POISON CARP

POISON CARP is a China-linked threat actor tracked by Citizen Lab and others, associated with cyber espionage and surveillance activity targeting Tibetan groups and, through related activity, Uyghur communities. Citizen Lab and TibCERT reported that between November 2018 and May 2019, POISON CARP targeted senior members of Tibetan organizations, including the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups, using tailored WhatsApp social engineering by fake personas posing as NGO workers, journalists, volunteers, and tourists. The campaign used one-click mobile browser exploitation against both iOS and Android devices and is described as the first documented use of one-click mobile exploits against Tibetan groups. In that campaign, POISON CARP used an iOS exploit chain and spyware implant, plus an Android exploit-and-spyware framework named MOONSHINE. The iOS activity used the domain msap[.]services with unique short links, exploit delivery encrypted with ECC Diffie-Hellman, and an implant that exfiltrated device and application data including location, contacts, call history, SMS history, and data from apps such as Viber, Voxer, Telegraph, Gmail, Twitter, QQMail, and WhatsApp. The Android MOONSHINE framework used multiple Chrome exploits mapped to browser versions, including exploits associated with CVE-2016-1646, CVE-2016-5198, CVE-2017-5030, CVE-2017-5070, CVE-2018-6065, CVE-2018-17463, CVE-2018-17480, and CVE-2019-5825. MOONSHINE attempted to force malicious URLs to open inside the Facebook app’s built-in Chrome-based browser, downloaded a loader into Facebook or Facebook Messenger directories, and achieved persistence by overwriting shared library files in legitimate apps. Its final Android implant, called Scotch, communicated over WebSocket on port 10011 and downloaded plugins including Bourbon.jar and IceCube.jar to enable surveillance functions such as SMS, contacts, call logs, GPS location, camera images, microphone audio, screenshots, notifications, file upload, and shell command execution. The content states that POISON CARP also used Android browser exploits from a variety of sources, including publicly released exploit material, and in one case used a working Exodus Intelligence exploit for a Google Chrome vulnerability that had been fixed in source but whose patch had not yet been distributed to users. On May 31, 2019, a Tibetan Parliament member received a WhatsApp message containing both a malicious Google OAuth application link for Energy Mail and a MOONSHINE link, tying OAuth phishing to the same operator. Researchers linked POISON CARP to campaigns previously reported by Google Project Zero and Volexity targeting the Uyghur community through shared iOS exploits, similar spyware, and the domain msap[.]services. Citizen Lab and TibCERT assessed that POISON CARP and the related Uyghur-focused campaigns were likely conducted by the same operator or a closely coordinated group interested in ethnic minority groups sensitive to China’s security interests. Lookout’s 2022 reporting described MOONSHINE as Android surveillanceware used by the Chinese APT POISON CARP to target Tibetans and Uyghurs. The content also states that Citizen Lab tracks I-Soon as POISON CARP, and that leaked I-Soon data highlighted how cost-effective this contractor model has been for the Chinese government. Unit 42 reported infrastructure overlap between leaked I-Soon materials and POISON CARP activity, including an IP address appearing in I-Soon conversations that was linked to phishing infrastructure associated with the POISON CARP campaign. No additional aliases or sub-groups beyond POISON CARP are directly provided in the content.