WeChat Exposed: Chinese IT Firm Linked to Cyber Espionage Against Minorities

WeChat as a Trap: Quiet Chinese IT Firm Revealed as a Digital Spy Hub

On January 29, the international group Intelligence Online, which monitors the activities of intelligence agencies worldwide, uncovered a connection between a Chinese company based in Chengdu and a series of cyberattacks targeting Uyghurs and Tibetans. The firm turned out to be a contractor for China’s Ministry of Public Security.

At first glance, Sichuan Dianke Network Security Technology (UPSEC) and its subsidiary Chengdu Anmo Technology appear to be ordinary tech companies: 150 engineers, 90% of whom are engaged in research and development. The company presents itself as a modest service provider for the police and a partner to academic institutions.

However, behind this façade lies a developer of powerful hacking tools. Founded in 2018, UPSEC is closely linked to the hacker group Earth Minotaur, both technically and through shared personnel. This group was previously identified by cybersecurity experts at Trend Micro.

Earth Minotaur and the MOONSHINE Toolkit

In December 2024, Trend Micro released a detailed report on how Earth Minotaur uses the MOONSHINE toolkit to hack computers. With this toolkit, hackers deploy a backdoor called DarkNimbus. The program targets users of the WeChat messenger on Android and Windows devices, focusing primarily on ethnic minorities.

DarkNimbus deeply infiltrates infected devices, collecting personal data. It copies contact lists, call logs, SMS messages, clipboard contents, browser bookmarks, and conversations from various messengers. Additionally, it can record phone calls, take photos, capture screenshots, and execute any command on the device.

Trend Micro researchers were able to find victims’ IP addresses in unsecured server logs used by the hacker group. Most of the targeted devices were located in China, but traces also led to North America and Europe, especially France. To infect devices outside China, hackers used phishing links that led to pages featuring Tibetan and Uyghur music videos.

Technical Evidence Linking UPSEC to DarkNimbus

Intelligence Online managed to link DarkNimbus to UPSEC through several technical clues. By analyzing the IP addresses used by the malware, analysts traced them to the domain “aninfosec[.]cn,” which is owned by Chengdu Anmo Technology. Experts also discovered that DarkNimbus communicates with the domain “git[.]upsec[.]net,” which belongs to UPSEC and leads to its official website.

UPSEC does not hide its connections with the Ministry of Public Security and hundreds of its divisions across China. The company is involved in both data protection and offensive operations, operating under a business-education integration model. This means organizations gain access to academic research and talented students, while universities benefit from real-world projects and technologies. UPSEC has established such a partnership with the Public Security Technology Research Center at the University of Electronic Science and Technology of China, resulting in the creation of two research labs: Kongming and Yufeng Security Labs.

Chengdu: A Hub for Cyber Operations

UPSEC is located in Chengdu’s high-tech zone, near Sichuan Silence Information Technology Co., which was sanctioned last month by the U.S. Office of Foreign Assets Control (OFAC). Also nearby is Chengdu 404 Network Technology, which the U.S. Department of Justice has linked to the APT41 group (also known as Barium, Winnti, Wicked Panda, and Double Dragon).

Chengdu is also home to i-Soon, a company specializing in cyberattacks that suffered a data leak early last year. When Intelligence Online journalists sought comments on their investigation, UPSEC ignored all requests.

Conclusion: Tight Integration of State, Academia, and Private Sector

The investigation highlights how closely intertwined private tech companies, academic institutions, and government agencies are in China, working together to develop and deploy tools for surveillance and control in cyberspace.
