
POISON CARP

aka: Evil Eye, Red Dev 16, Earth Empusa

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.


Associated Families
apk.actionspy ios.poisoncarp

References
2021-03-24, Facebook: Mike Dvilyanski, Nathaniel Gleicher
Taking Action Against Hackers in China. https://about.fb.com/news/2021/03/taking-action-against-hackers-in-china/ (accessed 2021-03-25)
ActionSpy
2020-06-11, Trend Micro: Ecular Xu, Joseph C. Chen
New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa. https://blog.trendmicro.com/trendlabs-security-intelligence/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa/ (accessed 2020-06-12)
ActionSpy PoisonCarp
2020-06-11, Trend Micro: Ecular Xu, Joseph C Chen
Phishing Attacks from Earth Empusa Reveal ActionSpy. https://www.trendmicro.com/en_us/research/20/f/new-android-spyware-actionspy-revealed-via-phishing-attacks-from-earth-empusa.html (accessed 2022-09-12)
ActionSpy POISON CARP
2019-09-24, The Citizen Lab: Bill Marczak, Adam Hulcoop, Etienne Maynier, Bahr Abdul Razzak, Masashi Crete-Nishihata, John Scott-Railton, Ron Deibert
Missing Link Tibetan Groups Targeted with 1-Click Mobile Exploits. https://citizenlab.ca/2019/09/poison-carp-tibetan-groups-targeted-with-1-click-mobile-exploits/ (accessed 2019-12-20)
PoisonCarp POISON CARP
2019-09-02, Volexity: Andrew Case, Matthew Meltzer, Steven Adair
Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs. https://www.volexity.com/blog/2019/09/02/digital-crackdown-large-scale-surveillance-and-exploitation-of-uyghurs/ (accessed 2019-12-06)
scanbox POISON CARP
2019-08-29, Google: Ian Beer, Project Zero
Implant Teardown. https://googleprojectzero.blogspot.com/2019/08/implant-teardown.html (accessed 2020-01-06)
PoisonCarp

Credits: MISP Project