A coalition of agencies from the U.K., Australia, Canada, Germany, New Zealand, and the United States published advisories identifying the mobile spyware families BadBazaar and Moonshine in dozens of legitimate-looking apps. The malware was disguised as Android prayer apps, messaging tools, PDF readers, and utility apps, and one iOS app, TibetOne, was also named. Officials said the spyware targeted civil society groups and people connected to issues viewed by the Chinese state as sensitive, including Uyghur, Tibetan, Taiwanese, Hong Kong democracy, and Falun Gong communities.
Technical analysis from the Australian Cyber Security Centre said Moonshine was distributed through trojanized apps, social media, messaging platforms, and in some cases official app stores, while BadBazaar included Android and iOS variants such as BadSolar and BadSignal. The spyware can collect files, chats, photos, location data, audio, and device information, giving operators broad surveillance access to cameras and microphones. Investigators also reported infrastructure overlaps tied to social-engineering assets, reused registration details, SSL certificate artifacts, and activity previously associated with TA413, APT5, APT14, and infrastructure linked to UPSEC.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
On 2025-04-09, the Australian Cyber Security Centre released technical analysis describing Moonshine and BadBazaar surveillance functions, including access to files, location, audio, photos, chats, cameras, microphones, and device information. The analysis also documented infrastructure overlaps and artifacts linking activity to clusters previously associated with UPSEC, TA413, and characteristics seen in earlier APT5 and APT14 investigations.
On 2025-04-09, government agencies from the U.K., Australia, Canada, Germany, New Zealand, and the United States published coordinated advisories on the BadBazaar and Moonshine mobile spyware families. The advisories said the spyware was embedded in legitimate-looking Android apps, and in at least one identified iOS app, to surveil people linked to issues viewed by the Chinese state as sensitive.
Before the government advisories, the BadBazaar and Moonshine spyware families had already been documented by security researchers including Lookout, Trend Micro, Volexity, and Citizen Lab. Their reporting established that the malware was distributed through trojanized mobile apps targeting Tibetan, Uyghur, Taiwanese, and related communities.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.