silkbean-goldeneagle

SilkBean / GoldenEagle

cluster includes: SilkBean DoubleAgent CarbonSteal GoldenEagle GREF / APT15 (linked actor) Ke3chang / Vixen Panda / Playful Dragon

A mobile surveillance cluster — not a single group, but four interconnected Android spyware families (SilkBean, DoubleAgent, CarbonSteal, GoldenEagle) discovered by Lookout in 2020 and traceable to at least 2013. All four share C2 infrastructure, signing certificates, and code overlap, pointing to a single state-sponsored operator with a sustained mandate to track Uyghurs, Tibetans, and broader Muslim minority communities wherever they live. Activity was observed in at least 14 countries — 12 of which are on China's official "26 Sensitive Countries" list used as targeting criteria. The peak in malware development in 2015–2016 directly followed China's "Strike Hard Campaign Against Violent Terrorism" (May 2014) and the enactment of new national security and counter-terrorism laws in 2015.

attributed actorGREF / APT15 (Lookout — linked via C2 and code overlap)

platformAndroid (exclusively documented)

first observed (infrastructure)2013 (DoubleAgent — Citizen Lab); malware families tracked from 2015

primary targetsUyghurs globally; Tibetans; broader Muslim minority communities

geographic reach14+ countries — Turkey, Kazakhstan, Indonesia, Syria, Kuwait, Saudi Arabia and others

total carbonsteal samples500+ (Lookout, as of 2020 disclosure)

silkbean c2 commands70+ remote commands supported

google play presenceNone — distributed via third-party stores, phishing, fake app stores

successor family (gref)BadBazaar — Signal Plus Messenger / FlyGram trojanization (2022–2023)

Overview

The SilkBean / GoldenEagle cluster represents one of the most extensively documented mobile surveillance operations targeting a specific ethnic minority population. Lookout's July 2020 disclosure connected four Android surveillanceware families — SilkBean, DoubleAgent, CarbonSteal, and GoldenEagle — into a single coherent mAPT (mobile Advanced Persistent Threat) operation through shared C2 infrastructure, overlapping code-signing certificates, and code-level similarities. The four families had varying levels of prior visibility, but their connection to a single state-sponsored operation was not publicly established until Lookout's report.

The timeline correlates precisely with China's domestic security and counter-terrorism policy trajectory. Lookout researchers observed a dramatic spike in sample activity in 2015 and 2016 — immediately following the "Strike Hard Campaign Against Violent Terrorism" launched in May 2014 and the enactment of China's new National Security Law, Counterterrorism Law, and National Security Strategic Guidelines in 2015. The campaign appears designed to extend China's domestic surveillance apparatus — centered in Xinjiang — to track Uyghur communities wherever they migrate globally. Lookout researcher Apurva Kumar described the surveillance pattern as a "predator stalking its prey throughout the world. Wherever China's Uighurs are going, however far they go, whether it was Turkey, Indonesia or Syria, the malware followed them there."

Attribution to the GREF cluster — which also encompasses APT15, Ke3chang, Mirage, Vixen Panda, and Playful Dragon — is based on direct infrastructure overlaps: C2 infrastructure publicly associated with GREF in 2018 was found communicating with CarbonSteal samples. The same GREF actor had previously conducted campaigns against the UK government and military in 2017 and deployed an upgraded Mirage RAT against a US Navy contractor in 2018, demonstrating that this is a multi-mission operator running both targeted state espionage and ethnic minority surveillance as parallel mandates.

GREF / APT15's mobile surveillance mandate did not end with Lookout's 2020 disclosure. ESET documented a subsequent campaign using BadBazaar — trojanized versions of Signal (Signal Plus Messenger) and Telegram (FlyGram) — distributed via Google Play, Samsung Galaxy Store, and Uyghur-focused Telegram groups between 2021 and 2023. ESET confirmed significant code similarity between BadBazaar and SilkBean/GoldenEagle/CarbonSteal/DoubleAgent, establishing BadBazaar as the post-disclosure successor family using identical targeting patterns. Signal Plus Messenger was available on Google Play for nearly a year before removal.

The Four Families

Each malware family serves a distinct surveillance function within the cluster, with complementary data collection priorities ensuring comprehensive target coverage across communication channels, device data, and physical surveillance.

