Digital Transnational Repression – The Citizen Lab
https://citizenlab.ca
University of Toronto. Feed last updated Thu, 20 Nov 2025 18:14:19 +0000 (en-CA)

Nov 26 | Women, Technology, and Peacemaking Webinar: 25 Years after UNSCR 1325
https://citizenlab.ca/2025/11/webinar-women-technology-and-peacemaking/
Tue, 11 Nov 2025 17:23:50 +0000

Hosted by the Citizen Lab
Date: November 26, 2025
Time: 9:30 am – 11:00 am ET / 3:30 pm – 5:00 pm CET
Location: Online (Zoom webinar)

This year marks the 25th anniversary of UN Security Council Resolution 1325, a milestone recognizing women’s essential roles in peacemaking, conflict prevention, and post-conflict recovery. Yet, as the world celebrates this legacy, new realities challenge its celebration.

Digital technologies, once seen as tools for empowerment, have become instruments of surveillance, disinformation, and harassment, used by patriarchal and authoritarian actors to silence women human rights defenders and peacebuilders. Digital threats such as the hacking of devices, the exposure of private information and online abuse expand the spectrum of violence against women, creating new forms of insecurity. Even in exile, women with ties to authoritarian countries face gender-based digital transnational repression (GDTR) that aims to intimidate and silence them across borders.

This webinar brings together Citizen Lab researchers with policy advisors, Women, Peace and Security (WPS) experts, and human rights defenders to reflect on 25 years of the WPS agenda in the age of digital repression. The discussion will explore how gender, technology, and authoritarianism intersect to shape women’s participation in peace and security, and how targets of gendered digital attacks and feminist movements are building resilience and reimagining women’s digital security for the next 25 years.

Join us for a timely conversation on how digital repression and surveillance are reshaping women’s participation in peacebuilding and the Women, Peace and Security agenda.




Meet the Speakers

KEYNOTE

Lara Scarpitta (she/her) is the OSCE senior Advisor on Gender Issues and Head of the Gender Issues Programme in the Office of the Secretary General; Senior Advisor and former Political Advisor on Peace, Mediation and Gender at the EU Delegation to the United Nations in Geneva.

MODERATOR

Urooj Mian, MSc., LL.M (she/her) is the CEO at Sustainable Human Empowerment (SHE) Associates, a boutique consulting firm headquartered in Canada with a mission to empower sustainable impact and enable transformative change in the areas of gender equality, peace and justice worldwide. She holds a Master in Law (LL.M) in International Crime and Justice from the United Nations Interregional Crime Research Institute (UNICRI) and University of Torino, a Master in Social Science (M.Sc) in Peace and Conflict Research from Uppsala University in Sweden, and a Bachelor of Public Affairs in Policy Management (B.PAPM) specializing in Human Rights and Law from Carleton University. She is respected internationally as a gender, peace and security expert and regularly works with human rights defenders. She combines experience as a life-long activist, a policy-maker, and the founding executive director of a national advocacy-focussed not-for-profit advancing the Women, Peace and Security agenda.

PANELLISTS

Noura Aljizawi (she/her) is a senior researcher at the Citizen Lab. Her research focuses on digital authoritarianism, disinformation, and digital transnational repression, informed by her background in human rights activism during the Syrian uprising. Aljizawi holds a Master’s degree in Global Affairs from the University of Toronto and has been recognized for her work in online safety and digital security.

Marcus Michaelsen (he/him) is a senior researcher at the Citizen Lab focusing on digital threats against exiles and diaspora communities. Previously, he was a senior post-doctoral researcher in the research group on Law, Science, Technology and Society at Vrije Universiteit Brussel. He has also held a senior information controls fellowship with the Open Technology Fund, and has worked as a lecturer and postdoc researcher in the Political Science Department of the University of Amsterdam. He holds a PhD in Media and Communication Studies from the University of Erfurt in Germany.

Siena Anstis (she/her) is a senior legal advisor at the Citizen Lab. Prior to joining Citizen Lab, she worked as a litigation associate at Morrison & Foerster in New York City and clerked for the Hon. Justice Cromwell at the Supreme Court of Canada and at the Court of Appeal for Ontario. Anstis holds a B.A. in Journalism and Anthropology from Concordia University, a Bachelor of Laws/Bachelor of Civil Law from McGill University, and a Master of Laws from the University of Cambridge.

Natalia Arno (she/her) is the president and founder of Free Russia Foundation. She is a prominent fighter for the advancement of democracy, human rights, and freedom. From 2004 to 2014, Ms. Arno worked for the International Republican Institute’s (IRI) Russia office. For her work in support of human rights and civil society in Russia, in 2012, Ms. Arno was given an ultimatum by Putin’s security services— to leave her homeland in 48 hours or face 20 years in prison on treason charges. Ms. Arno resolved to continue her fight and, in 2014, she created Free Russia Foundation (FRF) to serve as a platform for pro-democracy Russians. FRF provides support to civil societies of Russia and Belarus and has programs to assist Ukraine. FRF is a powerful global movement with centers in Washington, DC and Brussels; Kyiv, Ukraine; Berlin, Germany; Vilnius, Lithuania and Paris, France.

Sreshtha Das (they/them) is a queer disabled activist and works as a Gender Advisor/Researcher at Amnesty International. At Amnesty they developed the ‘Make It Safe Online for women, girls and LGBTI people’ project, which looks at technology-facilitated gender-based violence (TfGBV) through an intersectional and decolonial lens in different country contexts. Their work has largely been at the intersection of gender, sexuality, SRHR, militarisation and racial justice with various marginalised groups, using a structural and systemic analysis to holistically address social justice issues.

xeenarh Mohammed (she/her) is a global leader at the intersection of technology, human rights, and governance, with over a decade of experience advancing equity and accountability in digital spaces. She currently serves as Co-Lead of the Digital Defenders Partnership, where she oversees global strategy and operations supporting human rights defenders across Africa, Asia, Latin America, and Europe.

About UNSCR 1325

The United Nations Security Council (UNSC) adopted resolution (S/RES/1325) on women, peace and security on October 31, 2000. UNSCR 1325 calls for women’s meaningful participation in peace and security processes; however, 25 years later, the world faces new and complex realities that challenge the spirit of this resolution. Digital technologies have introduced new forms of communication and alternative public spaces. They have also become tools of surveillance, control, harassment, and violence in the hands of patriarchal, authoritarian, and militarized powers. 

The widespread use of mercenary spyware, targeted digital surveillance, online harassment, and disinformation campaigns has created an environment in which women journalists, human rights defenders, and peacemakers are systematically targeted. These technologies enable state and non-state actors to extend gender-based violence beyond physical spaces and into the digital sphere. Even when women are in exile, digital technology enables harmful actors to threaten and silence women from afar.

While the international community celebrates the progress made on the WPS agenda, women who engage in peacebuilding and human rights work still face multi-layered forms of violence that are simultaneously gendered, political, and technological. This webinar situates these realities within an intersectional feminist framework, recognizing that women from marginalized communities, including those defined by race, ethnicity, sexuality, class, religion, or migration status, experience compounded forms of exclusion and vulnerability. Understanding how these intersecting systems of power operate in digital environments is essential to advancing an inclusive and transformative WPS agenda for the next 25 years.

The Citizen Lab’s Submission on Transnational Repression in the UK
https://citizenlab.ca/2025/08/the-citizen-labs-submission-on-transnational-repression-in-the-uk/
Mon, 25 Aug 2025 16:17:16 +0000

Transnational repression is a serious threat to human rights.

Over the past decade, the Citizen Lab has published numerous reports examining transnational repression (TNR) across the globe, focusing specifically on its digital forms. 

In response to increasing accounts of foreign governments reaching across borders to harass and silence people in the United Kingdom, the UK’s Joint Committee on Human Rights launched an inquiry into transnational repression.

The Citizen Lab submitted written evidence to the inquiry that draws over ten years of research documenting and examining the methods, impacts, and geo-political landscape of TNR. 

Our submission describes TNR’s impact on victims, identifies the biggest perpetrators of TNR in the UK, urges the British government to adopt a legal definition of TNR, and provides policy suggestions to better protect overseas dissidents from TNR.

Read the report from the UK Joint Committee on Human Rights.

Targeted Across Borders: Digital Transnational Repression, Gender Dimensions, and the Role of Host States
https://citizenlab.ca/2025/07/targeted-across-borders-digital-transnational-repression-gender-dimensions-and-the-role-of-host-states/
Tue, 29 Jul 2025 19:23:46 +0000

In a new article published in the Georgetown Journal of International Affairs, the Citizen Lab’s Noura Aljizawi, Siena Anstis, and Gözde Böcü investigate the practice of transnational repression in its physical and digital forms. They examine its impacts on dissidents abroad, focusing especially on women and queer individuals, and argue that host states bear the responsibility to protect individuals against transnational repression.

Read more in the Georgetown Journal of International Affairs.

Marcus Michaelsen on the Impacts of Transnational Repression: Interview by Stockholm Center for Freedom
https://citizenlab.ca/2025/07/marcus-michaelsen-on-the-impacts-of-transnational-repression-interview-by-stockholm-center-for-freedom/
Fri, 25 Jul 2025 19:48:35 +0000

What’s stopping diaspora members from speaking up against the government in their home country? In an interview with the Stockholm Center for Freedom (SCF), Citizen Lab senior researcher Marcus Michaelsen discusses digital transnational repression (DTR) and its impacts on diasporas worldwide.

Read the interview.

The G7 Condemned Transnational Repression, But Will Canada Meet Its Own Commitments?
https://citizenlab.ca/2025/07/the-g7-condemned-transnational-repression-but-will-canada-meet-its-own-commitments/
Fri, 04 Jul 2025 17:42:52 +0000

“Transnational repression is a phenomenon that is only growing in scope, scale and sophistication worldwide,” writes Ron Deibert in his new op-ed for the Globe and Mail.

In the piece, Deibert focuses on the Leaders’ Statement on countering transnational repression that was put forward after the G7 summit last month in Alberta. 

Transnational repression occurs when authoritarian governments reach across borders to silence and harass political dissidents. Citizen Lab researchers have been investigating and writing about transnational repression and the abuse of spyware for more than a decade.

“As the host of the G7, Canada should be applauded for helping organize this joint statement. But it’s also important to be frank in acknowledging just how far Canada has to go to meet its own commitments – or, to put it less mildly, how much its own practices are currently at odds with those commitments,” says Deibert.

Read the op-ed here.

Weaponized Words: Uyghur Language Software Hijacked to Deliver Malware
https://citizenlab.ca/2025/04/uyghur-language-software-hijacked-to-deliver-malware/
Mon, 28 Apr 2025 04:01:38 +0000

Key Findings
  • In March 2025, senior members of the World Uyghur Congress (WUC) living in exile were targeted with a spearphishing campaign aimed at delivering Windows-based malware capable of conducting remote surveillance against its targets. 
  • The malware was delivered through a trojanized version of a legitimate open source word processing and spell check tool developed to support the use of the Uyghur language. The tool was originally built by a developer known and trusted by the targeted community.
  • Although the malware itself was not particularly advanced, the delivery of the malware was extremely well customized to reach the target population and technical artifacts show that activity related to this campaign began in at least May of 2024.  
  • The ruse employed by the attackers replicates a typical pattern: threat actors likely aligned with the Chinese government have repeatedly instrumentalized software and websites that aim to support marginalized and repressed cultures to digitally target these same communities.
  • This campaign shows the ongoing threats of digital transnational repression facing the Uyghur diaspora. Digital transnational repression arises when governments use digital technologies to surveil, intimidate, and silence exiled and diaspora communities.  

Introduction

In mid-March 2025, members of the World Uyghur Congress (WUC) living in exile received Google notifications warning that their accounts had been the subject of government-backed attacks. As frequent targets of hacking attempts by Chinese state and state-affiliated actors, they immediately reached out to reporters from Paper Trail Media, who are part of the “China Targets” project led by the International Consortium of Investigative Journalists investigating transnational repression, as well as researchers at the Citizen Lab. 

Through our investigation of the Google notifications, we identified a spearphishing email that was delivered to several senior members of WUC. The email messages impersonated a trusted contact at a partner organization and contained Google Drive links that, if clicked, would download a password-protected RAR archive. The archive contained a trojanized version of a legitimate open source Uyghur language text editor. Once executed, the malware profiles the system, sends information to a remote server, and has the potential to load additional malicious plugins.

The digital targeting of Uyghurs living in exile described in this report is not an isolated incident but is part of a broader practice used by authoritarian states called digital transnational repression. Digital transnational repression arises when governments use digital technologies to surveil, intimidate, and silence exiled and diaspora communities. China is particularly renowned for engaging in this practice, as well as undertaking other acts of transnational repression such as the forced return of Uyghurs from overseas and physical harassment and assault against human rights defenders and dissidents living in exile or in the diaspora.

Background: Digital Transnational Repression Against the Uyghur Diaspora

The Uyghur diaspora, alongside Tibetans and, more recently, exiles from Hong Kong, is one of China’s primary targets for transnational repression. In their homeland, the Xinjiang region in northwestern China (which most Uyghurs prefer to call by its historical name East Turkestan), Uyghurs and other Turkic minorities are forced to live under a high-tech police state, built on a sweeping system of mass surveillance, mobility controls, and internment camps, as well as a comprehensive control over their cultural and religious life. Chinese authorities follow individuals even outside China, targeting Uyghurs living in exile or in the diaspora with tactics ranging from physical attacks and extradition requests to digital threats and surveillance. China’s extensive campaign of transnational repression targets Uyghurs both on the basis of their ethnic identity and activities. Diaspora members who engage in human rights advocacy and raise international awareness on China’s suppression of their culture and community draw particular attention from Chinese authorities. 

The monitoring of “movements, thoughts, daily activities, and associations of all Uyghurs who travel abroad and their families” features as a key priority in leaked documents outlining China’s security policies with regard to Xinjiang. The goal of the surveillance of Uyghurs in the diaspora is to control their ties to the homeland and the cross-border flow of information on the human rights situation in the region, as well as any influence on global public opinion about the Chinese state’s policies in Xinjiang. In interviews conducted by the Citizen Lab as part of its research on digital transnational repression, Uyghur human rights advocates in exile told us how they were followed and harassed by individuals, likely affiliated with the Chinese government, whenever they prepared to give testimony at events around the United Nations (UN) Human Rights Office in Geneva and other public fora on the mass detentions, forced birth control, restrictions on religious and cultural activities, and other severe rights violations happening in their homeland.

In parallel, local authorities in Xinjiang use pressure on families to instill fear in the diaspora and control their behaviour. In a practice known as ‘coercion-by-proxy’, family members living in the Uyghur region are forced to urge – through video calls and messages – their relatives abroad to abstain from advocacy against the Chinese government, often with local police agents present on the call. By using relatives as leverage, authorities also seek to extract information from diaspora members, including personal data and details on their or others’ activities. This information feeds into the large data and surveillance systems of the Chinese state which “digitally enclose” Uyghurs both in their homeland and, increasingly, abroad.

In addition, as we have detailed in another report, China relies on tactics of gender-based digital transnational repression to threaten and silence women human rights defenders in the Uyghur diaspora. Officials of China’s foreign ministry and Xinjiang’s regional authorities have portrayed women who testified about their experiences in the detention centers in Xinjiang as criminal and immoral. Sexual insults, abuse, and smear campaigns seek to intimidate and shame women activists and journalists, taint their reputation, and distance them from their communities. The impacts of these tactics on the mental health and wellbeing of targeted individuals are severe. 

The use of malware and other targeted threats that aim to intercept and disrupt the digital communications of Uyghurs (as well as Tibetans and other exiles) has figured prominently in China’s toolkit of digital transnational repression for almost two decades. These attacks became more sophisticated and aggressive beginning in the mid-2010s as repression in Xinjiang intensified. In 2019, separate investigations by the Citizen Lab, the security firm Volexity, and Google Project Zero discovered an advanced Chinese hacking campaign targeting the iPhones and Android phones of Uyghurs and Tibetans around the world. The campaign included the first documented cases of exploits and spyware for iOS being used against these communities. It aimed to infiltrate smartphones and gather personal data of diaspora members on a large scale—in fact extending the extensive surveillance of Uyghurs and Tibetans in China. 

A recurring pattern of these and related attacks is the use of online content and software appealing to the interests of the targeted ethnic minorities. For example, an investigation by Lookout found four Android surveillanceware tools that relied on trojanized versions of legitimate applications for Uyghur users, such as apps for news, religious and cultural content or specialized Uyghur language keyboards. Once downloaded these apps provided the expected content and functions, while simultaneously performing malicious activities and giving attackers access to the phone’s data and activity. The U.K. National Cyber Security Centre recently warned Uyghur, Tibetan, and Taiwanese communities that malware hidden inside legitimate apps was being used to target individuals living in exile or in the diaspora. As we also show in this report, threat actors aligned with the interests of the Chinese government continue to co-opt software and applications that aim to assist people whose cultures are being repressed by the Chinese state to attack these very communities.

The World Uyghur Congress: A Key Target

The World Uyghur Congress (WUC) is an international non-governmental organization with the aim to advance the human rights of Uyghurs in both Xinjiang and the diaspora. As an umbrella organization for more than 30 Uyghur diaspora groups distributed across 18 countries, it is the largest representative body of Uyghurs around the world. Formed in 2004, the WUC is headquartered in Munich, Germany, which hosts a large Uyghur community in Europe. 

Engaging in awareness raising and advocacy, WUC representatives regularly meet with policy makers in Europe and the U.S., give statements to UN human rights agencies, and appear in the media. The WUC has successfully garnered support for the Uyghur cause in the European Parliament and U.S. Congress, which have both publicly condemned China’s policies in Xinjiang and sanctioned selected Chinese government officials for their involvement in serious human rights abuses against Uyghurs. 

Given the WUC’s active role in putting a spotlight on China’s oppression of ethnic minorities in Xinjiang, the organization and its individual members are particularly exposed to reprisals from the Chinese state. Beijing has designated the WUC as a terrorist and separatist organization and actively seeks to undermine its activities through espionage, threats, and other tactics of transnational repression.

For example, in April 2025, Swedish authorities detained a Uyghur man, who had served as a WUC spokesperson, on suspicion of spying on exiled members of the Uyghur community on behalf of the Chinese intelligence services. Ahead of the WUC’s last General Assembly in Sarajevo, Bosnia-Herzegovina, in October 2024, the organization dealt with threats of physical violence against event participants and the Chinese embassy in Sarajevo threatened to have delegates arrested, referring to the extradition treaty between China and Bosnia. In an apparent attempt to derail the event, fake emails pretending to come from senior WUC members informed participants that the Assembly was postponed. 

For more than a decade, the WUC has been subjected to regular digital attacks and online harassment. Distributed Denial of Service (DDoS) attacks have sought to disrupt communications through the organization’s website ahead of important events and publications. Staff members also mentioned attacks against the WUC Facebook page and its Uyghur language YouTube channel. In interviews, they told the Citizen Lab that they were regularly receiving phishing messages, often sent using sophisticated social engineering tailored to their specific profile and interests. These phishing attempts tried to infect their devices and steal data. Interviews with WUC staff also revealed that pressure from a large workload compounded by the mental impact of threats against themselves and family members in Xinjiang increased their level of vulnerability to digital threats. 

A Targeted Phishing Campaign

Government-backed Attack Alerts: Searching for a Culprit

Technology platforms, such as Google, track actors who abuse their platforms. When they identify targeted malicious emails sent by state-sponsored attackers, they may opt to send security alerts to warn the targeted users. Notifications such as Google’s government-backed attack alerts are instrumental in alerting civil society to targeted digital threats so that they can both investigate and strengthen their security posture. The WUC first received alerts from Google on March 5, 2025, that prompted them to reach out to the Citizen Lab. It is important to note that many alerts are not sent in real-time, and do not mention the event that triggered them, so as to avoid tipping off attackers.

Figure 1. Google Security Alerts

After receiving the alerts, WUC staff worked with researchers from the Citizen Lab to identify what may have triggered the alerts. During the course of the investigation, several members of the WUC received a suspicious email from someone claiming to be an individual from a partner organization. Gmail diverted the message to its spam folder, but WUC members nevertheless noticed it because of their increased vigilance following Google’s earlier alerts.

The email impersonated a partner organization and asked the WUC to download and test Uyghur-language software. The message read:

Figure 2. Phishing email impersonating a partner organization.

The email contained a Google Drive link to a password-protected RAR archive containing a trojanized version of a legitimate open source Uyghur Text Editor called UyghurEditPP. 

Figure 3. Legitimate UyghurEdit++ Application from Github.

Although the spearphishing email described “an anonymous software developer”, the legitimate UyghurEditPP application was created by a developer known to members of WUC and who has collaborated with them on past projects. Other open source projects by the same developer include Uyghur OCR and speech recognition software. 

The trojanized UyghurEditPP application contained a backdoor that would allow the operator to gather information about the device, upload information to a command and control server, and download additional files, including other malware.

Backdoor Capabilities

Note: While this section provides a brief overview of the backdoor’s capabilities, more detailed information is available in the Appendix.

The backdoor used in this campaign is designed to profile a target’s Windows system and then give an operator the ability to run additional commands through custom plugins. A plugin-based design allows the operator to keep their toolkit private until they are confident the tools can be used undetected. Unfortunately, we were unable to identify or obtain any plugins during our analysis.

Specifically, the backdoor collects the following information from a target’s device:

  • Machine name
  • Username
  • IP address
  • Operating system version
  • The MD5 hash of the machine name, user name, and hard disk serial number

The malware sends this information back to its command and control server, along with a hardcoded value to identify the specific campaign. In response to this information, the malware’s operator can send a response from the server, likely after verifying the infected system legitimately belongs to a target of interest. Specifically, the operator’s response can include commands to do the following:

  • Download files from the target device
  • Upload additional files to the target device
  • Run commands against plugins uploaded to the target device

Command and Control (C2) Infrastructure

The backdoor was hardcoded to contact the primary domain tengri[.]ooguy[.]com, with a fallback domain of anar[.]gleeze[.]com in case the initial domain was unreachable. Both Tengri and Anar are words with significance in several Central Asian languages, including Uyghur and other Turkic languages. Tengri in particular has cultural and historical significance, and is the word for “Sky” or “Sky God”. The term is used in names, cultural references, and company/brand names throughout Central Asia. Anar is the verb form of the word “to commemorate” or “to remember”. The use of culturally familiar words further highlights the targeted nature of this campaign.

We used passive DNS lookups in DomainTools and found that the domains listed above (tengri[.]ooguy[.]com and anar[.]gleeze[.]com) resolved to the following IP addresses during the specified timeframes:

Domain                 IP               Dates of Resolution
anar[.]gleeze[.]com    139.180.130.141  2025-03-02 to 2025-04-11
tengri[.]ooguy[.]com   149.28.146.29    2025-03-23 to 2025-03-24

Table 1. Command and control servers.

According to Censys, a self-signed, untrusted certificate for “Microsoft.COM”, served over TLSv1, was observed on both of these IP addresses. The certificate had the following SHA-256 hash:

d6874907d0e558cba614313c60b84c912b10ca3c539661a3885daaadb1cb2b2b
Figure 4. Certificate information from Censys.

The certificate impersonates Microsoft and carries a negative serial number, among numerous other oddities. The combination of a deprecated TLS version, a weak cryptographic key, and a serial number that violates modern standards such as RFC 5280 (which requires a positive integer) all indicate that this certificate was never meant for legitimate use.
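As an added example (not Citizen Lab code), the following Python checks a certificate observation for the oddities listed above, including decoding a DER serial number with two's-complement semantics, which is how a serial comes to read as negative. The certificate fields and serial bytes are constructed for illustration; beyond its hash, the real certificate's values are not given here.

```python
"""Flag the certificate oddities described above on constructed sample data.

Added example, not Citizen Lab tooling. The CertObservation fields are a
hypothetical record shape; the sample values mimic the reported indicators
(self-signed "Microsoft.COM", TLSv1, weak key, negative serial) and are not
the real certificate's values.
"""
from dataclasses import dataclass


def der_integer_value(content: bytes) -> int:
    """Decode the content octets of a DER INTEGER.

    DER INTEGERs are big-endian two's complement, so a serial whose first
    content byte has its high bit set (with no 0x00 pad in front) decodes as
    negative. RFC 5280 section 4.1.2.2 requires serials to be positive and at
    most 20 octets; tooling that ignores the sign shows a large positive
    number instead and silently hides the defect.
    """
    if not content:
        raise ValueError("empty INTEGER content")
    return int.from_bytes(content, "big", signed=True)


def serial_number_issues(serial_content: bytes) -> list[str]:
    """RFC 5280 checks on the raw serial number encoding."""
    issues = []
    value = der_integer_value(serial_content)
    if value <= 0:
        issues.append(f"serial number is not positive ({value})")
    if len(serial_content) > 20:
        issues.append(f"serial number exceeds 20 octets ({len(serial_content)})")
    # A leading 0x00 is only permitted when needed to keep the value positive.
    if len(serial_content) > 1 and serial_content[0] == 0 and serial_content[1] < 0x80:
        issues.append("serial number is not minimally encoded")
    return issues


@dataclass
class CertObservation:
    """Constructed record of a certificate seen on a host (hypothetical fields)."""
    subject_cn: str
    issuer_cn: str
    serial_der: bytes          # content octets of the serialNumber INTEGER
    tls_version: str           # protocol version the host negotiated
    key_type: str
    key_bits: int
    chains_to_trusted_root: bool


def certificate_oddities(obs: CertObservation) -> list[str]:
    """Return human-readable findings for the indicators the report describes."""
    findings = serial_number_issues(obs.serial_der)
    if obs.subject_cn == obs.issuer_cn:
        findings.append("self-signed (subject equals issuer)")
    if obs.tls_version in ("SSLv3", "TLSv1", "TLSv1.1"):
        findings.append(f"deprecated protocol version {obs.tls_version}")
    if obs.key_type == "RSA" and obs.key_bits < 2048:
        findings.append(f"weak RSA key ({obs.key_bits} bits)")
    well_known = {"microsoft.com", "google.com", "apple.com"}  # illustrative list
    if obs.subject_cn.lower().rstrip(".") in well_known and not obs.chains_to_trusted_root:
        findings.append(f"subject impersonates {obs.subject_cn} without a trusted chain")
    return findings


def likely_malicious(obs: CertObservation, threshold: int = 3) -> bool:
    """Triage rule: several independent oddities at once is the signal, not any one."""
    return len(certificate_oddities(obs)) >= threshold


# Constructed sample mirroring the reported indicators (values are invented).
SUSPICIOUS_SAMPLE = CertObservation(
    subject_cn="Microsoft.COM",
    issuer_cn="Microsoft.COM",
    serial_der=bytes.fromhex("9f3c2a11"),  # high bit set: negative in DER
    tls_version="TLSv1",
    key_type="RSA",
    key_bits=1024,
    chains_to_trusted_root=False,
)

# Constructed benign comparison: same digits, padded with 0x00 so it stays positive.
BENIGN_SAMPLE = CertObservation(
    subject_cn="example.org",
    issuer_cn="Example CA",
    serial_der=bytes.fromhex("009f3c2a11"),
    tls_version="TLSv1.3",
    key_type="RSA",
    key_bits=2048,
    chains_to_trusted_root=True,
)

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, likely_malicious(sample), certificate_oddities(sample))
```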

The certificate was valid as of June 4, 2024, and, according to Censys’ Certificate dataset, was seen on four IP addresses which all belong to the same autonomous system. This shows the attackers moved infrastructure for the campaign several times since it started in June 2024, with the most recent sighting on April 11, 2025, at the IP linked to anar[.]gleeze[.]com, the backdoor’s backup command-and-control server.

IP                 Dates                     ASN
95.179.132[.]219   2024-06-11 to 2025-02-26  AS20473
45.32.174[.]44     2024-06-20                AS20473
149.28.146[.]29    2024-12-30 to 2025-01-12  AS20473
139.180.130[.]141  2024-12-30 to 2025-04-11  AS20473

Table 2. IP addresses where the certificate was observed.


Three domains resolve to the 95.179.132[.]219 IP address, although there is currently no active content hosted there. These domains appear to be spoofing the legitimate developer of the UyghurEditPP application, who goes by the name “gheyret”.

Domain          Registration Date  Registrar
gheyret[.]com   2024-06-05         Tucows
gheyret[.]net   2024-06-05         Tucows
uheyret[.]com   2024-05-30         Tucows

Table 3. Domains impersonating a legitimate developer.


Figure 5. The developer’s profile from GitHub.

A Change of Plans or Multiple Campaigns?

It appears that there were two distinct clusters of command and control infrastructure related to this campaign. The first cluster was the adversary-registered domains of gheyret[.]com, gheyret[.]net, and uheyret[.]com which impersonated the developer of the tool. Traffic to a domain linked to the tool’s developer might appear harmless, making it less likely to raise suspicion even for users who are security-aware. This choice in domain naming also indicates that UyghurEditPP – or another of the tools by the same developer – had already been selected by the attacker as early as May 2024 when the first domain was registered.

Figure 6. Diagram demonstrating the two distinct clusters of C2 infrastructure used in this campaign.

The spearphishing attacks targeting the WUC did not use these domains, however; by the time the WUC was targeted, the attackers had switched to a second cluster of subdomains registered through Dynu Services, Inc. These domains still contained Uyghur words but did not reference the UyghurEditPP tool or its developer directly.

Despite the change in the names, both sets of domains used the same Microsoft.COM certificate and both used IPs that belong to AS20473, an Autonomous System (AS) managed by Choopa LLC and frequently abused by threat actors.

One lingering question is whether the shift represents a staged and later abandoned initial approach. Alternatively, it could indicate two separate campaigns targeting different groups within the Uyghur community. The first using the gheyret domains from June to February, and the second using the subdomains registered with Dynu Services, likely between December and March, targeting the WUC.

Related Samples

We identified an additional instance of the trojanized UyghurEditPP software and corresponding backdoor on VirusTotal. This sample also used Dynu Systems-registered domains as the C2, and had the same fallback C2 as the sample sent to WUC.

File                  sha256
UyghurEditPP.exe      a9e76af3f3b04b9dd65e2e4dec8d5b00f8f67b420809da8b742651cc86e4270f
GheyretDetector.exe   94a87dadeaac24bbc26c85d032b86a45cfd131516666e8e5d888f78986d1e993

Table 3. Related samples found on VirusTotal.

Both files were uploaded in March of 2025. The backdoor is nearly identical to the one we obtained from this campaign, but as noted above, there were some differences. The differences are described below:

Characteristic      Campaign Sample             VT Sample
Compile timestamp   Sun Nov 29 22:30:12 2093    Tue Aug 17 16:23:09 2077
Initial C2 domain   tengri[.]ooguy[.]com        wanar[.]gleeze[.]com
Backup C2 domain    anar[.]gleeze[.]com         anar[.]gleeze[.]com
Campaign code       UyghurEditPP250310          UyghurEditPP241210

Table 4. Comparison of characteristics of the backdoor from the WUC campaign and the sample found on VirusTotal.

The domain wanar[.]gleeze[.]com had no passive DNS records in any of the tools we have access to, which could indicate either that the domain was only resolved from a region outside the visibility of common cybersecurity tools, or that it was never visited.

While this specific backdoor is not one that we have seen used before by any threat actor, the tactics and targeting of the campaign align closely with activities of the Chinese government. Some of the specific overlaps in tactics, techniques, and tradecraft that we observed in this campaign are outlined below:

Tactic: Targeting the Uyghur community
Past activity: China is known for using network intrusion and spyware to target members of the Uyghur community. Leaks from the commercial spyware company I-Soon in February 2024 tied the infrastructure seen in previous Citizen Lab research on the targeting of Tibetan and Uyghur communities to commercial firms hired by the Chinese government.

Tactic: Targeting keyboard and language tools
Past activity: Chinese government-sponsored hackers frequently use language translation and similar tools to target the user bases of those tools. Recent examples include the targeting of Tibetan language software in September 2023 and the use of malicious keyboard, dictionary, and religious apps reported by the NCSC and several international and industry partners in March 2025.

Tactic: Infrastructure similarities (Dynu Systems and Choopa LLC)
Past activity: Chinese hackers have been known to use Dynu Systems to register domains, including under the ooguy[.]com domain. They also frequently use AS20473 (Choopa LLC) to host C2 servers.

Tactic: Tool customization
Past activity: While certain toolsets are used repeatedly by Chinese threat actors, many groups have also been known to customize tools to fit the needs of their campaigns.

Table 5. Tactics and tradecraft aligned with activities of the Chinese government.

Protecting the Digital Resources of Repressed Cultures

Software programs, such as the one weaponized in this attack, are important to the Uyghur community as many common word processing platforms do not provide standardized support for the Uyghur language. As the Chinese government restricts the use of Uyghur in the Xinjiang region for education, religion and other areas, software tools and online applications are essential to the preservation of language and culture. 

According to a WUC member, only a few people in the diaspora have both the technical know-how and the motivation to develop such software. Trojanizing their projects by implanting malware causes harm beyond the immediate phishing attempt because it sows fear and uncertainty about the very tools that aim to support and preserve the community.

More generally, our research has shown that digital transnational repression has a variety of serious, negative effects on targeted individuals and communities. This includes self-censorship and the silencing of transnational advocacy networks, as well as causing psychological harm. Targets have reported experiencing feelings of insecurity, guilt, fear, uncertainty, mental and emotional distress, and burnout from these attacks.

How to Spot Suspicious Software 

As attackers leverage digital tools, platforms, and resources that are used to connect and support at-risk communities and cultures, we recommend the following steps to help ensure apps and tools are legitimate:

Download from an official source: Be wary of links sent in emails or shared on social media that point to file-sharing sites or unfamiliar domains. Many open source tools are hosted on GitHub or on a developer’s official website. To confirm a site is official, look for links shared on the project’s verified GitHub page or in its official user documentation.

Look for code signing certificates or “Verified Publisher”: When running software, look for a message saying it comes from a “verified publisher” (Windows) or that it is “notarized” (macOS). You can also check whether the developer signed the file with a code signing certificate: a valid signature identifies who signed the file and shows it has not been altered since signing. A signature does not by itself prove the software is safe, but if you see a warning that the publisher is “unknown,” think twice before installing, as it could be a red flag.

Watch out for typosquatting or domain impersonation: As seen in this campaign, attackers may try to impersonate a trusted developer. In the past, we have also seen impersonation of other organizations’ websites, or even cultural events. When visiting sites, especially to log in or download resources, make sure that the domain matches what you expect. You can verify this by checking the official website linked from a developer’s verified social media, documentation, or other reputable sources. Be cautious of unfamiliar spellings, extra characters, or unexpected domain extensions (like .net instead of .com), and watch for browser certificate errors that may indicate that the site is unsafe or that your traffic is being intercepted.
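The domain check in the last point can be automated. The following is an added example (not code from the Citizen Lab report) that scores a domain's registrable label against names an attacker might imitate, using edit distance with one adjacent transposition allowed. The developer handle "gheyret" comes from the report; the allowlisted domain github.com is an assumption standing in for whatever official site the project's documentation actually links to.

```python
"""Lookalike-domain triage for the impersonation advice above (added example)."""
from __future__ import annotations

TRUSTED_LABELS = {"gheyret"}        # developer handle from the report
TRUSTED_DOMAINS = {"github.com"}    # ASSUMPTION: official hosts linked from project docs
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}   # glance-alike substitutions


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, swap adjacent."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def normalise(label: str) -> str:
    """Lower-case and fold common confusable characters before comparing."""
    label = label.lower()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def registrable_label(domain: str) -> str:
    """'uheyret' for 'www.uheyret.com'; defanged '[.]' is accepted.
    ASSUMPTION: two-label public suffixes such as co.uk are not handled."""
    parts = domain.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def check_domain(domain: str, max_distance: int = 2) -> dict:
    """Classify as 'trusted', 'impersonation', 'lookalike' or 'unrelated'."""
    clean = domain.lower().replace("[.]", ".")
    if clean in TRUSTED_DOMAINS or any(clean.endswith("." + t) for t in TRUSTED_DOMAINS):
        return {"domain": domain, "verdict": "trusted", "distance": 0, "closest": None}
    label = normalise(registrable_label(clean))
    closest = min(TRUSTED_LABELS, key=lambda t: damerau_levenshtein(label, t))
    dist = damerau_levenshtein(label, closest)
    if dist == 0:
        verdict = "impersonation"        # the trusted name under a domain we do not trust
    elif dist <= max_distance:
        verdict = "lookalike"            # one or two edits away: uheyret vs gheyret
    else:
        verdict = "unrelated"
    return {"domain": domain, "verdict": verdict, "distance": dist, "closest": closest}


def triage(domains: list[str]) -> list[dict]:
    return [check_domain(d) for d in domains]


if __name__ == "__main__":
    for row in triage(["gheyret[.]com", "uheyret[.]com", "tengri[.]ooguy[.]com", "github.com"]):
        print(f"{row['domain']:<22} {row['verdict']:<14} distance={row['distance']}")
```

Note that an exact match of the trusted name under an unlisted domain (gheyret[.]com) is reported as impersonation, not as safe: the check trusts domains from the allowlist, never the name alone.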

Final Thoughts

The phishing attack investigated in this report was not notable for its technical sophistication and did not involve zero-day exploits or mercenary spyware. Yet, the delivery of the malware showed a high level of social engineering, revealing the attackers’ deep understanding of the target community. The attack demonstrates the ability of state and state-affiliated actors to reach across borders and target an ethnic minority repressed both at home and abroad, even when using less technically advanced tools.

This incident also showed that both platforms and individuals are getting better at spotting signs of attacks and protecting against them. Attackers have to spend more time and effort in order to be successful. Unfortunately, this can result in an increasing frequency of attacks, in an attempt to catch individuals when they are off guard and vulnerable. The need to be constantly alert to the next threat is a daunting task for targeted communities. 

Digital transnational repression is a practice that continues to threaten and undermine human rights defenders, dissidents, journalists, and members of civil society living in exile or in the diaspora. This report demonstrates yet another instance of Uyghurs in exile being targeted through digital means. While we are not conclusively attributing the attacks in this report, it is widely documented that Chinese authorities and threat actors aligned with the interests of the Chinese government engage in acts of digital transnational repression to silence communities abroad. 

Governments in countries where targeted exiles and diasporas reside are under an obligation to protect individuals within their territory – such as Uyghurs living in exile – against digital transnational repression or other acts of transnational repression. As we have recommended elsewhere, steps taken by host states should include the sharing of information with targeted communities regarding the risks they face as well as providing assistance and support to mitigate the risks and impacts of transnational repression. Further, the private sector plays a pivotal role in preventing acts of digital transnational repression. The growing industry practice led by companies like Google and Apple of issuing notifications when individuals are targeted by state actors is one that needs to be standardized and replicated across all companies that provide digital services to vulnerable communities.    

Indicators of Compromise

Indicators of compromise are available on GitHub in multiple formats.

Acknowledgements

Our gratitude goes to the WUC staff members for consenting to share materials and discuss their personal experiences with us. Without their participation, this investigation would have been impossible. We would also like to thank Matt Fowler, Cooper Quintin, Emile Dirks, Bill Marczak, and John Scott-Railton for their careful peer review of this report, as well as Adam Senft for organizational support and Alyson Bruce for meticulous editing, graphical assistance, and communications support. 

Research for this project was supervised by Ronald J. Deibert.

Technical Appendix

This appendix provides a detailed technical analysis of the trojan and the backdoor.

Trojan

The trojanized application is a Windows Forms application written in C#. In Windows Forms applications, an ordered series of events is raised when the application starts, one of which is the Load event for the main form. We examined the handler for that event and found the code responsible for installing the backdoor:

Figure 7. Main code flow to launch the malware backdoor.

Specifically:

  1. The MainFormLoad method checks for the existence of a file named GheyretDetector.exe, the file name of the backdoor.
  2. If the file does not already exist on disk, the releaseFile method writes the executable contained in the assembly’s Resources to disk. 
  3. Once the backdoor is on-disk, the AddUpdater method creates a scheduled task to launch it.


Figure 8. Specific methods to write the malware backdoor to disk and launch the scheduled task.


We dumped the resource using the dotnetfile library released by Palo Alto’s Unit 42. The result is another .NET assembly represented by the following sha256:

70af9a31d4470502a39d71ca566d604317a5ecbf9181a64379c9ee761e2f95ab
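Dumping the resource with dotnetfile is the clean way to do this; the following added example (not the report's tooling) shows the library-free cross-check an analyst can run on the raw assembly, a memory dump or a resource blob: locate MZ/PE headers, size each image from its section table, and hash the carved bytes. Because the nested backdoor lives inside the trojan's own sections, the scan deliberately keeps looking inside an image it has already carved. The sample blob is constructed inline by build_fake_image(), so the hashes it produces are those of a fake image, not of the real GheyretDetector.exe.

```python
"""Carve embedded PE images from a blob and hash them (added example)."""
from __future__ import annotations

import hashlib
import struct


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _pe_length(blob: bytes, start: int) -> int | None:
    """On-disk size of the PE image at `start`, or None if its headers do not parse."""
    if blob[start:start + 2] != b"MZ" or len(blob) < start + 0x40:
        return None
    e_lfanew = struct.unpack_from("<I", blob, start + 0x3C)[0]
    pe = start + e_lfanew
    if pe + 24 > len(blob) or blob[pe:pe + 4] != b"PE\x00\x00":
        return None
    # COFF header: Machine(2) NumberOfSections(2) TimeDateStamp(4) PointerToSymbolTable(4)
    #              NumberOfSymbols(4) SizeOfOptionalHeader(2) Characteristics(2)
    n_sections = struct.unpack_from("<H", blob, pe + 6)[0]
    size_opt = struct.unpack_from("<H", blob, pe + 20)[0]
    sect = pe + 24 + size_opt                  # first section header
    end = sect + 40 * n_sections               # headers alone, if no section has raw data
    for i in range(n_sections):
        off = sect + 40 * i
        if off + 40 > len(blob):
            return None
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)   # SizeOfRawData, PointerToRawData
        end = max(end, start + raw_ptr + raw_size)
    return None if end > len(blob) else end - start   # reject truncated images


def carve_pe(blob: bytes) -> list[dict]:
    """Every parseable PE in `blob`, including images nested inside another image's
    sections (a .NET resource holding a second executable is exactly that case)."""
    found, pos = [], 0
    while (pos := blob.find(b"MZ", pos)) != -1:
        length = _pe_length(blob, pos)
        if length:
            found.append({"offset": pos, "length": length,
                          "sha256": sha256_hex(blob[pos:pos + length])})
        pos += 2                               # keep scanning inside the carved image too
    return found


def build_fake_image(raw_data: bytes) -> bytes:
    """Constructed minimal PE-shaped image (not runnable) with one section holding raw_data."""
    dos = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40)             # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)         # one section, no optional header
    section = b".text\x00\x00\x00" + struct.pack(
        "<IIIIIIHHI", len(raw_data), 0x1000, len(raw_data), 0x80, 0, 0, 0, 0, 0x60000020)
    return (dos + b"PE\x00\x00" + coff + section).ljust(0x80, b"\x00") + raw_data


def demo() -> list[dict]:
    """Outer image whose section embeds a second image, mirroring the trojan's resource."""
    inner = build_fake_image(b"backdoor-bytes")
    outer = build_fake_image(b"RESOURCE:" + inner + b"TRAILER")
    return carve_pe(outer)


if __name__ == "__main__":
    for hit in demo():
        print(f"offset={hit['offset']:#x} length={hit['length']} sha256={hit['sha256']}")
```

Sizing from the section table rather than hashing to end-of-file matters: hashing the tail of the container would include whatever follows the embedded executable and would never reproduce the hash that the dumped resource yields.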

Backdoor

The backdoor provides a remote operator access to a target’s device. Interestingly, it has a compile timestamp set years in the future: Sun Nov 29 22:30:12 2093.

The Main function creates a mutex to ensure only a single instance of the backdoor is running, then enters a loop to send system information to a remote C2 and handle any response.

Figure 9. Main code flow of the malware backdoor.

The backdoor collects the following system information to send to the C2 server:

  • Machine Name as returned by Environment.MachineName property
  • Username as returned by the Environment.UserName property
  • WAN IP: Response from http://checkip.amazonaws[.]com (falls back to Local IP if no response)
  • Local IP: A concatenated string of the AddressList returned by the GetHostEntry method
  • Version: The Major, Minor, and Build Version from the OSVersionInfoEx structure

This system information is concatenated into an asterisk-delimited string, interestingly with the prefix TEST, along with the following identifiers:

  • User Identifier: An MD5 hash of the machine name, user name, and storage device serial number as returned by enumerating the return value of a ManagementObjectSearcher using the query SELECT * FROM Win32_PhysicalMedia.
  • Campaign code: A hardcoded value. In this instance, UyghurEditPP250310.

This is all sent as an HTTP POST request to the URL https://tengri[.]ooguy[.]com/gheyret/Update. The backdoor contains fallback logic in an exception handler to set a different domain after 5 connection attempts – in this instance, anar[.]gleeze[.]com.

The backdoor checks the prefix of the response and is programmed to handle the following:

  • GHEYRETOR – Not implemented
  • GHEYRETC – Allows a remote operator to run a command from a dynamically-loaded plugin
  • GHEYRETU – Allows a remote operator to upload a file to the victim’s device
  • GHEYRETD – Allows a remote operator to download a file from the victim’s device

As previously mentioned, we were unfortunately unable to identify or obtain any plugins used by the actor.
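The beacon format, the fallback rule and the response prefixes above are enough to write network detection logic. The following is an added example (not Citizen Lab code) that scores proxy-log records against them and checks a connection sequence for the "five failures, then the backup domain" behaviour. The report names the fields, the TEST prefix, the asterisk delimiter, the C2 path and the prefixes, but not the order in which the fields are joined: the FIELDS order below is an assumption, and SAMPLE_RECORDS is a constructed proxy log, not captured traffic.

```python
"""Detection logic for the backdoor's beacon, fallback and tasking (added example)."""
from __future__ import annotations

import re

C2_PATH = "/gheyret/Update"
KNOWN_C2 = {"tengri.ooguy.com", "anar.gleeze.com", "wanar.gleeze.com"}   # from the report
TASKING = {                                   # response prefixes the backdoor dispatches on
    "GHEYRETOR": "not implemented",
    "GHEYRETC": "run plugin command",
    "GHEYRETU": "upload file to victim",
    "GHEYRETD": "download file from victim",
}
# ASSUMED order of the asterisk-delimited fields after the TEST prefix.
FIELDS = ["machine", "user", "wan_ip", "local_ip", "os_version", "user_id", "campaign"]
CAMPAIGN_RE = re.compile(r"UyghurEditPP\d{6}")    # e.g. UyghurEditPP250310
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")


def parse_beacon(body: str) -> dict | None:
    """Split a request body into beacon fields; None unless it is TEST*...*campaign."""
    parts = body.split("*")
    if parts[0] != "TEST" or len(parts) != len(FIELDS) + 1:
        return None
    return dict(zip(FIELDS, parts[1:]))


def classify_request(rec: dict) -> list[str]:
    """Every reason a single proxy record looks like this backdoor's traffic."""
    reasons = []
    host = rec.get("host", "").lower()
    if host in KNOWN_C2:
        reasons.append(f"known C2 host {host}")
    if rec.get("method") == "POST" and rec.get("path") == C2_PATH:
        reasons.append(f"POST to {C2_PATH}")
    beacon = parse_beacon(rec.get("body", ""))
    if beacon:
        reasons.append("TEST-prefixed asterisk-delimited beacon")
        if CAMPAIGN_RE.fullmatch(beacon["campaign"]):
            reasons.append(f"campaign code {beacon['campaign']}")
        if MD5_RE.fullmatch(beacon["user_id"]):
            reasons.append("MD5-shaped user identifier")
    for prefix, meaning in TASKING.items():   # operator tasking carried in the response
        if rec.get("response", "").startswith(prefix):
            reasons.append(f"tasking {prefix} ({meaning})")
            break
    return reasons


def scan(records: list[dict]) -> list[dict]:
    """Alert only when two or more independent indicators coincide: a dynamic-DNS
    hostname on its own is weak evidence, since the same providers serve legitimate users."""
    alerts = []
    for rec in records:
        reasons = classify_request(rec)
        if len(reasons) >= 2:
            alerts.append({"host": rec.get("host"), "reasons": reasons})
    return alerts


def matches_fallback(conns: list[tuple[str, bool]], primary: str, backup: str,
                     attempts: int = 5) -> bool:
    """True if a (host, succeeded) sequence shows the report's fallback behaviour:
    `attempts` consecutive failures to the primary C2, then contact with the backup."""
    failed = 0
    for host, ok in conns:
        if host == primary and not ok:
            failed += 1
        elif host == backup and failed >= attempts:
            return True
        else:
            failed = 0
    return False


SAMPLE_RECORDS = [   # constructed proxy log for the demo, not real traffic
    {"method": "POST", "host": "tengri.ooguy.com", "path": C2_PATH,
     "body": "TEST*DESKTOP-1*alice*203.0.113.7*192.168.1.20*10.0.19045*"
             "d41d8cd98f00b204e9800998ecf8427e*UyghurEditPP250310",
     "response": "GHEYRETC load plugin"},
    {"method": "GET", "host": "checkip.amazonaws.com", "path": "/", "body": "",
     "response": "203.0.113.7"},
    {"method": "POST", "host": "update.example.org", "path": "/api/telemetry",
     "body": "TEST*just a prefix", "response": "OK"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert["host"], "->", "; ".join(alert["reasons"]))
```

The two-indicator threshold is the practical caveat: the checkip.amazonaws.com lookup the backdoor makes is also made by plenty of benign software, and Dynu hostnames are not malicious per se, so neither should page anyone on its own.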

Gender-Based Digital Transnational Repression and the Authoritarian Targeting of Women in the Diaspora
https://citizenlab.ca/2025/04/gender-based-digital-transnational-repression-and-the-authoritarian-targeting-of-women-in-the-diaspora/ (Tue, 01 Apr 2025 15:53:21 +0000)

The Citizen Lab’s Marcus Michaelsen and Siena Anstis published a research article in the peer-reviewed journal Democratization about the gendered forms of digital threats faced by women human rights defenders and journalists in exile and in the diaspora.

Click here to read the article.

Silenced by Surveillance: The Impacts of Digital Transnational Repression on Journalists, Human Rights Defenders, and Dissidents in Exile
https://citizenlab.ca/2025/03/silenced-by-surveillance-the-impacts-of-digital-transnational-repression-on-journalists-human-rights-defenders-and-dissidents-in-exile/ (Thu, 06 Mar 2025 17:53:13 +0000)

The Citizen Lab’s Siena Anstis and Ron Deibert examine the phenomenon of digital transnational repression in “Silenced by Surveillance: The Impacts of Digital Transnational Repression on Journalists, Human Rights Defenders, and Dissidents in Exile”, published by the Knight First Amendment Institute at Columbia University.

Read the essay here.

Book release: “Transnational Repression and International Law” co-authored by Siena Anstis
https://citizenlab.ca/2025/03/book-release-transnational-repression-and-international-law/ (Thu, 06 Mar 2025 17:44:54 +0000)

A new book co-authored by Siena Anstis, senior legal advisor at The Citizen Lab, is now available for purchase. Transnational Repression and International Law explores the rise of state-sponsored extraterritorial killings and the implications for international law.

Order your copy here.

Online Presentation of No Escape – Tackling Gender-Based Digital Transnational Repression: March 24, 10 am ET
https://citizenlab.ca/2025/03/online-presentation-of-no-escape-march-24/ (Tue, 04 Mar 2025 18:52:26 +0000)

Join us on March 24, 2025, for a virtual presentation and Q&A on the gendered dimension of digital transnational repression. The Citizen Lab’s Siena Anstis, Noura Aljizawi, and Marcus Michaelsen will share key findings from their December 2024 report, “No Escape: The Weaponization of Gender for the Purposes of Digital Transnational Repression,” followed by a moderated discussion with journalists and research fellows Maryam Mirza and Arzu Geybulla on actionable solutions to address gender-based digital transnational repression. Opening remarks will be presented by MEP Hannah Neumann and the discussion and Q&A will be moderated by The Citizen Lab’s Emile Dirks.

Why You Should Join 

  • Gain insights into how gender and technology intersect to suppress human rights globally.
  • Learn from first-hand accounts about the impacts of digital repression on women human rights defenders.
  • Explore actionable recommendations to strengthen protections for activists and journalists.

About the Research

Published in December 2024, The Citizen Lab’s Report No. 180: No Escape, focuses on the experiences of 85 women human rights defenders and journalists from 24 countries, including Iran, China, and Russia, now residing in 23 host countries such as Germany, France, and the Netherlands. The report uncovers the weaponization of digital tools used by authoritarian regimes to target exiled women, employing tactics such as online harassment, defamation, and invasive surveillance. These attacks are not only designed to intimidate but also to silence dissent and undermine democracy.

Event date: March 24, 10:00 AM ET / 3:00 PM CET

Register here
