Evil Eye
Evil Eye is the name Volexity uses for a state-sponsored, China-nexus threat actor involved in surveillance and exploitation campaigns targeting Uyghur communities. Volexity identified Evil Eye as the most notable actor in its reporting on large-scale attacks against Uyghurs and assessed it was likely the same group behind iOS implant exploitation previously described by Google Project Zero. The actor was observed compromising Uyghur websites and using malicious iframes plus the open-source IRONSQUIRREL framework to deliver WebKit-based iOS exploit chains. In activity observed from January to March 2020, the exploit chain targeted iOS 12.3, 12.3.1, and 12.3.2 and installed an iOS implant Volexity calls INSOMNIA. The exploit flow used User-Agent filtering, staged JavaScript, and ultimately executed a Mach-O payload that wrote the implant to /tmp/updateserver and ran it as root with elevated entitlements. Volexity also reported that Evil Eye had previously been observed launching an exploit intended to install a malware implant on Android phones. The updated INSOMNIA implant used HTTPS for C2 with embedded-certificate validation, basic string obfuscation, and targeted data from applications including Signal, ProtonMail, and WeChat. Following public reporting in September 2019, Evil Eye activity temporarily decreased and included removal of malicious code from compromised websites and takedown of C2 infrastructure, before resuming in early 2020.
Targeting
Who they target
Sectors the actor has been observed targeting.
- Non-Governmental Organizations
Tradecraft
23 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
3 malware families attributed to this actor across reporting.
Observables
50 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
A named espionage campaign reported by Volexity targeting Uyghurs through compromised websites and Android malware. The reporting links it to POISON CARP through shared infrastructure and likely common or coordinated operators.
Targeting Uyghur Muslims in Xinjiang with iOS spyware implants for surveillance and intelligence gathering.