Family 1 — tracked since 2015

SilkBean

Lookout tracking start: 2015 | Disclosed: Jul 2020

A small and targeted surveillanceware tool primarily distributed via trojanized Uyghur/Arabic keyboard apps, alphabet apps, and language plugins — targeting the foundational tools Uyghur speakers install to type in their own language. SilkBean's signature is its comprehensive RAT functionality: over 70 commands executable remotely from the C2 server, encompassing collecting, modifying, and sending messages, screen recording, and full device control. Malicious package names mimic legitimate services (com.google.pay, com.android.google.service) to blend with valid app listings. Shared infrastructure with DoubleAgent confirmed same-actor operation across both families.

70+ C2 commands screen recording SMS collect/modify keyboard app trojan full device control

Family 2 — tracked since 2013

DoubleAgent

First disclosed: Citizen Lab 2013 | Active through 2019+

The oldest documented family in the cluster, first identified by Citizen Lab in 2013 targeting the Tibetan government in exile. Used exclusively against groups with contentious relationships with the Chinese government — Uyghurs, Tibetans, and Muslim minorities. Early samples were placed inside the Voxer walkie-talkie app, TalkBox voice messaging app, and an ISIS news app. By 2019, samples masqueraded as third-party Android app stores (islamapk[.]com, yurdax[.]com) serving Uyghur-focused applications. The malware exfiltrates 15 targeted application databases — focused on voice and messaging apps including WhatsApp, Telegram, and Skype. Early versions used FTP for exfiltration; later versions upload directly to C2 via TCP sockets without encryption.

15 app database targets voice app focus WhatsApp / Telegram app store trojan TCP direct exfil

Family 3 — tracked since 2017

CarbonSteal

Lookout tracking start: 2017 | 500+ samples documented

Discovered by Lookout while investigating HenBox, with which it shares infrastructure IOCs. CarbonSteal's defining capability is audio surveillance. The malware can record audio in multiple codecs and formats, control the device via specially crafted SMS messages — a particularly useful capability in areas with limited data coverage — and silently answer incoming calls from specific attacker-controlled phone numbers to enable live audio monitoring of the device's environment. This call-intercept feature is assessed as designed for physical surveillance in areas where data connectivity is unreliable, such as Xinjiang's rural regions. Over 500 samples documented as of the 2020 disclosure.

audio recording (multi-codec) SMS command control silent call answer live audio surveillance offline area designed

Family 4 — test samples from 2012

GoldenEagle

Test samples: 2012 | Active samples continue post-2020

The broadest targeting scope in the cluster — GoldenEagle targets Uyghurs and Muslims generally, Tibetans, individuals in Turkey, and targets within China itself. Found in the widest range of trojanized application types: e-commerce (Tawarim — Uyghur e-commerce), keyboards, VPN apps, instant messaging, social networking, adult content apps, and fake Google Search applications. Two distinct exfiltration methods: HTTP upload to C2 and SMTP — sending exfiltrated data as file attachments to an attacker-controlled email address using innocuous-looking subject lines and message bodies. GoldenEagle continued showing new samples post-2019 when other families' C2 infrastructure began shutting down.

broadest target scope HTTP exfil SMTP exfil e-commerce trojan VPN trojan Google Search trojan

Wider Mobile Arsenal

The four core families are connected via shared infrastructure to four additional Android surveillance tools operated by the same actor cluster: HenBox, PluginPhantom, Spywaller, and DarthPusher. These were publicly known before the 2020 disclosure. HenBox shares infrastructure IOCs with CarbonSteal. PluginPhantom was documented by Palo Alto Unit 42 as abusing the DroidPlugin framework. Spywaller was tracked by Lookout separately. DarthPusher was documented in connection with Xiaomi device preinstallation. The post-2020 successor BadBazaar — attributed by Lookout to GREF and confirmed by ESET via code analysis — used trojanized Signal Plus Messenger and FlyGram apps, distributed via Google Play and Samsung Galaxy Store through 2022–2023.

Target Profile and Geographic Reach

The surveillance mandate tracks Uyghurs globally rather than only within China's borders. Lookout documented app titles in at least 10 languages — Uyghur (in all four scripts: Arabic, Uyghur Cyrillic, Russian, and Chinese), English, Arabic, Indonesian, Uzbek, and Urdu/Hindi — demonstrating deliberate targeting across Uyghur diaspora communities. Countries in the documented target set include Turkey, Kazakhstan, Indonesia, Syria, Kuwait, Saudi Arabia, Pakistan, and others. At least 14 countries are affected, with 12 of those appearing on China's official "26 Sensitive Countries" list — a government-maintained list used as targeting criteria by Chinese security services.

