EvilBamboo [1] [2] [3] [4] [5] [6] [7] [8] [9], also known as Evil Eye [1] [4] [8] [9], Earth Empusa [4] [9], and POISON CARP [4] [9], is a persistent threat actor that has been conducting a cyber-espionage campaign targeting Tibetan [3], Uyghur [1] [2] [3] [4] [5] [6] [7] [8] [9], and Taiwanese individuals and organizations for over five years [9]. This campaign, believed to be operated by the Chinese state, utilizes customized Android malware and iOS malware to infiltrate these communities [2].


EvilBamboo has been active since at least 2019 and has used various tactics to target Android and iOS devices [3] [4] [9]. They have employed watering hole attacks, zero-day vulnerabilities [5] [9], and Android malware to compromise devices and harvest data. Volexity [2] [3] [4] [6] [7] [8] [9], a cybersecurity firm [2], has been tracking EvilBamboo and has observed the ongoing development of custom Android malware, the creation of fake websites and social media profiles for deploying browser-based exploits [3] [4] [5] [6] [7] [9], and the use of online communities like Telegram to distribute their malware.

Recent findings from Volexity have identified three new Android espionage tools associated with EvilBamboo: BADBAZAAR [3] [4] [9], BADSIGNAL [4], and BADSOLAR [4]. The group uses APK sharing forums, fake websites [1] [3] [4] [5] [7] [9], and bogus profiles on social media platforms to distribute their malware [3] [9]. EvilBamboo primarily targets Taiwanese users by distributing Android spyware through threads on a Taiwanese APK sharing forum [2]. They also create counterfeit websites to distribute compromised versions of popular apps like Signal and Telegram [2].

EvilBamboo has expanded their attacks to include iOS devices, using a Safari exploit to target users. This demonstrates their evolving capabilities and willingness to adapt their tactics to reach a wider range of targets. The group has developed three families of Android malware [8], namely BadBazaar [8], BadSignal [2] [8], and BadSolar [8]. These malicious apps not only include backdoors but also surveillance capabilities, allowing the attackers to monitor users [8].


EvilBamboo’s cyber-espionage campaign highlights the importance of only installing apps from trusted sources. Their creation of fake websites and tailored personas has allowed them to build trusted communities for further exploitation [9]. The group’s operations demonstrate a high level of expertise and resources [5], as they create fake communities and use trojanized apps [5]. This emphasizes the need for caution in online interactions and downloading apps [5].

Mitigating the threat posed by EvilBamboo requires organizations and individuals to stay vigilant and adopt best practices for cybersecurity. It is crucial to regularly update devices, use reputable antivirus software, and exercise caution when interacting with unfamiliar websites and apps. Additionally, reporting suspicious activities to relevant authorities and cybersecurity firms can contribute to the ongoing efforts to combat this threat.

As EvilBamboo continues to evolve and adapt its tactics, it is essential for researchers, cybersecurity professionals, and organizations to collaborate and share information to stay ahead of the threat. By remaining proactive and implementing robust security measures, we can mitigate the impact of cyber-espionage campaigns like EvilBamboo and protect individuals and organizations from potential harm.


[1] https://gbhackers.com/evilbamboo-attacking-android-ios/
[2] https://www.infosecurity-magazine.com/news/china-evilbamboo-targets-mobiles/
[3] https://patabook.com/technology/2023/09/25/from-watering-hole-to-spyware-evilbamboo-targets-tibetans-uyghurs-and-taiwanese/
[4] https://thehackernews.com/2023/09/from-watering-hole-to-spyware.html
[5] https://bragg.substack.com/p/daily-drop-607-evilbamboo-myanmars
[6] https://www.linkedin.com/posts/wdevault_from-watering-hole-to-spyware-evilbamboo-activity-7112025103378378753-j8s3
[7] https://www.volexity.com/blog/2023/09/22/evilbamboo-targets-mobile-devices-in-multi-year-campaign/
[8] https://www.lemagit.fr/actualites/366553013/EvilBamboo-une-campagne-de-cyber-espionnage-qui-ratisse-large
[9] https://mrhacker.co/malware/from-watering-hole-to-spyware-evilbamboo-targets-tibetans-uyghurs-and-taiwanese