EarthEmpusa

Earth Empusa, also known as Evil Eye, is a China-linked cyber-espionage threat actor. Facebook reported disrupting the group for abusing its platform to distribute malicious links, deliver malware, and attempt account compromise across the internet. The operation primarily targeted activists, journalists, and dissidents, predominantly Uyghurs from Xinjiang living abroad, including targets in Turkey, Kazakhstan, the United States, Syria, Australia, and Canada. According to the provided content, the actor used fake Facebook accounts posing as journalists, students, human rights advocates, or Uyghur community members to socially engineer targets into clicking malicious links. It also conducted watering-hole activity through compromised legitimate websites and look-alike domains impersonating popular Uyghur and Turkish news sites. The group used selective targeting checks, including IP address, operating system, browser, country, and language settings, before delivering iOS malware. The actor distributed trojanized Uyghur-themed Android applications, including keyboard, prayer, and dictionary apps, through fake third-party app-store sites. Reported malware families associated with the activity include the Android malware ActionSpy and PluginPhantom, and the iOS malware INSOMNIA. Facebook stated that some of the Android tooling used in the operation was developed by Beijing Best United Technology Co., Ltd. and Dalian 9Rush Technology Co., Ltd. Industry reporting referenced in the content associates related activity with the names Earth Empusa, Evil Eye, and PoisonCarp; however, Facebook assessed that the disrupted activity aligns closely with Earth Empusa/Evil Eye and that PoisonCarp is likely a separate cluster despite some overlap in TTPs.