{ "type": "URL", "indicator": "https://tengri.ooguy.com/gheyret/Update", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://tengri.ooguy.com/gheyret/Update", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4063726055, "indicator": "https://tengri.ooguy.com/gheyret/Update", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 5, "pulses": [ { "id": "680f07377e6aaa99a9dafcc4", "name": "Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware", "description": "This analysis details a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) in March 2025. The attackers used a trojanized version of a legitimate Uyghur language text editor to deliver Windows-based malware for remote surveillance. While not technically advanced, the malware delivery was well-customized to reach the Uyghur community. This incident is part of a broader pattern of digital transnational repression against Uyghur diaspora by actors likely aligned with the Chinese government. The malware profiled systems, sent information to remote servers, and could load additional malicious plugins. The campaign demonstrates the ongoing digital threats facing exiled Uyghur communities and the exploitation of software meant to support marginalized cultures.", "modified": "2025-04-28T08:26:07.337000", "created": "2025-04-28T04:42:31.858000", "tags": [ "gheyretdetector backdoor", "remote surveillance", "uyghureditpp trojan", "digital transnational repression", "uyghur", "diaspora targeting", "spearphishing", "world uyghur congress", "trojanized software" ], "references": [ "https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "UyghurEditPP trojan", "display_name": "UyghurEditPP trojan", "target": null }, { "id": "GheyretDetector backdoor", "display_name": "GheyretDetector backdoor", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "NGO" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 1, "hostname": 3 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386858, "modified_text": "400 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6842284d6a04a6c334dc13ef", "name": "InQuest - 05-06-2025", "description": "", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:29:17.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 247, "URL": 881, "domain": 522, "hostname": 127, "FileHash-SHA1": 113, "FileHash-MD5": 47 }, "indicator_count": 1937, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68250e8def3c30da436ac117", "name": "AS400519 PLAYIT-GG", "description": "", "modified": "2025-06-13T21:03:35.772000", "created": "2025-05-14T21:43:41.937000", "tags": [ "stormkitty", "cryptbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "domain": 61, "hostname": 76, "URL": 80, "FileHash-SHA256": 26 }, "indicator_count": 245, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68132ffccaecea9b8666986d", "name": "Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware - The Citizen Lab", "description": "", "modified": "2025-05-31T08:05:19.374000", "created": "2025-05-01T08:25:32.102000", "tags": [ "malware", "china", "spearphishing", "uyghur", "uyghurs", "xinjiang", "google", "citizen lab", "march", "uyghur language", "uyghur diaspora", "world uyghur", "june", "april", "february", "virustotal", "media", "zero", "android", "munich", "assembly", "service", "download", "final", "major" ], "references": [ "https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 1, "domain": 5, "hostname": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "367 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68133000d12a8e48b63a33d9", "name": "Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware - The Citizen Lab", "description": "", "modified": "2025-05-31T08:05:19.374000", "created": "2025-05-01T08:25:36.277000", "tags": [ "malware", "china", "spearphishing", "uyghur", "uyghurs", "xinjiang", "google", "citizen lab", "march", "uyghur language", "uyghur diaspora", "world uyghur", "june", "april", "february", "virustotal", "media", "zero", "android", "munich", "assembly", "service", "download", "final", "major" ], "references": [ "https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 1, "domain": 5, "hostname": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "367 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://labs.inquest.net/iocdb", "https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/", "https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware" ], "related": { "alienvault": { "adversary": [], "malware_families": [ "Uyghureditpp trojan", "Gheyretdetector backdoor" ], "industries": [ "Ngo", "Government" ], "unique_indicators": 8 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 2332 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/ooguy.com", "whois": "http://whois.domaintools.com/ooguy.com", "domain": "ooguy.com", "hostname": "tengri.ooguy.com" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 5, "pulses": [ { "id": "680f07377e6aaa99a9dafcc4", "name": "Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware", "description": "This analysis details a spearphishing campaign targeting senior members of the World Uyghur Congress (WUC) in March 2025. The attackers used a trojanized version of a legitimate Uyghur language text editor to deliver Windows-based malware for remote surveillance. While not technically advanced, the malware delivery was well-customized to reach the Uyghur community. This incident is part of a broader pattern of digital transnational repression against Uyghur diaspora by actors likely aligned with the Chinese government. The malware profiled systems, sent information to remote servers, and could load additional malicious plugins. The campaign demonstrates