In March 2025, a new cyberattack targeted senior members of the World Uyghur Congress (WUC). The attackers deployed Windows-based malware designed to spy on their activities. This campaign marks another sharp escalation in digital threats faced by Uyghur communities abroad.
The attackers used a spear-phishing strategy built around a trojanized tool called UyghurEdit++. Originally an open-source word processor for the Uyghur language, the tool was turned into a vehicle for malware. While the spyware itself was not highly advanced, the way it was delivered showed a clear understanding of the target group.
Citizen Lab, a digital rights research center at the University of Toronto, traced this campaign back to May 2024. Their investigation started after several WUC leaders received alerts from Google, warning of state-backed intrusion attempts. Many of these warnings came on March 5, 2025.
The phishing emails appeared to come from trusted contacts at partner organizations. They contained Google Drive links that led users to download password-protected RAR files. Inside those archives hid a compromised version of UyghurEdit++. Once installed, the malware collected system information and sent it to a remote server at “tengri.ooguy[.]com.”
Beyond basic spying, the malware could download extra malicious plugins and run commands on infected machines. This expanded the reach of the attack far beyond initial compromise.
Citizen Lab believes this campaign is part of a broader pattern of digital transnational repression against Uyghurs. Although the exact group behind the attack remains unknown, the techniques and focus suggest links to Chinese government interests.
According to Citizen Lab, China’s digital repression aims to isolate Uyghurs from their homeland, control information flows, and block any influence they might have on global opinions about human rights abuses in Xinjiang.
This latest campaign is a harsh reminder: even in exile, Uyghur communities remain under digital siege.
