MOONSHINE

MOONSHINE is an Android spyware and exploit-and-malware kit first publicly reported by Citizen Lab in 2019 in campaigns targeting Tibetan groups. It has also been described in joint government advisories as spyware embedded in legitimate-looking Android applications and used against Uyghur, Tibetan, and Taiwanese communities, as well as related civil society organizations. Distribution has included trojanized apps, Telegram channels, WhatsApp-delivered links, and culturally tailored lures such as an Uyghur-language Audio Quran app. Malicious apps have impersonated messaging, prayer, PDF, and utility applications.

The malware has extensive surveillance capabilities. Reporting cited in the content states MOONSHINE can access microphones, cameras, messages/chats, photos, and location data, enabling real-time monitoring. Citizen Lab described the Android framework as delivering a modular implant called Scotch, which communicated with command-and-control over WebSocket on port 10011 and downloaded plugin packages including Bourbon.jar and IceCube.jar. These plugins enabled collection of SMS messages, contacts, call logs, GPS location, camera images, microphone audio, screenshots, notifications, file upload, and shell command execution. Additional reporting states MOONSHINE management interfaces exposed capabilities such as file exfiltration, live audio capture, and screen recording, and that victim devices passed a score value to C2 servers based on granted permissions.

In the 2018-2019 Tibetan targeting documented by Citizen Lab and TibCERT, MOONSHINE used multiple Android Chrome exploits mapped to browser versions, including exploits associated with CVE-2016-1646, CVE-2016-5198, CVE-2017-5030, CVE-2017-5070, CVE-2018-6065, CVE-2018-17463, CVE-2018-17480, and CVE-2019-5825. The exploit chain attempted to force malicious URLs to open inside the Facebook app’s built-in Chrome-based webview, downloaded a loader into Facebook or Facebook Messenger directories, and achieved persistence by overwriting shared library files in legitimate apps. Citizen Lab named the operator behind that campaign POISON CARP and assessed overlap with Uyghur-focused campaigns.

The content also links MOONSHINE to broader China-aligned surveillance activity. Joint advisories from the UK NCSC and partners from Australia, Canada, Germany, New Zealand, and the United States describe MOONSHINE alongside BadBazaar as part of an ongoing digital surveillance campaign aimed at groups perceived by the Chinese state as politically sensitive. Separate reporting cited in the content associates MOONSHINE or related tooling with Earth Minotaur and notes infrastructure overlap with UPSEC, identified by Intelligence Online as Sichuan Dianke Network Security Technology Co., Ltd. Some content also states that APT15 has been reported leveraging MOONSHINE app-based Android surveillance tooling. Trend Micro and Cisco Talos reporting referenced in the content further connect the MOONSHINE exploit kit with delivery of DarkNimbus/DarkNights, while noting MOONSHINE and DarkNimbus are distinct malware families despite code overlap.

High-confidence infrastructure and behavioral details mentioned in the content include MOONSHINE management panels using titles such as SCOTCH ADMIN or LOGIN; virtually hosted management interfaces; early API documentation containing Mandarin API names; exploit-kit URLs using port 5000 paths such as /web/info and /dev/loader; and C2 communications over WebSocket port 10011. The content also notes that MOONSHINE samples may request permissions that appear relevant to app functionality while using them to collect device data.