the ongoing digital threats facing exiled Uyghur communities and the exploitation of software meant to support marginalized cultures.", "modified": "2025-04-28T08:26:07.337000", "created": "2025-04-28T04:42:31.858000", "tags": [ "gheyretdetector backdoor", "remote surveillance", "uyghureditpp trojan", "digital transnational repression", "uyghur", "diaspora targeting", "spearphishing", "world uyghur congress", "trojanized software" ], "references": [ "https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware" ], "public": 1, "adversary": "", "targeted_countries": [ "China" ], "malware_families": [ { "id": "UyghurEditPP trojan", "display_name": "UyghurEditPP trojan", "target": null }, { "id": "GheyretDetector backdoor", "display_name": "GheyretDetector backdoor", "target": null } ], "attack_ids": [ { "id": "T1033", "name": "System Owner/User Discovery", "display_name": "T1033 - System Owner/User Discovery" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1053", "name": "Scheduled Task/Job", "display_name": "T1053 - Scheduled Task/Job" }, { "id": "T1016", "name": "System Network Configuration Discovery", "display_name": "T1016 - System Network Configuration Discovery" }, { "id": "T1059", "name": "Command and Scripting Interpreter", "display_name": "T1059 - Command and Scripting Interpreter" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1204", "name": "User Execution", "display_name": "T1204 - User Execution" }, { "id": "T1057", "name": "Process Discovery", "display_name": "T1057 - Process Discovery" }, { "id": "T1566", "name": "Phishing", "display_name": "T1566 - Phishing" }, { "id": "T1571", "name": "Non-Standard Port", "display_name": "T1571 - Non-Standard Port" }, { "id": "T1095", "name": "Non-Application Layer Protocol", "display_name": "T1095 - Non-Application Layer Protocol" }, { "id": "T1105", "name": "Ingress Tool Transfer", "display_name": "T1105 - Ingress Tool Transfer" } ], "industries": [ "Government", "NGO" ], "TLP": "white", "cloned_from": null, "export_count": 26, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 1, "hostname": 3 }, "indicator_count": 8, "is_author": false, "is_subscribing": null, "subscriber_count": 386858, "modified_text": "400 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6842284d6a04a6c334dc13ef", "name": "InQuest - 05-06-2025", "description": "", "modified": "2025-07-05T23:04:57.997000", "created": "2025-06-05T23:29:17.072000", "tags": [], "references": [ "https://labs.inquest.net/iocdb" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "green", "cloned_from": null, "export_count": 24, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunterAutoFeed", "id": "182496", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_182496/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 247, "URL": 881, "domain": 522, "hostname": 127, "FileHash-SHA1": 113, "FileHash-MD5": 47 }, "indicator_count": 1937, "is_author": false, "is_subscribing": null, "subscriber_count": 1623, "modified_text": "331 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68250e8def3c30da436ac117", "name": "AS400519 PLAYIT-GG", "description": "", "modified": "2025-06-13T21:03:35.772000", "created": "2025-05-14T21:43:41.937000", "tags": [ "stormkitty", "cryptbot" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 16, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "skocherhan", "id": "249290", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_249290/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "domain": 61, "hostname": 76, "URL": 80, "FileHash-SHA256": 26 }, "indicator_count": 245, "is_author": false, "is_subscribing": null, "subscriber_count": 184, "modified_text": "353 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68132ffccaecea9b8666986d", "name": "Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware - The Citizen Lab", "description": "", "modified": "2025-05-31T08:05:19.374000", "created": "2025-05-01T08:25:32.102000", "tags": [ "malware", "china", "spearphishing", "uyghur", "uyghurs", "xinjiang", "google", "citizen lab", "march", "uyghur language", "uyghur diaspora", "world uyghur", "june", "april", "february", "virustotal", "media", "zero", "android", "munich", "assembly", "service", "download", "final", "major" ], "references": [ "https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 1, "domain": 5, "hostname": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "367 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "68133000d12a8e48b63a33d9", "name": "Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware - The Citizen Lab", "description": "", "modified": "2025-05-31T08:05:19.374000", "created": "2025-05-01T08:25:36.277000", "tags": [ "malware", "china", "spearphishing", "uyghur", "uyghurs", "xinjiang", "google", "citizen lab", "march", "uyghur language", "uyghur diaspora", "world uyghur", "june", "april", "february", "virustotal", "media", "zero", "android", "munich", "assembly", "service", "download", "final", "major" ], "references": [ "https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 3, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "CyberHunter_NL", "id": "171283", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_171283/resized/80/avatar_3b9c358f36.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-SHA256": 4, "URL": 1, "domain": 5, "hostname": 3 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 862, "modified_text": "367 days ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://tengri.ooguy.com/gheyret/Update", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://tengri.ooguy.com/gheyret/Update", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780394561.2501502 }