Confucius

Threat Actor updated 3 months ago (2024-08-13T16:17:54.941Z)

Download STIX

Preview STIX

Confucius is a threat actor primarily known for conducting cyberespionage campaigns against Pakistan since 2013. This group has been linked to various malicious activities, including the use of novel Android spyware Hornbill and SunBird to scrape call logs and WhatsApp messages of government authorities in Pakistan and Kashmir. The group's activities have been associated with the India-Pakistan conflict, and some reports suggest an alignment with Indian interests. Notably, Confucius was also implicated in targeting UK legislators pushing for stricter legislation against China. In 2022, BBC Monitoring and CASM Technology conducted an analysis of 691 international social media accounts used by China’s ambassadors, consular officials, the Ministry of Foreign Affairs (MFA), and Confucius Institutes. They found variations in the content pushed toward different regions. The Confucius Institutes, established as an arm of China's propaganda machine, aim to spread Mandarin Chinese language worldwide. By 2022, Georgia already hosted three such institutes, with the first one established at the Free University of Tbilisi in 2010. During investigations into attacks in 2023, a new threat actor named Mysterious Elephant was discovered. This group uses a set of malware families previously associated with other known threat actors, such as SideWinder and Confucius. According to cybersecurity firm Kaspersky and Knownsec 404 Team, Mysterious Elephant shares tooling and targeting overlaps with other actors like SideWinder, Patchwork, Bitter, and Confucius, most of which are assessed to be aligned with India. However, Mysterious Elephant exhibits a unique set of tactics, techniques, and procedures (TTPs), setting them apart from these other groups.

Description last updated: 2024-08-13T15:18:35.815Z

What's your take? (Question 1 of 5)

Help tune the shared Cybergeist dataset, assist your peers, and earn karma. Expand the panel to get started.

Possible Aliases / Cluster overlaps

It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at. Create a free account to see the source evidence for each alias, and help fix any errors.

Alias Description	Votes
Sidewinder is a possible alias for Confucius. Sidewinder, a threat actor with a history of malicious activities dating back to 2012, has been linked to a series of sophisticated cyber threats targeting maritime facilities in multiple countries and government officials in Nepal. The group, believed to have South Asian origins, is known for its u	3
Rover is a possible alias for Confucius. Rover is a malicious software (malware) that has the potential to exploit and damage computer systems or devices. It can infiltrate systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, Rover can steal personal information, disrupt operations, or even	3

Miscellaneous Associations

Other elements of context that could aid in the identification of relevance

Backdoor

China

Kaspersky

Spyware

Analyst Notes & Discussion

Be the first to leave your mark here! Log in to share your views and vote.

Associated Malware

To see the evidence that has resulted in these malware associations, create a free account

Alias Description	Association Type	Votes
The Rover Backdoor Malware is associated with Confucius. The Rover Backdoor is a type of malware, a harmful software designed to exploit and damage computer systems. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operation	Unspecified	3

Source Document References

Information about the Confucius Threat Actor was read from the documents corpus below. This display is limited to 20 results, create a free account to see more

Source Link	CreatedAt	Title
Securelist	3 months ago	Kaspersky report on APT trends in Q2 2024
CERT-EU	a year ago	DoNot Team's New Firebird Backdoor Hits Pakistan and Afghanistan
CERT-EU	a year ago	Connect the Dots on State-Sponsored Cyber Incidents - Targeting of government authorities in Pakistan and Kashmir
CERT-EU	a year ago	China Continues To Deepen Its Political Influence In Georgia – Analysis
CERT-EU	a year ago	British parliamentary researcher arrested on suspicion of spying for China
CERT-EU	a year ago	Kaspersky releases latest report on APT trends for 2023
CERT-EU	a year ago	Vital Role Of Think Tanks In Implementing China-ASEAN Comprehensive Strategic Partnership – Analysis
InfoSecurity-magazine	a year ago	APT “Mysterious Elephant” Emerges in Q2 2023, Kaspersky Reports
CERT-EU	a year ago	APT trends report Q2 2023 – GIXtools
Securelist	a year ago	APT trends report Q2 2023
CERT-EU	a year ago	The ‘Useful Idiots’ In Western Academia Are Really ‘Conscious Conspirators’ Serving China – OpEd
CERT-EU	a year ago	Technological independence key focus in Germany's China strategy
CERT-EU	a year ago	The Old Vine Registry, WordPress, Brave Browser, More: Saturday ResearchBuzz, July 1, 2023
CERT-EU	a year ago	Chinese internet companies, scholars gather at birthplace of Confucius to discuss how to build safe and reliable AI
CERT-EU	2 years ago	Links 01/05/2023: Mayday Mayday
CERT-EU	a year ago	Ingérences étrangères en France : la Chine se « russianise », selon un rapport parlementaire
CERT-EU	a year ago	China's interference is 'increasingly aggressive', French parliamentary report finds
MITRE	2 years ago	Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military
Recorded Future	2 years ago	1 Key for 1 Lock: The Chinese Communist Party’s Strategy for Targeted Propaganda
Fortinet	2 years ago	Are Internet Macros Dead or Alive? \| FortiGuard labs