
POISON CARP

aka: Earth Empusa, Evil Eye, Red Dev 16

Between November 2018 and May 2019, senior members of Tibetan groups received malicious links in individually tailored WhatsApp text exchanges with operators posing as NGO workers, journalists, and other fake personas. The links led to code designed to exploit web browser vulnerabilities to install spyware on iOS and Android devices, and in some cases to OAuth phishing pages. This campaign was carried out by what appears to be a single operator that we call POISON CARP.


Associated Families
apk.actionspy ios.poisoncarp

References
2021-03-24 | Facebook | Mike Dvilyanski, Nathaniel Gleicher
Taking Action Against Hackers in China
ActionSpy
2020-06-11 | Trend Micro | Ecular Xu, Joseph C. Chen
New Android Spyware ActionSpy Revealed via Phishing Attacks from Earth Empusa
ActionSpy PoisonCarp
2020-06-11 | Trend Micro | Ecular Xu, Joseph C. Chen
Phishing Attacks from Earth Empusa Reveal ActionSpy
ActionSpy POISON CARP
2019-09-24 | The Citizen Lab | Adam Hulcoop, Ron Deibert, Bahr Abdul Razzak, Bill Marczak, Etienne Maynier, John Scott-Railton, Masashi Crete-Nishihata
Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits
PoisonCarp POISON CARP
2019-09-02 | Volexity | Andrew Case, Matthew Meltzer, Steven Adair
Digital Crackdown: Large-Scale Surveillance and Exploitation of Uyghurs
scanbox POISON CARP
2019-08-29 | Google | Ian Beer, Project Zero
Implant Teardown
PoisonCarp

Credits: MISP Project