Confucius

Threat Actor updated a month ago (2024-11-29T13:51:43.295Z)
Download STIX
Preview STIX
Confucius is a threat actor primarily known for conducting cyberespionage campaigns against Pakistan since 2013. This group has been linked to various malicious activities, including the use of novel Android spyware Hornbill and SunBird to scrape call logs and WhatsApp messages of government authorities in Pakistan and Kashmir. The group's activities have been associated with the India-Pakistan conflict, and some reports suggest an alignment with Indian interests. Notably, Confucius was also implicated in targeting UK legislators pushing for stricter legislation against China. In 2022, BBC Monitoring and CASM Technology conducted an analysis of 691 international social media accounts used by China’s ambassadors, consular officials, the Ministry of Foreign Affairs (MFA), and Confucius Institutes. They found variations in the content pushed toward different regions. The Confucius Institutes, established as an arm of China's propaganda machine, aim to spread Mandarin Chinese language worldwide. By 2022, Georgia already hosted three such institutes, with the first one established at the Free University of Tbilisi in 2010. During investigations into attacks in 2023, a new threat actor named Mysterious Elephant was discovered. This group uses a set of malware families previously associated with other known threat actors, such as SideWinder and Confucius. According to cybersecurity firm Kaspersky and Knownsec 404 Team, Mysterious Elephant shares tooling and targeting overlaps with other actors like SideWinder, Patchwork, Bitter, and Confucius, most of which are assessed to be aligned with India. However, Mysterious Elephant exhibits a unique set of tactics, techniques, and procedures (TTPs), setting them apart from these other groups.
Description last updated: 2024-08-13T15:18:35.815Z
What's your take? (Question 1 of 5)
Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.
Alias DescriptionVotes
Sidewinder is a possible alias for Confucius. Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u
3
Rover is a possible alias for Confucius. Rover is a malicious software (malware) that has the potential to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Rover can steal personal information, disrupt operations, or even
3
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
China
Kaspersky
Spyware
Analyst Notes & Discussion
Be the first to leave your mark here! Log in to share your views and vote.
Associated Malware
To see the evidence that has resulted in these malware associations, create a free account
Alias DescriptionAssociation TypeVotes
The Rover Backdoor Malware is associated with Confucius. The Rover Backdoor is a type of malware, a harmful software designed to exploit and damage computer systems. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operationUnspecified
3
Source Document References
Information about the Confucius Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more
PreviewSource LinkCreatedAtTitle
Securelist
4 months ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
InfoSecurity-magazine
a year ago
CERT-EU
a year ago
Securelist
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
a year ago
CERT-EU
2 years ago
CERT-EU
2 years ago
CERT-EU
2 years ago
MITRE
2 years ago
Recorded Future
2 years ago
Fortinet
2 years ago