Uyghurs (primary): The Uyghur ethnic minority is the overwhelmingly primary target. Applications impersonate services Uyghur communities specifically use — Uyghur language keyboards, the Sarkuy Uyghur music platform, Tawarim Uyghur e-commerce, Tibbiy Jawahar pharmaceutical information, and Uyghur-script news applications. The deliberate targeting of language tools is analytically significant — keyboard and alphabet apps are among the first applications Uyghur speakers install when getting a new device, providing high-confidence initial infection vectors for the target population.
Tibetans (secondary): Both DoubleAgent (first documented against the Tibetan government in exile in 2013) and GoldenEagle include Tibetan-themed applications and targets. Tibetans and Uyghurs are both identified by China as counter-terrorism targets, and both communities have long been the focus of Chinese state surveillance operations.
Muslim minorities broadly: GoldenEagle's targeting extends to Muslims generally, not exclusively Uyghurs. This broader targeting is consistent with the framing of China's "counter-terrorism" campaign, which applies surveillance to Muslim communities beyond the Uyghur population.
Diaspora communities globally: The global distribution of app titles and the presence of apps targeting community-specific services in Turkey, Kuwait, Syria, and Indonesia makes explicit that the surveillance operation follows Uyghur diaspora communities wherever they settle — not merely monitoring Chinese territory or Chinese network infrastructure.

Tactics, Techniques & Procedures

TTPs as documented in Lookout's July 2020 report and the Lookout full technical PDF, with BadBazaar successor TTPs from ESET's 2023 reporting.

mitre id	technique	description
T1476 / T1444	Trojanized Application Delivery	All four malware families are distributed as trojanized legitimate applications — the malicious payload maintains complete functionality of the app it impersonates while adding hidden surveillance capabilities. Impersonated categories include: community-specific language keyboards and alphabet apps; regional music services; e-commerce apps; VPN clients; messaging apps; news apps; fake app stores for Uyghur-focused applications; and fake Google Search apps. No samples were distributed via Google Play — distribution relies on third-party app stores, community forums frequented by the target population, compromised third-party sites, and phishing links directing targets to attacker-controlled download servers. BadBazaar (2022–2023) represented an evolution where GREF successfully placed Signal Plus Messenger on Google Play for nearly a year before removal.
T1517 / T1412	Communication Interception — Targeted App Database Exfiltration	DoubleAgent specifically targets 15 application databases for exfiltration, focused on voice and communication apps: WhatsApp, AireTalk, Telegram, and Skype among the documented targets. GoldenEagle exfiltrates contact lists, SMS messages, call logs, email content, and files from messaging applications. SilkBean's 70+ command set includes collecting and modifying SMS messages. The focus on communication interception — rather than just location tracking — reflects the intelligence value of monitoring diaspora community networks, identifying organizational leadership, and mapping political activity.
T1512 / T1429	Audio and Video Surveillance	CarbonSteal's signature capability is audio recording in multiple codecs and audio formats, with the ability to silently answer calls from attacker-controlled phone numbers to enable live ambient audio surveillance. SilkBean's command set includes screen recording. Together, these capabilities provide both scheduled audio recording and real-time live monitoring of physical environments around infected devices. CarbonSteal's SMS-based device control is specifically designed for situations with insufficient mobile data coverage — enabling surveillance in rural or restricted-connectivity environments where a data connection cannot reliably be maintained.
T1430 / T1422	Location Tracking and Device Profiling	All four families collect location data alongside device identifiers (IMEI, SIM information, device model, OS version) and account information. Location tracking in combination with contact network interception enables the construction of detailed movement histories and social network maps for targeted Uyghur individuals — exactly the intelligence required to track community leaders, journalists, and activists within diaspora communities. The combination of device-based and network-based surveillance creates intelligence profiles that can be shared with Chinese security services.
T1532 / T1533	Dual Exfiltration Methods — HTTP and SMTP	GoldenEagle demonstrates two distinct exfiltration channels: HTTP upload to C2 servers and SMTP email to attacker-controlled mailboxes, with innocuous subject lines and body content to avoid detection. DoubleAgent evolved from FTP-based exfiltration (early samples requiring victim credential authentication) to direct TCP socket upload without encryption in later versions. CarbonSteal's SMS command channel provides an additional out-of-band control path that does not require internet connectivity. This redundant exfiltration architecture ensures data collection can continue across varying connectivity environments.
T1436 / T1521	Shared Infrastructure C2 — Signing Certificate Fingerprinting	The four families are connected via shared C2 domains and servers, overlapping non-compromised signing certificates, and WHOIS registration patterns. Shared infrastructure between SilkBean and DoubleAgent was also observed communicating with CarbonSteal, HenBox, PhantomPlugin, Spywaller, and DarthPusher samples — establishing the full breadth of the mAPT operator's mobile surveillance toolkit. The use of non-compromised signing certificates (as opposed to stolen certificates) indicates active maintained certificate infrastructure by the same developer, rather than opportunistic certificate reuse.

