Confucius
Also known as: Confucius APT
Overview
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile individuals, business people, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their custom malware code and their choice of targets.
Capabilities
- Exploitation of public-facing / client applications — ATT&CK T1203
TTPs — 19 techniques across 9 tactics
Resource Development
- T1583.006 Web Services
Initial Access
- T1566.001 Spearphishing Attachment
- T1566.002 Spearphishing Link
Execution
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.005 Visual Basic
- T1203 Exploitation for Client Execution
- T1204.001 Malicious Link
- T1204.002 Malicious File
Persistence
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1218.005 Mshta
- T1221 Template Injection
Discovery
- T1083 File and Directory Discovery
- T1680 Local Storage Discovery
Collection
- T1119 Automated Collection
Command and Control
- T1071.001 Web Protocols
- T1105 Ingress Tool Transfer
Exfiltration
- T1041 Exfiltration Over C2 Channel
- T1567.002 Exfiltration to Cloud Storage
Tools & malware (1)
- WarzoneRAT
Reporting (3)
- Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military — Lunghi, D
- Confucius APT deploys Warzone RAT — Uptycs Threat Research Team
- Deciphering Confucius: A Look at the Group's Cyberespionage Operations — Lunghi, D and Horejsi, J