan and Uyghur communities in the name of keeping track of religious extremism or separatism.

MOONSHINE was first discovered in 2019 by Citizen Lab as part of a campaign targeting Tibetans. In November 2022, Lookout Threat Intelligence Lab researchers published their findings on updated variants of the spyware that were aimed at the Uyghur community.

Lookout observed that the deployment goal of MOONSHINE is to collect extensive data on its target. These can include call records, contacts, SMS, and WeChat data from Tencent wcdb database files. The spyware can also access the microphone and camera, as well as retrieve files from a location specified by the C2.

Early 2019 variants required excessive permissions and attempted to replace native libraries to collect data, and had artifacts suggesting that the app was still under development. In the second half of 2022, Lookout researchers acquired more than 50 unique samples that required fewer permissions and file replacements, and were trojanized versions of popular social media platforms like WhatsApp or Telegram, or Muslim-related apps.

Lookout’s analysis was published alongside a discovery of the Android variant of BadBazaar, a surveillanceware family that was also targeting Uyghurs. In 2023, Lookout also analyzed an iOS version of BadBazaar that was targeting the Tibetan community.

Technical analysis of MOONSHINE

In 2019, Citizen Lab reported an Android exploit targeting members of Tibetan activist groups using spear phishing messages sent through WhatsApp. This exploit, and the associated surveillance tool that was installed on compromised devices, was dubbed MOONSHINE and attributed to the APT group POISON CARP. The exploit followed a multi-stage installation process in which the initial link sent to a targeted victim downloaded an executable that installed subsequent modules, named Whisky, Bourbon, and Scotch, to overwrite legitimate native libraries in popular apps like Facebook and WeChat. These modules allowed the attacker to maintain persistence by establishing communications with a C2 server through web sockets and to initiate surveillance capabilities on the exploited device.

Early campaigns (early 2019)

Shortly after Citizen Lab’s disclosure, Lookout researchers discovered app-based Android surveillance tooling, acquired in early 2019, that did not exploit the device. Instead, it used a slightly modified version of “” to extract and run the “scotch.jar” payload responsible for performing surveillance activities. The names of both the native library file and the payload were identical to MOONSHINE, and many of the same indicators of compromise could be found in both implementations. Many of these early variants requested extensive permissions and appeared to be under development. However, some variants requiring fewer permissions introduced characteristics of the “Whisky” stage into the Scotch module, attempting to overwrite the same native library files in popular messaging apps like Facebook, QQ, or WeChat.

MOONSHINE examples Lookout examined looked to replace native library files from popular messaging apps.

2022 Uyghur-targeting campaigns

Since July 2022, Lookout researchers have discovered more than 50 unique samples of MOONSHINE that differ from the earlier variants. The rate at which new samples are deployed indicates these campaigns are ongoing. The majority of these samples are trojanized versions of popular social media platforms, like WhatsApp or Telegram, or trojanized versions of Muslim cultural apps, Uyghur-language tools, or prayer apps.

A subset of app icons used by recent samples of the MOONSHINE surveillance tool, which illustrates the different types of app it masquerades as.

Our MOONSHINE samples were acquired from multiple Uyghur-language communication channels, some boasting hundreds of members. Many of the apps shared within these channels were posted in response to requests for app suggestions, such as Android apps that provided offline map access. Occasionally, users would share an app with no context, but many attempted to legitimize their post with comments like, “This is the application I use,” or, “I have an app [that is] very convenient to use in Turkey. I don't know about other countries; try it.”

Telegram users publicly accuse certain channels or accounts of spreading malicious content.

Telegram channel members occasionally discuss surveillance apps that may have been shared through the channel (we believe some of these may be the malware described here), as well as other Uyghur-language accounts that have been accused of being “controlled by Chinese state surveillance operators.” More commonly, though, users seem willing to download apps shared by others within the channel.


The source code for these new trojanized apps is nearly identical to that of the legitimate app they pretend to be, with the exception that it loads a native library, “” This native library functions similarly to the “” library in the 2020 sample of MOONSHINE. It extracts and loads the “scotch.jar” surveillance payload to a directory named “app_sikhywis_ca55200e” and acquires C2 details for retrieving secondary modules. C2 operations are performed via websocket at a domain and port acquired by decrypting an XOR-encrypted series of bytes using a key derived from the last 4 bytes of the “” file.
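As an added illustration, not code from Lookout or from the malware, here is a defender-side decoder in Go for the C2 endpoint encoding described above: it takes the last 4 bytes of the native library image as the XOR key, decrypts the blob, and validates that the result is a host:port pair. Both the library image and the encrypted blob are constructed samples with a placeholder endpoint, and using the 4 tail bytes directly as the key is an assumption, since the report only says the key is derived from them.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"strconv"
)
// keyFromLib returns the last 4 bytes of the native library image. Assumption: the
// report says the key is "derived from" those bytes; here they are used directly.
func keyFromLib(lib []byte) ([]byte, error) {
	if len(lib) < 4 {
		return nil, fmt.Errorf("library image too short (%d bytes)", len(lib))
	}
	return lib[len(lib)-4:], nil
}

// xorRepeat XORs buf with a repeating key. XOR is its own inverse, so the same
// function builds the constructed sample below and decodes it.
func xorRepeat(buf, key []byte) []byte {
	out := make([]byte, len(buf))
	for i, b := range buf {
		out[i] = b ^ key[i%len(key)]
	}
	return out
}

// DecodeC2 recovers the websocket host and port from the XOR-encrypted blob. Output
// that does not parse as host:port is rejected, the usual sign of a wrong key.
func DecodeC2(lib, enc []byte) (string, int, error) {
	key, err := keyFromLib(lib)
	if err != nil {
		return "", 0, err
	}
	host, portStr, err := net.SplitHostPort(string(xorRepeat(enc, key)))
	if err != nil {
		return "", 0, fmt.Errorf("decrypted bytes are not host:port: %w", err)
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return "", 0, fmt.Errorf("invalid port %q", portStr)
	}
	return host, port, nil
}
// Constructed sample: a fake library image whose tail holds the key, and a blob
// built from a placeholder endpoint (not a real MOONSHINE C2).
var SampleLib = append(bytes.Repeat([]byte{0x7f}, 60), 0x13, 0x37, 0xc0, 0xde)
var SampleEnc = xorRepeat([]byte("c2.example.invalid:8443"), SampleLib[len(SampleLib)-4:])
func main() { fmt.Println(DecodeC2(SampleLib, SampleEnc)) }
```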

MOONSHINE’s native library decrypts and extracts the scotch app and loads it through a DexClassLoader.

The app-based MOONSHINE acquires the secondary modules, “bourbon.jar” and “icecube.jar,” mentioned in the Citizen Lab report. Newer variants developed in late 2022 introduce additional modules, “cpcom.jar” and “salt.jar.” All surveillance capabilities are implemented within these five modules.

MOONSHINE introduced two new modules in late 2022: cpcom.jar and salt.jar, which are downloaded to the same directory, app_sikhywis_ca55200e, as was previously encountered in earlier variants.

The specified C2 infrastructure is encrypted and stored in a SharedPreferences XML file named “8B14B755-C161-4804-A62B-8776315E07CD.xml.” Additional infrastructure may be specified by the C2 and added to this file for use by the malware after it has been initialized. A decryption method called “deserialize” Base64-decodes the configuration string and uses a hard-coded AES encryption key to decrypt the resulting value. The decrypted value is a GZIP-formatted string, which is unzipped to return a JSON array that is used by the malware client.

The obfuscated JSON string used by MOONSHINE is retrieved from the SharedPreferences file and decrypted to retrieve the MOONSHINE C2 domain and port.

Decrypting the string returns a list of modules to be used by the scotch app, as well as the C2 domain and port for acquiring these modules and performing C2 operations.
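The deserialize pipeline described above, as an added Go example that is neither Lookout's nor the malware's code: Base64 decode, AES decrypt, gunzip, then parse the JSON array (the report says the serialize() routine used on websocket traffic is similar). The cipher mode (AES-128-CBC with PKCS#7 padding and the IV prepended), the key and the JSON field names are assumptions, and the sample blob is constructed inside the block from a placeholder C2 endpoint.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/json"
	"fmt"
)
// Assumed (the page names none of these): AES-128-CBC, PKCS#7 padding, IV prepended, placeholder key.
var placeholderKey = []byte("0123456789abcdef")
// Deserialize mirrors the described pipeline: Base64 -> AES -> gunzip -> JSON array.
func Deserialize(key []byte, s string) ([]map[string]any, error) {
	raw, err := base64.StdEncoding.DecodeString(s)
	if err != nil || len(key) != 16 || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("need a 16-byte key and a Base64 blob of whole AES blocks")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	ct := raw[aes.BlockSize:]      // first block is the IV, ciphertext follows
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(ct, ct) // decrypt in place
	pad := int(ct[len(ct)-1]) // PKCS#7: the last byte gives the pad length
	if pad == 0 || pad > aes.BlockSize {
		return nil, fmt.Errorf("bad padding: wrong key or not a config blob")
	}
	zr, err := gzip.NewReader(bytes.NewReader(ct[:len(ct)-pad]))
	if err != nil {
		return nil, err // no GZIP magic: also a sign of the wrong key
	}
	var cfg []map[string]any
	return cfg, json.NewDecoder(zr).Decode(&cfg)
}
// Serialize is the inverse; it exists here only to build the constructed sample below.
func Serialize(key []byte, cfg []map[string]any) string {
	var gz bytes.Buffer
	zw := gzip.NewWriter(&gz)
	json.NewEncoder(zw).Encode(cfg)
	zw.Close()
	pad := aes.BlockSize - gz.Len()%aes.BlockSize
	plain := append(gz.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // fixed IV keeps the sample deterministic
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(plain, plain) // encrypt in place
	return base64.StdEncoding.EncodeToString(append(iv, plain...))
}
// Constructed sample: a placeholder C2 endpoint plus the module names the report lists.
var SampleBlob = Serialize(placeholderKey, []map[string]any{{"domain": "c2.example.invalid",
	"port": 443, "modules": []any{"bourbon.jar", "icecube.jar", "cpcom.jar", "salt.jar"}}})
func main() { fmt.Println(Deserialize(placeholderKey, SampleBlob)) }
```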

A list of MOONSHINE’s modules with their creation dates and the specified C2 websocket is stored in an encrypted XML file in the app’s SharedPreferences directory.

Once the malware client has acquired the C2 infrastructure, it initiates a web socket and establishes a connection with the C2. The malware client collects and sends extensive details about the device, including network activity, whether the device is rooted and the user’s IP address.

MOONSHINE collects a significant amount of information from the compromised device and exfiltrates it to the C2 during the websocket setup.

Two parameters, “whisky_id” and “score,” are also transmitted to the C2 during the client’s initial connection. The “whisky_id” value is a unique identifier for the device based on device information and its SD card. The “score” parameter is a numerical representation of how vulnerable the device is to surveillance. A point value is assigned for each permission granted to the malware client.

The scotch app calculates a vulnerability “score” for the device targeted by MOONSHINE based on which permissions are accessible or granted to the malware.

While previous variants of the MOONSHINE client attempted to gain persistence and access to extensive permissions by replacing the native libraries of other apps, these latest samples neither request extensive permissions from the user upon installation nor attempt to replace the native library files in any messaging apps. The “score” parameter appears to be an indicator that lets the threat actor decide how to proceed with the targeted device. After establishing its connection with the C2, the client is able to receive commands from the server to perform a variety of functions, depending on the score generated for the device. The malware client is capable of:

  • Call recording
  • Contact collection
  • Retrieving files from a location specified by the C2
  • Collecting device location data
  • Exfiltrating SMS messages
  • Camera capture
  • Microphone recording
  • Establishing a SOCKS proxy
  • Collecting WeChat data from Tencent wcdb database files

Communications are sent over a secure websocket and are additionally encrypted before transmission using a custom method named “serialize()”, similar to the one used to encrypt the SharedPreferences configuration file.

Lookout researchers intercepted communications between the MOONSHINE client and server using Frida.

In earlier variants of MOONSHINE, commands were structured as uppercase, underscore-separated descriptions of the surveillance feature in use: “GET_CALLLOG,” “DEV_INFO,” etc. The latest versions of MOONSHINE now use websocket “groups” to classify the kind of surveillance capability being reported or commanded, and a “command” to further specify the actions being taken with that feature. For example, the C2 may request the malware client to perform some function with the compromised device’s camera with “list” or “capture”. If the command “list” is received, the client sends a list of all cameras on the device to the C2. If “capture” is received, the malware begins recording with the device camera.


All MOONSHINE samples connect to administrator panels similar to those shown in the 2019 Citizen Lab report. These panels use domain names hosted by free dynamic DNS services. Unlike early panels, however, all recent panels are named “SCOTCH ADMIN” exclusively.

The login panels for the C2 infrastructure of MOONSHINE.

We were able to obtain the number of device IDs stored in the C2 server database, along with the unique whisky_id, the number of items exfiltrated from device contacts, call log, location, and SMS, and an alias if one was given to the device. A handful of these devices are assigned the alias “test.” Many have not been assigned aliases, while those that do follow one of the following formats: “\d-real”, “A-\d”, “t\d”, “t\d yyyy-mm-dd”

At the time of reporting, 635 devices were logged across three “SCOTCH ADMIN” panels, with timestamps indicating continued surveillance.


Previous reporting on campaigns of POISON CARP, also known as Evil Eye and Earth Empusa, has indicated a suspected link between the Chinese government and the threat actor. In their report from March 2021, Facebook found specific connections between two Android-targeted POISON CARP malware families, PluginPhantom and ActionSpy, and the Chinese software development companies Beijing Best United Technology Co., Ltd. (Best Lh) and Dalian 9Rush Technology Co., Ltd. (9Rush).

The 2022 MOONSHINE samples contain details within the source code indicating that the developers are likely Chinese speaking. These include specific checks for whether the victim device is on a Chinese telecom network, and reliance on the popular Chinese search engine Baidu and a hard-coded Chinese IP address to test network connectivity. Additionally, the server-side API includes documentation and inline comments written in Simplified Chinese.

API documentation found on the MOONSHINE C2 servers is written in Simplified Chinese, indicating the developers are likely Chinese-speaking and based in Mainland China.

While Lookout researchers could not connect the malware client or infrastructure to a specific technology company, the malware client is a well-built and full-featured surveillance tool that would have likely required substantial resources. This seems to suggest that some kind of professional development company or collective was responsible for its production.

Indicators of Compromise

SHA1 of APKs
Kristina Balaam

Staff Security Intelligence Engineer

Kristina is a Staff Security Intelligence Engineer at Lookout where she reverse engineers mobile malware. Prior to Lookout, she worked as an Application Security Engineer at Shopify focusing mostly on Android mobile security. Kristina graduated with a Bachelor of Computer Science from McGill University in 2012, and is currently pursuing an MSc. in Information Security Engineering from the SANS Institute of Technology. She blogs about computer security on Instagram, Twitter and YouTube under the handle @chmodxx.

Alemdar Islamoglu

Staff Security Intelligence Researcher

Alemdar Islamoglu is a security intelligence engineer at Lookout who focuses on mobile threats and related threat actors. He has prior experience in reverse engineering, pentesting, and security software development. He also enjoys organizing and participating in capture the flag competitions when he can find the time.

Justin Albrecht

Global Director, Mobile Threat Intelligence

Justin Albrecht is the Global Director of Mobile Threat Intelligence. He works with his team to uncover new mobile threats, track actors and targets, and provide accurate research and reporting on these issues. Justin has over 20 years of experience tracking cyber threat actors, terrorists, and intelligence activities in both the intelligence community, and more recently as a member of Lookout’s Threat Intelligence Team.

Ruohan Xiong

Senior Security Intelligence Researcher

Ruohan is a security researcher at Lookout whose work focuses on reverse engineering mobile malware and building threat detections. Prior to Lookout he worked with Citizen Lab, where his research focus was on censorship and information controls on social media platforms. Ruohan has also worked as a threat intelligence analyst at a telecommunications company. Ruohan graduated from the University of Toronto with a bachelor's degree in electrical and computer engineering.
