MOONSHINE
MOONSHINE is an Android exploit kit and spyware family first publicly reported by Citizen Lab in 2019 in campaigns targeting Tibetan groups; subsequent reporting has linked it to targeting of Uyghur and Taiwanese communities and related civil society organizations. It has been described both as Android spyware embedded in legitimate-looking or trojanized mobile applications and as an exploit kit used in the wild to compromise Android devices via malicious links distributed through instant messaging and social platforms, especially WhatsApp, WeChat, and Telegram, including links sent to chat groups. Reported lures included government announcements, COVID-19 news, religion-related content, travel information, Tibetan or Uyghur music and dance videos, and an Uyghur-language “Audio Quran” app. Some malicious apps impersonated trusted services such as WhatsApp, Skype, Signal, Telegram, and Adobe Acrobat, as well as prayer apps and utilities.
MOONSHINE targets Android devices and has been observed exploiting vulnerabilities in Chromium-based browsers and in Tencent Browser Server (TBS) components embedded in Android apps. Reported targeted vulnerabilities include CVE-2016-1646, CVE-2016-5198, CVE-2017-5030, CVE-2017-5070, CVE-2018-6065, CVE-2018-17463, CVE-2018-17480, CVE-2019-5825, and CVE-2020-6418; reporting also indicates that an exploit for CVE-2023-3420 targeting WeChat is believed to be part of the framework. The framework validates request headers and serves exploit code only to targeted vulnerable app or browser versions; it can disguise malicious links as legitimate content, redirect victims back to benign content after exploitation, and present a fake browser-engine update page whose download actually downgrades the engine to a vulnerable version. Earlier reporting described MOONSHINE forcing malicious URLs to open inside Facebook’s built-in Chrome-based WebView and using a multi-stage chain that downloaded loaders into Facebook or Messenger app directories and achieved persistence by overwriting shared libraries in legitimate apps.
The spyware payload associated with MOONSHINE has been referred to as Scotch in Citizen Lab reporting, described as a modular Java application with plugins such as Bourbon.jar and IceCube.jar. Capabilities directly reported across sources include collection of SMS messages, contacts, call logs/history, GPS/location data, device information, installed apps, clipboard data, browser bookmarks, files, screenshots, photos, microphone audio/recordings, camera images, notifications, chats/conversations, and shell command execution. Government advisory reporting states MOONSHINE can access cameras, microphones, messages/chats, photos, and location data, enabling real-time surveillance. NCSC-related reporting also states MOONSHINE management interfaces exposed file exfiltration, live audio capture, and screen recording, and that victim devices may pass a score value to C2 based on granted permissions.
Recent reporting from Trend Micro and Cisco Talos links MOONSHINE to the Android backdoor DarkNimbus, which has also been called DarkNights in some reporting. Trend Micro reported that successful exploitation in one observed chain replaced WeChat’s XWalk browser core with a trojanized APK containing DarkNimbus. DarkNimbus was described as actively developed since 2018, using XMPP via the Smack library for command-and-control and HTTPS for file transfer, and capable on Android of collecting device information, installed apps, contacts, SMS, call history, GPS data, clipboard data, browser bookmarks, files, screenshots, photos, and recordings, including theft of instant-messaging conversations via Android Accessibility Service. Cisco Talos also reported MOONSHINE and DarkNimbus in connection with the Earth Minotaur cluster and with DKnife traffic-hijacking activity.
Reported threat-actor associations include POISON CARP, Earth Minotaur, and broader China-aligned activity. Citizen Lab and TibCERT attributed the 2018-2019 Tibetan targeting campaign using MOONSHINE to an operator they named POISON CARP. Trend Micro investigated Earth Minotaur using the MOONSHINE exploit kit in the wild and assessed that MOONSHINE is likely shared among multiple threat actors, including Earth Minotaur, POISON CARP, UNC5221, and others. Multiple government and industry reports describe MOONSHINE as part of surveillance activity aligned with Chinese state interests and targeting communities considered politically sensitive, especially Tibetans and Uyghurs, with additional targeting of Taiwanese-linked communities and civil society. Some reporting also notes a prior association of Moonshine with APT15 tooling lists.
Infrastructure and operational details directly mentioned include at least 55 MOONSHINE exploit-kit servers identified by 2024; management panels titled SCOTCH ADMIN or LOGIN; infrastructure overlap with UPSEC-associated login panels; virtually hosted management interfaces; and links between MOONSHINE exploit-kit infrastructure and DarkNimbus C2 infrastructure. Reported indicators and artifacts include the string DKNS in some DarkNimbus versions, the domain ansec[.]com as a DarkNimbus C2, WebSocket C2 on port 10011 for Scotch in earlier reporting, and observed malicious URL patterns such as /web/info with Base64-encoded decoy URLs in older Citizen Lab reporting.
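As an added illustration, not code from the page or from any of the cited vendors, the following Python scanner runs over constructed proxy-log lines and flags the two network artifacts named above: /web/info requests whose query carries a Base64-encoded http(s) decoy URL (the parameter name u is an assumption; the reporting only says the URLs carried a Base64-encoded decoy), and CONNECT tunnels to port 10011, the WebSocket C2 port reported for Scotch.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log lines (not real traffic): client_ip method url status.
# The query parameter name "u" is an assumption; the reporting only says the
# /web/info URLs carried a Base64-encoded decoy URL.
SAMPLE_LOG = """\
10.0.0.5 GET http://cdn.example.test/web/info?u=aHR0cHM6Ly90LnRlc3QveA== 200
10.0.0.7 GET http://news.example.test/web/info?u=not-base64!! 200
10.0.0.9 GET http://shop.example.test/web/index?u=aHR0cHM6Ly90LnRlc3QveA== 200
10.0.0.5 CONNECT decoy.example.test:10011 200
10.0.0.9 CONNECT mail.example.test:443 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
C2_PORT = "10011"  # WebSocket C2 port reported for Scotch in earlier Citizen Lab reporting


def decode_decoy(value):
    """Return the decoded text if value is strict Base64 for an http(s) URL, else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    return text if text.startswith(("http://", "https://")) else None


def scan_line(line):
    """Match one log line against the two artifacts; return a finding dict or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, url, _status = m.groups()
    if method == "CONNECT":  # tunnel to host:port, as a WebSocket handshake would use
        host, _, port = url.rpartition(":")
        return {"client": client, "rule": "c2_port_10011", "detail": host} if port == C2_PORT else None
    parts = urlsplit(url)
    if parts.path != "/web/info":
        return None
    for values in parse_qs(parts.query).values():
        for decoded in filter(None, map(decode_decoy, values)):
            return {"client": client, "rule": "web_info_b64_decoy", "detail": decoded}
    return None


def scan_log(text):
    """Run scan_line over every line and keep the findings, preserving log order."""
    return [hit for hit in map(scan_line, text.splitlines()) if hit]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only strict Base64 that decodes to an http(s) URL is flagged, so ordinary opaque tokens on an unrelated /web/info path do not fire; the host list alone is not a verdict, and a hit should be checked against the full Citizen Lab indicators.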
Overall, the available reporting characterizes MOONSHINE as an actively developed, Android-focused exploit and surveillance platform used in targeted espionage and monitoring operations against Tibetan, Uyghur, Taiwanese, and related civil society targets. It is delivered through socially engineered links and trojanized apps, carries extensive device surveillance and data-theft capabilities, and has recurring links to China-aligned threat activity.
Vulnerabilities exploited
10 CVEs have been correlated with this family across public research and vendor advisories.
Trend Micro researchers investigated a group named Earth Minotaur that used the MOONSHINE exploit kit in the wild. MOONSHINE exploit kit targets vulnerabilities in instant messaging apps on Android devices, primarily affecting Tibetan and Uyghur communities.
Exploit #8: Appears to be CVE-2019-5825 ... The specific exploit used here was written and published by Exodus Intelligence after they examined the git log for Chrome’s JavaScript engine, and found a vulnerability that had been fixed in source code, but whose patch had not yet shipped to Chrome users.
We refer to the Android exploit and malware kit as MOONSHINE, given a number of alcohol-related strings included by the developer. This kit has not been publicly described previous to this report.
Groups observed using it
4 distinct threat actors have been attributed by public researchers.
...including RoyalCLI and RoyalDNS, Okrum, Ketrum, and Android spyware named SilkBean and Moonshine.
Techniques & procedures
12 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
4 techniques
The malicious links led victims to MOONSHINE exploit kit servers, which install backdoors on the victims’ devices.
When the server detects a version of TBS that is not vulnerable to the exploits supported in MOONSHINE, it doesn’t deliver the exploit code. Instead, the server returns a phishing page informing the victim that the version of browser engine used in the app is outdated and needs to be upgraded with a provided download link... However, the actual download browser engine is older and contains vulnerabilities.
Execution
1 technique
Stealth
1 technique
Collection
3 techniques
These two spywares hid inside legitimate-looking Android apps, acting essentially as “Trojan” malware, with surveillance capabilities such as the ability to access the phone’s cameras, microphone, chats, photos, and location data...
IOCs tracked for this family
2 indicators (IPs, domains, and DNS infrastructure) are attributed to this family across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
18 sources are tracked across advisories, community write-ups, and news.
Exploit kit used to deliver the DarkNimbus backdoor in long-term surveillance operations.
Malware referenced as targeting mobile users via fake apps; details not provided in the excerpt.
Exploit kit/tooling linked to the Earth Minotaur threat cluster in the reporting.
Exploit kit tracked by Talos since 2023 and associated in this reporting with delivery of mobile exploits alongside the DarkNimbus backdoor.