
Threat Group Cards: A Threat Actor Encyclopedia

Permanent link APT group: Confucius

Names: Confucius (Palo Alto)
Country: India
Motivation: Information theft and espionage
First seen: 2013
Description: (Trend Micro) Confucius’ campaigns were reportedly active as early as 2013, abusing Yahoo! and Quora forums as part of their command-and-control (C&C) communications. We stumbled upon Confucius, likely from South Asia, while delving into Patchwork’s cyberespionage operations.

Confucius’ operations include deploying bespoke backdoors and stealing files from their victim’s systems with tailored file stealers. The stolen files are then exfiltrated by abusing a cloud service provider. Some of these file stealers specifically target files from USB devices, probably to overcome air-gapped environments.

This group seems to be associated with Patchwork, Dropping Elephant.
Observed countries: Mongolia, Pakistan, Trinidad and Tobago, Ukraine and most of the South and Southeast Asian countries, most of the Middle Eastern countries and most of the African countries.
Tools used: ApacheStealer, Confucius, MY24, sctrls, remote-access-c3, sip_telephone, swissknife2, Sneepy.
Operations performed:
Oct 2017: In recent weeks, Unit 42 has discovered three documents crafted to exploit the InPage program. InPage is a word processor program that supports languages such as Urdu, Persian, Pashto, and Arabic. The three InPage exploit files are linked through their use of very similar shellcode, which suggests that either the same actor is behind these attacks, or the attackers have access to a shared builder.
<https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/>
Late 2017: Probing Confucius’ infrastructure, we came across websites offering Windows and Android chat applications, most likely iterations of its predecessor, Simple Chat Point: Secret Chat Point, and Tweety Chat. We are admittedly uncertain of the extent — and success — of their use, but it’s one of the ingredients of the group’s operations.
<https://blog.trendmicro.com/trendlabs-security-intelligence/deciphering-confucius-cyberespionage-operations/>
May 2018: During their previous campaign, we found Confucius using fake romance websites to entice victims into installing malicious Android applications. This time, the threat actor seems to have a new modus operandi, setting up two new websites and new payloads with which to compromise its targets.
<https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/>
Information:
<https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/>
<https://documents.trendmicro.com/assets/research-deciphering-confucius-cyberespionage-operations.pdf>

Last change to this card: 15 April 2020


Thailand Computer Emergency Response Team (ThaiCERT)
Electronic Transactions Development Agency


Report incidents

Telephone +66 (0)2-123-1234
E-mail report@thaicert.or.th