Confucius

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.[1][2][3]

ID: G0142
Associated Groups: Confucius APT
Version: 1.1
Created: 26 December 2021
Last Modified: 16 April 2025

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Confucius has dropped malicious files into the startup folder %AppData%\Microsoft\Windows\Start Menu\Programs\Startup on a compromised host in order to maintain persistence.[3]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Confucius has used PowerShell to execute malicious files and payloads.[2]

.005 Command and Scripting Interpreter: Visual Basic

Confucius has used VBScript to execute malicious code.[1]

Enterprise T1203 Exploitation for Client Execution

Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802.[3][1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Confucius has used HTTP for C2 communications.[3]

Enterprise T1083 File and Directory Discovery

Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.[2]

Enterprise T1221 Template Injection

Confucius has used a weaponized Microsoft Word document with an embedded RTF exploit.[3]

Enterprise T1204 .001 User Execution: Malicious Link

Confucius has lured victims into clicking on a malicious link sent through spearphishing.[2]

.002 User Execution: Malicious File

Confucius has lured victims to execute malicious attachments included in crafted spearphishing emails related to current topics.[3]

Enterprise T1218 .005 System Binary Proxy Execution: Mshta

Confucius has used mshta.exe to execute malicious VBScript.[1]

Enterprise T1082 System Information Discovery

Confucius has used a file stealer that can examine system drives, including those other than the C drive.[2]

Enterprise T1119 Automated Collection

Confucius has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg.[2]

Enterprise T1583 .006 Acquire Infrastructure: Web Services

Confucius has obtained cloud storage service accounts to host stolen data.[1]

Enterprise T1105 Ingress Tool Transfer

Confucius has downloaded additional files and payloads onto a compromised host following initial access.[3][2]

Enterprise T1041 Exfiltration Over C2 Channel

Confucius has exfiltrated stolen files to its C2 server.[2]

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Confucius has exfiltrated victim data to cloud storage service accounts.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Confucius has crafted and sent victims malicious attachments to gain initial access.[3]

.002 Phishing: Spearphishing Link

Confucius has sent malicious links to victims through email campaigns.[2]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Confucius has created scheduled tasks to maintain persistence on a compromised host.[2]
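The Windows persistence and execution entries above (Startup folder writes, mshta.exe running VBScript, scheduled task creation, and script hosts spawned from Office) map directly onto host telemetry a defender already collects. The following is an added example, not code from the ATT&CK page or from any Confucius tooling: a small classifier run over constructed process-creation and file-creation records. The record shape (event_id, image, parent_image, command_line, target_filename) is an assumption modelled loosely on Sysmon event fields, and the heuristics (encoded PowerShell, Office parent processes) are this example's own, not behaviours the page attributes to the group.

```python
"""Map constructed Windows endpoint events onto the ATT&CK techniques listed above.

Assumed record layout (not the page's): event_id 1 = process create,
event_id 11 = file create, following Sysmon numbering.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Path fragment of the per-user Startup folder named on the page (T1547.001).
STARTUP_FOLDER = r"\microsoft\windows\start menu\programs\startup"

# Heuristic allow-lists chosen for this example (assumptions, not from the page).
OFFICE_APPS = ("winword.exe", "excel.exe", "powerpnt.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "cmd.exe")
ENCODED_PS = re.compile(r"\s-e(ncodedcommand|nc|en|ec|c)?\s")


@dataclass
class Event:
    event_id: int
    image: str = ""            # full path of the created process / writing process
    parent_image: str = ""     # parent process path (process-create events)
    command_line: str = ""     # command line (process-create events)
    target_filename: str = ""  # file written (file-create events)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: Event) -> list[str]:
    """Return the technique labels an event matches; empty when benign."""
    hits: list[str] = []
    if ev.event_id == 11 and STARTUP_FOLDER in ev.target_filename.lower():
        hits.append("T1547.001 file written to Startup folder")
    if ev.event_id == 1:
        img = _basename(ev.image)
        cmd = ev.command_line.lower()
        if img == "mshta.exe" and any(t in cmd for t in (".vbs", "vbscript:", ".hta")):
            hits.append("T1218.005 mshta executing script content")
        if img == "schtasks.exe" and "/create" in cmd:
            hits.append("T1053.005 scheduled task created")
        if _basename(ev.parent_image) in OFFICE_APPS and img in SCRIPT_HOSTS:
            hits.append("T1203 Office process spawned a script host")
        if img in ("powershell.exe", "pwsh.exe") and ENCODED_PS.search(f" {cmd} "):
            hits.append("T1059.001 PowerShell with encoded command")
    return hits


def scan(events: list[Event]) -> list[tuple[int, str]]:
    """Run classify() over a batch and return (event index, label) pairs."""
    return [(i, label) for i, ev in enumerate(events) for label in classify(ev)]


# Constructed sample telemetry (invented paths and names; not real indicators).
SAMPLE_EVENTS = [
    Event(11, image=r"C:\Windows\System32\mshta.exe",
          target_filename=r"C:\Users\alice\AppData\Roaming\Microsoft\Windows"
                          r"\Start Menu\Programs\Startup\update.vbs"),
    Event(1, image=r"C:\Windows\System32\mshta.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
          command_line=r"mshta.exe C:\Users\alice\AppData\Roaming\update.vbs"),
    Event(1, image=r"C:\Windows\System32\schtasks.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line='schtasks /create /sc minute /mo 30 /tn "Updater" '
                       r'/tr C:\Users\alice\AppData\Roaming\update.vbs'),
    Event(1, image=r"C:\Windows\System32\notepad.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line="notepad.exe notes.txt"),
]

if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

The Startup-folder rule keys on the exact path the page names, so it fires on any writer, not only on mshta.exe; the Office-parent rule is the broader control, since the CVE-driven document exploits listed under T1203 must hand off to some interpreter to run a payload. Tune the allow-lists to the environment before using this shape in production.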

Software

ID Name References Techniques
S1077 Hornbill [4] Abuse Elevation Control Mechanism: Device Administrator Permissions, Access Notifications, Application Layer Protocol: Web Protocols, Audio Capture, Data from Local System, Exfiltration Over C2 Channel, File and Directory Discovery, Hide Artifacts: User Evasion, Indicator Removal on Host: File Deletion, Location Tracking, Masquerading: Match Legitimate Name or Location, Protected User Data: Contact List, Protected User Data: Call Log, Screen Capture, Software Discovery, Stored Application Data, System Information Discovery, System Network Configuration Discovery, System Network Configuration Discovery: Internet Connection Discovery, System Network Configuration Discovery: Wi-Fi Discovery, Video Capture
S1082 Sunbird [4] Abuse Elevation Control Mechanism: Device Administrator Permissions, Archive Collected Data, Audio Capture, Command and Scripting Interpreter: Unix Shell, Data from Local System, Exfiltration Over C2 Channel, Ingress Tool Transfer, Location Tracking, Protected User Data: Call Log, Protected User Data: Contact List, Protected User Data: Calendar Entries, Screen Capture, Software Discovery, Stored Application Data, System Information Discovery, System Network Configuration Discovery, Video Capture
S0670 WarzoneRAT [5][3] Rootkit, Event Triggered Execution: Component Object Model Hijacking, Credentials from Password Stores: Credentials from Web Browsers, Data from Local System, Proxy, Modify Registry, Encrypted Channel: Symmetric Cryptography, Deobfuscate/Decode Files or Information, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Impair Defenses: Disable or Modify Tools, File and Directory Discovery, Native API, Template Injection, Abuse Elevation Control Mechanism: Bypass User Account Control, User Execution: Malicious File, System Information Discovery, Video Capture, Ingress Tool Transfer, Input Capture: Keylogging, Process Discovery, Process Injection, Remote Services: Remote Desktop Protocol, Remote Services: VNC, Exfiltration Over C2 Channel, Phishing: Spearphishing Attachment, Masquerading, Hide Artifacts: Hidden Window, Non-Application Layer Protocol

References