PluginPhantom
PluginPhantom is an Android malware family used in a China-linked cyber-espionage operation that Facebook attributed to Earth Empusa, also known as Evil Eye. Facebook reported that the actor targeted activists, journalists, and dissidents, predominantly Uyghurs from Xinjiang living abroad, in geographies including Turkey, Kazakhstan, the United States, Syria, Australia, and Canada. PluginPhantom was distributed via trojanized Uyghur-themed Android applications, including apps presented as a keyboard app, a prayer app, and a dictionary app, hosted on fake third-party Android app store websites. Facebook also noted specific connections between PluginPhantom and another Android malware family, ActionSpy, and described overlap with activity that broader reporting sometimes tracks as PoisonCarp, while assessing that the disrupted activity aligned most closely with Earth Empusa/Evil Eye.
High-confidence infrastructure and indicators mentioned for PluginPhantom include malware-hosting domains misran[.]org and apkprue[.]info, and MD5 hashes 10c1f38305792a0f925e8a2cf9482ce3, 3c0a20f0726032ad816e670971509b2d, 01fe88068e43c2276f7d8bbf54824f0f, fd8da30dd9e45bd31af79a9652d50ece, 10748ca7648d26316b4857b6139ca93d, a5199e6f1904f5a532a562fbb9d5abc6, and 670a389a93b82ccf198dd7789a865096. Facebook further reported that some of the Android tooling used in the operation was developed by Beijing Best United Technology Co., Ltd. and Dalian 9Rush Technology Co., Ltd. The provided content does not describe PluginPhantom’s internal technical capabilities beyond its use as Android malware embedded in trojanized apps.
Groups observed using it
2 distinct threat actors attributed by public researchers.
"...trojanized ... applications... with two Android malware strains — ActionSpy or PluginPhantom."
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique: “set up malicious websites that used look-alike domains for popular Uyghur and Turkish news sites.”
Initial Access
1 technique: “Social engineering: This group used fake accounts on Facebook to create fictitious personas posing as journalists, students, human rights advocates or members of the Uyghur community to build trust with people they targeted and trick them into clicking on malicious links.”
IOCs tracked for this family
11 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
2 sources tracked across advisories, community write-ups, and news.
Android-targeted malware family attributed in prior reporting to POISON CARP, referenced here for attribution context (links to Chinese development companies).
Android malware delivered through trojanized apps (e.g., keyboard/prayer/dictionary) hosted on attacker-controlled fake app stores; used for surveillance against targeted communities.