GLITTER CARP
GLITTER CARP is a China-aligned phishing cluster identified by Citizen Lab and linked to a broader campaign aligned with Chinese government intelligence priorities. Citizen Lab assessed with high confidence that the attacks were carried out at the request of the Chinese government, and with medium confidence that commercial contractors in China's Military-Civil Fusion ecosystem may have conducted the campaign. The cluster has been active since at least April 2025. GLITTER CARP has been linked to overlapping infrastructure and activity previously documented by Proofpoint as UNK_SparkyCarp.

GLITTER CARP has targeted Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as investigative journalists and civil society organizations. Reported targets include the International Consortium of Investigative Journalists (ICIJ), journalist Scilla Alecci, the World Uyghur Congress, the Uyghur Rights Advocacy Project, the Uyghur Human Rights Project, Tibetan activists including the Director of TibCERT, Taiwanese media organization Watchout, Hong Kong activist Carmen Lau, and, per Proofpoint reporting, the Taiwanese semiconductor industry.

The group conducts broad and persistent phishing and digital impersonation operations focused on obtaining email credentials or third-party access. Observed tradecraft includes impersonation emails mimicking known individuals, journalists, ICIJ-associated identities, and technology company security alerts; credential-harvesting pages; fake login pages; fake security alerts; use of 1x1 tracking pixels to confirm email opens and collect limited device and approximate location telemetry; and reuse of infrastructure, domains, and impersonated personas across campaigns. Citizen Lab tied more than 100 domains to GLITTER CARP over a nine-month period. The cluster also used WhatsApp outreach in at least one case.
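As an added example (not code from Citizen Lab, Proofpoint or Mallory's reporting), the script below shows how a mail gateway or responder could triage a raw RFC 822 message for two of the artifacts described above: a remote, 1x1 or hidden tracking pixel used to confirm opens, and a sender display name that matches a known contact but arrives from a different address. The sample message, the tracker hostname and the contact list are constructed for the example; they are not indicators from the reporting.

```python
"""Triage a raw email for tracking pixels and display-name impersonation.

Added example; the message, hostnames and contacts below are constructed
and are NOT indicators attributed to GLITTER CARP.
"""
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for width/height values of 0 or 1 (with or without 'px')."""
    v = value.strip().lower().rstrip("px")
    return v in ("0", "1")


def find_tracking_pixels(html):
    """Return src URLs of remote <img> tags that are 1x1 or hidden."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.imgs:
        src = attrs.get("src", "")
        # Inline cid:/data: images cannot beacon out; only remote ones matter.
        if urlparse(src).scheme not in ("http", "https"):
            continue
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", ""))
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            hits.append(src)
    return hits


def display_name_mismatch(from_header, known_contacts):
    """Return (name, addr) when the display name is a known contact but the
    address is not one we expect for that contact; None otherwise.

    known_contacts maps a lower-cased display name to a set of addresses.
    """
    name, addr = parseaddr(str(from_header))
    expected = known_contacts.get(name.strip().lower())
    if expected is None:
        return None
    return None if addr.lower() in expected else (name, addr)


def analyze(raw_message, known_contacts):
    """Parse a raw message and return both checks as a dict."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    html = ""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            html += part.get_content()
    return {
        "tracking_pixels": find_tracking_pixels(html),
        "impersonation": display_name_mismatch(msg["From"], known_contacts),
    }


# Constructed sample: a lure that borrows a known journalist's name from a
# look-alike domain and embeds a remote 1x1 beacon next to an inline logo.
SAMPLE_MESSAGE = """From: "Jane Reporter" <jane.reporter@example-mail.net>
To: target@example.org
Subject: Follow-up on our story
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi, could you review the attached draft?</p>
<img src="https://tracker.example.net/open.gif?id=abc123" width="1" height="1">
<img src="cid:logo" width="1" height="1">
</body></html>
"""

# Constructed contact list: the address we actually have on file for Jane.
KNOWN_CONTACTS = {"jane reporter": {"jane.reporter@example.org"}}

if __name__ == "__main__":
    print(analyze(SAMPLE_MESSAGE, KNOWN_CONTACTS))
```

The cid: image is deliberately ignored even though it is 1x1: only a remote fetch leaks the open event and the device or location telemetry, so that is the condition worth alerting on. Rendering mail with remote images disabled by default neutralises the beacon regardless of detection.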
Citizen Lab also observed concurrent targeting using an adversary-in-the-middle phishing kit associated with GLITTER CARP and UNK_SparkyCarp. In malware delivery activity associated with this cluster, an email from an Amelia Chavez-themed account delivered a remotely hosted file that would install a custom backdoor if executed; Proofpoint tracks this malware as HealthKick, and Volexity tracks the same or related malware as an early variant of GOVERSHELL. Known aliases and related tracking names mentioned in the reporting include UNK_SparkyCarp; related malware names include HealthKick and GOVERSHELL. GLITTER CARP was reported alongside a separate but related China-affiliated cluster, SEQUIN CARP, as part of a broader pattern blending state espionage with digital transnational repression.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Media & Entertainment
- Independent Media
- Semiconductors & Semiconductor Equipment
Where they target
Geographies tied to known operations.
- 🇨🇦 Canada
- 🇹🇼 Taiwan
- 🇬🇧 United Kingdom
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
11 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
1 malware family attributed to this actor across reporting.
Observables
121 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
- China-affiliated phishing cluster targeting journalists, civil society, diaspora activists, and the Taiwanese semiconductor industry through impersonation-based phishing, credential harvesting, OAuth token theft, and AiTM phishing infrastructure.
- Related phishing campaign focused on surveillance and repression of diaspora activists and journalists by stealing email credentials or third-party access tokens.
- Credential-harvesting and impersonation-focused phishing campaign targeting Uyghur, Tibetan, Taiwanese, and Hong Kong diaspora activists, as well as journalists including ICIJ personnel. The group appears focused on initial access to email accounts and may operate as part of China's contractor ecosystem supporting digital transnational repression.