Key Campaign Milestones

Initial DoubleAgent Deployment — Tibet and Early Uyghur Targeting 2013–2014

Citizen Lab reported in 2013 on a malware family targeting the Tibetan government in exile. Lookout later connected this sample to the DoubleAgent family, establishing 2013 as the earliest confirmed activity date for the cluster. Early DoubleAgent samples were distributed inside the Voxer walkie-talkie app and TalkBox voice messaging app — chosen to intercept voice communications within targeted communities. An ISIS news app was also used as a delivery vehicle, suggesting early attempts to reach Arab and Muslim audiences alongside the primary Uyghur and Tibetan targeting.

Strike Hard Campaign Alignment — Peak Malware Development 2015–2016

Lookout observed a dramatic spike in malware sample development and campaign activity in 2015–2016. This period directly follows China's "Strike Hard Campaign Against Violent Terrorism" (launched May 2014) and the 2015 enactment of the National Security Law and Counterterrorism Law. During this period, all four malware families were active and SilkBean reached its most comprehensive command-and-control capability. The correlation between Chinese domestic security policy escalation and mobile surveillance campaign intensification is one of the stronger circumstantial attribution indicators linking this operation to Chinese government mandates.

App Store Impersonation — islamapk[.]com and yurdax[.]com 2019

By 2019, DoubleAgent samples were masquerading as third-party Android app stores serving Uyghur-focused applications — specifically islamapk[.]com and yurdax[.]com. These fake stores positioned themselves as trusted community resources for the Uyghur diaspora seeking applications in their language, targeting the specific gap that exists when Google Play does not serve community-specific Uyghur applications. This social engineering pivot demonstrated the operator's understanding of how diaspora communities source applications outside mainstream stores.

Lookout Public Disclosure — Four Families Linked Jul 2020

Lookout published its comprehensive mAPT report on July 1, 2020, publicly connecting all four families for the first time. Lookout noted that C2 server infrastructure had begun shutting down in late 2019 and early 2020, suggesting the operators were aware of or anticipating discovery. However, GoldenEagle continued showing new samples post-disclosure, indicating the campaign was not fully abandoned. The report linked the infrastructure to GREF / APT15 via CarbonSteal's direct connection to GREF C2 infrastructure documented in 2018.

BadBazaar — Signal Plus Messenger and FlyGram 2021–2023

ESET documented the successor campaign in 2023: BadBazaar — a GREF-attributed malware family with significant code similarity to SilkBean and related families — was distributed as Signal Plus Messenger (a trojanized Signal client) and FlyGram (a trojanized Telegram client). Signal Plus Messenger was uploaded to Google Play on July 7, 2022, and installed more than 100 times before Google removed it on May 23, 2023. FlyGram was removed from Google Play sometime after January 2021. Both remained on the Samsung Galaxy Store. FlyGram was distributed via a Uyghur Telegram group — an identical community-targeting strategy to the original cluster. ESET detected BadBazaar infections in Australia, Brazil, Denmark, DRC, Germany, Hong Kong, Hungary, Lithuania, Netherlands, Poland, Portugal, Singapore, Spain, Ukraine, US, and Yemen.

Indicators of Compromise

ioc staleness note

Many C2 servers for the original four families began shutting down in late 2019 ahead of Lookout's disclosure. Static network IOCs from the 2020 report are high-staleness for the original families. Detection should prioritize behavioral indicators: anomalous permission requests from keyboard and community apps, unusual audio recording activity, SMS-triggered behavior, and communication with domains registered under patterns consistent with GREF infrastructure. The Lookout full technical PDF contains the complete IOC list including signing certificate fingerprints, which have longer utility than domain IOCs.

