POISON CARP
POISON CARP is a China-aligned threat actor associated in the cited reporting with state-sponsored cyber espionage and with the Chinese contractor i-SOON (Anxun Information Technology). Citizen Lab tracks i-SOON as POISON CARP, and multiple sources describe links between leaked i-SOON materials and POISON CARP infrastructure and operations. The actor has been implicated in campaigns targeting Tibetan groups and, in related reporting, overlaps with activity targeting Uyghur communities; this targeting aligns with Chinese security and surveillance interests in ethnic minority groups. The only aliases given directly in the cited reporting are POISON CARP / poison_carp.

The most detailed reporting describes a campaign between November 2018 and May 2019 targeting senior members of Tibetan organizations, including the Private Office of His Holiness the Dalai Lama, the Central Tibetan Administration, the Tibetan Parliament, and Tibetan human rights groups. The operator used tailored WhatsApp conversations and fake personas posing as NGO workers, journalists, volunteers, and tourists, often using Hong Kong +852 numbers, to deliver malicious links. The campaign used one-click mobile browser exploitation against both iOS and Android devices and is described as the first documented use of one-click mobile exploits against Tibetan groups.

On iOS, POISON CARP used an exploit chain targeting iOS 11.0 through 11.4, delivered via domains such as msap[.]services and sometimes wrapped in Bitly links. Exploit and payload delivery was encrypted with an ECC Diffie-Hellman key exchange, and the chain installed an iOS spyware implant that exfiltrated device and application data including location, contacts, call history, SMS history, and data from apps such as Viber, Voxer, Telegram, Gmail, Twitter, QQMail, and WhatsApp. The iOS exploits were not zero-days: Apple had patched the vulnerabilities before the campaign, so the chain only worked against devices that had not been updated.
On Android, POISON CARP used the previously undocumented MOONSHINE exploit-and-spyware framework. MOONSHINE carried multiple Chrome exploits, each mapped to the browser versions it affected, including exploits associated with CVE-2016-1646, CVE-2016-5198, CVE-2017-5030, CVE-2017-5070, CVE-2018-6065, CVE-2018-17463, CVE-2018-17480, and CVE-2019-5825; later reporting also ties MOONSHINE to CVE-2020-6418 and to a suspected exploit for CVE-2023-3420 targeting WeChat. Some exploit code was copied or lightly modified from public sources, including Tencent Xuanwu Lab, Qihoo 360 Vulcan Team, Google Project Zero, and Exodus Intelligence. Notably, POISON CARP used a publicly released Exodus Intelligence exploit for a Chrome bug that had been fixed in the Chromium source but not yet shipped to users, a patch-gap window in which a public proof of concept is effectively a zero-day for end users.

MOONSHINE delivery relied on social-engineering links sent over messaging platforms, especially WhatsApp and WeChat. The landing pages could masquerade as legitimate content, redirect victims back to benign pages, and, in later reporting, validate request headers so that exploit code was served only to targeted vulnerable apps or browser versions. It targeted Chromium-based browsers and the Tencent Browser Server engine embedded in Android applications, with code to target apps including Chrome, Facebook, Lazada, Line, Messenger, Naver, QQ, WeChat, and Zalo. In one observed chain, MOONSHINE attempted to force malicious URLs to open inside Facebook's built-in browser; later reporting describes replacement of WeChat's XWalk browser core with a trojanized APK, and a phishing page that falsely offered a browser-engine update while actually downgrading the engine to a vulnerable version.

The Android implant delivered by MOONSHINE was called Scotch in the 2019 reporting. It communicated with command-and-control over WebSocket on port 10011 and downloaded plugin packages including Bourbon.jar and IceCube.jar.
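The version-to-exploit mapping above is the part of MOONSHINE a defender can turn around: the same comparison the server does to pick an exploit tells you which of your devices would have been served one. The example below is added here and is not code from the cited reporting or from Mallory. It pulls the Chrome engine version out of a User-Agent (Android WebView and Tencent Browser Server user agents both carry a Chrome/ token, which is why in-app browsers such as WeChat or Facebook are covered) and returns the CVEs from the list above whose fix shipped after that version. The fix version for CVE-2016-5198 is the one given on this page; the other fix versions are my recollection of Chrome stable-channel release notes and are labelled as such in the code, and the sample user agents are constructed.

```python
import re

# Chrome stable versions that first shipped the fix for each CVE. The entry for
# CVE-2016-5198 comes from the page itself; the rest are from my recollection
# of Chrome stable-channel release notes and must be verified against them
# before operational use. CVE-2019-5825 and CVE-2023-3420 are left out for
# that reason; add them once the fix versions are confirmed.
FIX_VERSIONS = {
    "CVE-2016-1646": "49.0.2623.108",
    "CVE-2016-5198": "54.0.2840.87",
    "CVE-2017-5030": "57.0.2987.98",
    "CVE-2017-5070": "59.0.3071.86",
    "CVE-2018-6065": "65.0.3325.146",
    "CVE-2018-17463": "70.0.3538.64",
    "CVE-2018-17480": "71.0.3578.80",
    "CVE-2020-6418": "80.0.3987.122",
}

_CHROME_RE = re.compile(r"\bChrome/(\d+(?:\.\d+){0,3})")


def parse_version(text):
    """'70.0.3538.64' -> (70, 0, 3538, 64). Shorter strings are zero-padded,
    so a bare 'Chrome/54' compares as older than any 54.x.y.z fix release,
    which errs on the side of flagging the device."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def chrome_version(user_agent):
    """Engine version from a Chrome, WebView or TBS User-Agent, or None."""
    m = _CHROME_RE.search(user_agent)
    return parse_version(m.group(1)) if m else None


def exposed_cves(user_agent):
    """CVEs from FIX_VERSIONS whose fix is newer than this client's engine.
    Returns None when the User-Agent carries no Chrome/ token at all."""
    ver = chrome_version(user_agent)
    if ver is None:
        return None
    return [cve for cve, fix in FIX_VERSIONS.items() if ver < parse_version(fix)]


# Constructed sample user agents (not observed data): an Android WebView on
# Chrome 67, a WeChat-embedded TBS engine on Chrome 57, an up-to-date Chrome
# 80, and an iOS Safari string with no Chrome token.
SAMPLE_AGENTS = {
    "webview_67": "Mozilla/5.0 (Linux; Android 8.1.0; wv) AppleWebKit/537.36 "
                  "(KHTML, like Gecko) Version/4.0 Chrome/67.0.3396.87 Mobile Safari/537.36",
    "tbs_57": "Mozilla/5.0 (Linux; Android 9; wv) AppleWebKit/537.36 (KHTML, like Gecko) "
              "Version/4.0 Chrome/57.0.2987.132 MQQBrowser/6.2 TBS/045131 "
              "Mobile Safari/537.36 MicroMessenger/7.0.3",
    "chrome_80": "Mozilla/5.0 (Linux; Android 10) AppleWebKit/537.36 (KHTML, like Gecko) "
                 "Chrome/80.0.3987.149 Mobile Safari/537.36",
    "ios_safari": "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X) "
                  "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1",
}

if __name__ == "__main__":
    for name, ua in SAMPLE_AGENTS.items():
        print(f"{name:12s} version={chrome_version(ua)} exposed={exposed_cves(ua)}")
```

Feed it the user_agent column of your web proxy or Zeek http.log to get an inventory of which embedded browsers in the fleet were still inside the MOONSHINE exploit range; the match is on the engine version, not the app, so a patched Chrome next to an unpatched in-app TBS engine on the same phone shows up as two different answers.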
These plugins enabled surveillance functions including collection of SMS messages, contacts, call logs, GPS location, camera images, microphone audio, screenshots, notifications, file upload, shell command execution, and broader device information theft.

Later reporting states that MOONSHINE remains under active development and is likely shared among multiple Chinese-aligned intrusion sets, including Earth Minotaur, POISON CARP, UNC5221, and others. Trend Micro distinguishes Earth Minotaur from POISON CARP despite both using MOONSHINE and both targeting Tibetan and Uyghur communities, so shared tooling alone should not be read as a shared operator.

The cited reporting also links POISON CARP to a malicious Google OAuth application lure named Energy Mail, sent to a Tibetan Parliament member together with a MOONSHINE link, tying OAuth consent phishing to the same operator. Additional OAuth infrastructure assessed as likely associated includes antmoving[.]online, beemail[.]online, gmailapp[.]me, mailanalysis[.]services, and polarismail[.]services.

Infrastructure and organizational links connect POISON CARP to the 2024 i-SOON leak. Insikt Group and Unit 42 reporting state that the leaked materials revealed operational and organizational ties between i-SOON and POISON CARP, alongside other Chinese espionage groups such as RedAlpha and RedHotel. Unit 42 also reported an IP overlap involving 74.120.172[.]10 and mailnotes[.]online, and the broader leak is described as evidence of a Chinese contractor ecosystem supplying offensive cyber capabilities to state-linked operations. Taken together, the cited reporting supports describing POISON CARP as a China-aligned espionage actor linked to Chinese state-sponsored activity and contractor support.
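The indicators on this page (the msap[.]services delivery domain, the OAuth domains, the mailnotes[.]online / 74.120.172[.]10 overlap, the Scotch WebSocket port and plugin names) are more useful as a small triage rule set than as a flat list. The example below is added here and is not code from the cited reporting or from Mallory. It refangs the defanged indicators, then runs four checks over JSON-lines log records loosely modelled on Zeek dns.log and http.log: an IOC domain (or subdomain) in a DNS query or HTTP Host, an IOC IP as the responder, an HTTP 101 Switching Protocols on port 10011 (the WebSocket upgrade the Scotch implant would produce), and a download whose file name is one of the named plugin jars. The log records and the 203.0.113.x C2 address are constructed for the example; the field names follow Zeek's but the records are not real captures.

```python
import json

# Indicators as they appear on this page, kept defanged at rest.
DEFANGED_DOMAINS = [
    "msap[.]services",
    "antmoving[.]online", "beemail[.]online", "gmailapp[.]me",
    "mailanalysis[.]services", "polarismail[.]services",
    "mailnotes[.]online",
]
DEFANGED_IPS = ["74.120.172[.]10"]
SCOTCH_C2_PORT = 10011                       # Scotch WebSocket C2 port
SCOTCH_PLUGINS = {"bourbon.jar", "icecube.jar"}  # plugin packages, lower-cased


def refang(indicator):
    """Turn a defanged indicator back into the live value used for matching."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


DOMAINS = {refang(d) for d in DEFANGED_DOMAINS}
IPS = {refang(i) for i in DEFANGED_IPS}


def domain_matches(host):
    """Exact match or subdomain of any IOC domain; trailing dot tolerated."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DOMAINS)


def triage(record):
    """Return the names of every rule a single log record trips."""
    hits = []
    host = record.get("query") or record.get("host") or ""
    if host and domain_matches(host):
        hits.append("ioc-domain")
    if record.get("id.resp_h") in IPS:
        hits.append("ioc-ip")
    # A completed WebSocket handshake is an HTTP 101; on the Scotch port that
    # is the implant checking in rather than a browser hitting a web server.
    if record.get("id.resp_p") == SCOTCH_C2_PORT and record.get("status_code") == 101:
        hits.append("scotch-websocket-c2")
    uri = record.get("uri") or ""
    if uri.rsplit("/", 1)[-1].lower() in SCOTCH_PLUGINS:
        hits.append("scotch-plugin-download")
    return hits


def triage_lines(lines):
    """(uid, hits) for every JSON-lines record that trips at least one rule."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = triage(rec)
        if hits:
            alerts.append((rec.get("uid"), hits))
    return alerts


# Constructed sample records (not real captures). C1/C6 are dns.log-style,
# the rest http.log-style; C5 is benign and should produce nothing.
SAMPLE_LOG = """
{"uid":"C1","id.resp_h":"198.51.100.53","id.resp_p":53,"query":"msap.services"}
{"uid":"C2","id.resp_h":"203.0.113.5","id.resp_p":10011,"host":"203.0.113.5","uri":"/","status_code":101}
{"uid":"C3","id.resp_h":"203.0.113.5","id.resp_p":10011,"host":"203.0.113.5","uri":"/plugins/Bourbon.jar","status_code":200}
{"uid":"C4","id.resp_h":"74.120.172.10","id.resp_p":443,"host":"mailnotes.online","uri":"/oauth","status_code":200}
{"uid":"C5","id.resp_h":"93.184.216.34","id.resp_p":443,"host":"example.com","uri":"/","status_code":200}
{"uid":"C6","id.resp_h":"198.51.100.53","id.resp_p":53,"query":"cdn.gmailapp.me"}
"""

if __name__ == "__main__":
    for uid, hits in triage_lines(SAMPLE_LOG.splitlines()):
        print(uid, ", ".join(hits))
```

The port-plus-101 rule is the one worth keeping even after the domains rotate: the WebSocket handshake is structural to the implant's C2, whereas domains and IPs are the cheapest thing for the operator to change. Run it against archived http.log with `--status_code` retained, since many Zeek deployments drop the 101 line when the connection is handed off to the websocket analyzer.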
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Telecommunication Services
- Government & Administration
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
34 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
7 malware families attributed to this actor across reporting.
Associated vulnerabilities
8 CVEs this actor has used in observed campaigns. 8 of them exploited in the wild.
- Other exploits include what appears to be lightly modified versions of Chrome exploit code published on the personal GitHub pages of a member of Tencent's Xuanwu Lab (CVE-2016-1646).
- Exploit #2: Appears to be CVE-2016-5198, a bug publicly credited to Tencent's Keen Security Lab via Trend Micro's Zero Day Initiative and fixed in Chrome 54.0.2840.87.
- Exploit #3: Appears to be CVE-2017-5030, a bug publicly credited to security researcher Brendon Tiszka.
- Exploit #4: Appears to include a CVE-2017-5070 exploit published on the GitHub account of Qixun Zhao of Qihoo 360's Vulcan Team.
- Exploit #6: Appears to be CVE-2018-17463, a bug publicly credited to security researcher Samuel Groß.
Observables
50 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
13 sources tracked across advisories, community write-ups, and news.
i-SOON is described as a commercial offensive cyber contractor within the Chinese contractor ecosystem, developing and selling offensive tooling including spyware, phishing kits, and hardware implants to state customers such as the MSS, the PLA, and local Public Security Bureaus.
Conducted a mobile espionage campaign against Tibetan groups via tailored WhatsApp social engineering, delivering iOS and Android browser exploits, spyware, and in at least one case a malicious OAuth phishing application. The campaign overlaps with Uyghur-targeting activity and is likely linked to the same operator or a closely coordinated group behind the Google Project Zero and Volexity-reported campaigns.
Referenced as a threat actor previously associated with Android spyware techniques similar to Paragon’s method of loading spyware into legitimate apps and processes.
Associated in cited reporting with MOONSHINE Android surveillanceware targeting Tibetan and Uyghur communities.