indicators of compromise — technical identifiers

silkbean sha-1 3da34aaf95ffcb5c5d36c2a9fc542c1b08c36d2f — "Syria News" titled SilkBean sample (Jun 2019, Uyghur-focused content)

silkbean pkg names com.google.pay; com.android.google.service — malicious packages mimicking legitimate Android service names

doubleagent c2 domains islamapk[.]com; yurdax[.]com — fake Uyghur-focused third-party app stores (2019 DoubleAgent campaign)

exfil methods GoldenEagle: HTTP and SMTP; DoubleAgent (late): TCP socket direct; CarbonSteal: audio via call intercept; SMS C2 control

badbazaar sha-1 E368DB837EDF340E47E85652D6159D6E90725B0D — BadBazaar sample (ESET 2023 report, code overlap with SilkBean/GoldenEagle)

badbazaar signal app Signal Plus Messenger — developer website signalplus[.]org; Google Play upload Jul 7 2022; removed May 23 2023

badbazaar telegram app FlyGram — trojanized Telegram client; removed Google Play post-Jan 6 2021; distributed via Uyghur Telegram groups

infrastructure link GREF 2018 C2 infrastructure directly linked to CarbonSteal samples — primary attribution linkage to APT15

full ioc reference Lookout full technical PDF (2020) — signing certificate fingerprints, C2 domains, full sample hashes for all four families

Mitigation & Defense

These mitigations are relevant both for organizations providing security support to Uyghur and Muslim diaspora communities, and for broader mobile security programs.

Install Applications Only from Official Stores — With Verification: No original SilkBean, DoubleAgent, CarbonSteal, or GoldenEagle samples were distributed through Google Play. BadBazaar demonstrated that even official stores are not immune — Signal Plus Messenger was live on Google Play for nearly a year. Verify developer identity through official channels before installing community-specific apps. For Uyghur and diaspora communities, specifically verify that keyboard, language, and community service apps come from verified developers with a documented presence in the community.
Review Application Permissions Critically: Surveillance apps request permissions inconsistent with their stated function. A keyboard application requesting microphone access, call log access, or the ability to answer phone calls should be treated with suspicion. Community-focused apps requesting access to contact lists, SMS messages, and other communication apps in addition to their core function represent an anomalous permission profile. Mobile device management (MDM) policies should flag applications with privilege escalation or unusual permission combinations for security review.
Disable Silent Call Acceptance and Unknown Number Call Handling: CarbonSteal's distinctive capability is silently answering calls from specific attacker-controlled numbers for ambient audio surveillance. Configure Android devices to not automatically accept calls from unknown numbers. Be aware that this capability allows an attacker to transform an infected device into a remote listening device without the user's awareness — the call is answered silently and no visual indication is given to the device owner.
SMS-Based Device Control Awareness: CarbonSteal can receive and execute commands via specially crafted SMS messages. This means the malware can be controlled even without a data connection. Unusual SMS messages containing non-human-readable content, or behavioral changes in a device following SMS receipt, may indicate SMS-based C2 activity. Security applications monitoring for anomalous SMS handling on Android can detect this pattern.
Support for High-Risk Communities: Uyghur, Tibetan, and diaspora Muslim communities are specifically and deliberately targeted by this surveillance cluster. Organizations providing digital security support to these communities should incorporate specific guidance on: avoiding unofficial app stores, verifying the legitimacy of community-specific applications before installation, securing communication tools against compromise, and monitoring for unexpected data exfiltration behavior on mobile devices. Citizen Lab and Access Now's Digital Security Helpline provide tailored support for high-risk communities.
Regular Security Review of Community-Serving Apps: The surveillance cluster specifically targets apps designed for community use — keyboards, music apps, news apps, messaging apps, religious content. Organizations in diaspora communities that develop or distribute apps for their communities should implement app integrity verification, sign all applications with verified certificates, and publish hashes publicly to enable community members to verify authenticity before installation.

analyst note

The SilkBean / GoldenEagle cluster is categorically different from the other nation-state actors in this hub in one important respect: its targets are not governments, military organizations, or critical infrastructure — they are an ethnic minority population, tracked globally as a direct extension of a domestic political and security policy. The surveillance mandate is not intelligence collection in the traditional espionage sense; it is population monitoring applied to a diaspora. The operational continuity across at least a decade, the geographic follow-through to wherever Uyghur communities settle (Turkey, Kazakhstan, Indonesia, Syria), and the deliberate targeting of community-specific tools (language keyboards, community music apps) reflect a systematic program rather than opportunistic espionage. The post-disclosure continuation via BadBazaar — reaching Google Play and Samsung Galaxy Store, achieving installations across 16 countries by 2023 — demonstrates that Lookout's 2020 exposure of the cluster did not end the program. GREF / APT15's combination of ethnic minority mobile surveillance and government/military desktop intrusion campaigns (UK government 2017, US Navy contractor 2018) under a single operator umbrella makes this one of the more unusually scoped Chinese APT mandates in the public record.

Sources & Further Reading

— end of profile