Confucius

Threat Actor updated 25 days ago (2024-08-13T16:17:54.941Z)
Confucius is a threat actor primarily known for conducting cyberespionage campaigns against Pakistan since 2013. The group has been linked to a range of malicious activity, including use of the novel Android spyware families Hornbill and SunBird to scrape call logs and WhatsApp messages from government authorities in Pakistan and Kashmir. Its activity tracks the India-Pakistan conflict, and some reports suggest an alignment with Indian interests. Confucius has also been implicated in targeting UK legislators pushing for stricter legislation against China.

The name collides with the Confucius Institutes, which are not the threat actor. The Institutes were established as an arm of China's propaganda machine and aim to spread the Mandarin Chinese language worldwide. In 2022, BBC Monitoring and CASM Technology analysed 691 international social media accounts used by China's ambassadors, consular officials, the Ministry of Foreign Affairs (MFA) and Confucius Institutes, and found variations in the content pushed toward different regions. By 2022, Georgia already hosted three such institutes, the first established at the Free University of Tbilisi in 2010.

During investigations into attacks in 2023, a new threat actor named Mysterious Elephant was identified. It uses a set of malware families previously associated with other known threat actors, such as SideWinder and Confucius. According to the cybersecurity firm Kaspersky and the Knownsec 404 Team, Mysterious Elephant shares tooling and targeting overlaps with SideWinder, Patchwork, Bitter and Confucius, most of which are assessed to be aligned with India; however, its own set of tactics, techniques and procedures (TTPs) sets it apart from those groups.
Description last updated: 2024-08-13T15:18:35.815Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following overlapping names and profiles may also be worth reviewing.
Sidewinder (3 votes)
Sidewinder is a threat actor group that has been active since at least 2012, with possible origins in South Asia. The group has a history of malicious activities and has been linked to a variety of cyber threats, including the use of the Nim backdoor payload. Sidewinder has targeted entities in mult

Rover (3 votes)
Rover is a malicious software, also known as malware, that is designed to exploit and damage computer systems or devices. The term "rover" in this context seems unrelated to the various uses of the term in the information provided, such as the Mars Rover program, the Range Rover vehicle, or the Jagu
Miscellaneous Associations
Other elements of context that could help in assessing relevance:
Backdoor
China
Kaspersky
Spyware
Analyst Notes & Discussion
Associated Malware
Rover Backdoor (type: Unspecified, 3 votes)
The Rover Backdoor is a type of malware, a harmful software designed to exploit and damage computer systems. This malicious software infiltrates systems through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can steal personal information, disrupt operation
Source Document References
Information about the Confucius threat actor was read from the document corpus below. This display is limited to 20 results.

Securelist, 25 days ago: Kaspersky report on APT trends in Q2 2024
CERT-EU, 10 months ago: DoNot Team's New Firebird Backdoor Hits Pakistan and Afghanistan
CERT-EU, a year ago: Connect the Dots on State-Sponsored Cyber Incidents - Targeting of government authorities in Pakistan and Kashmir
CERT-EU, a year ago: China Continues To Deepen Its Political Influence In Georgia – Analysis
CERT-EU, a year ago: British parliamentary researcher arrested on suspicion of spying for China
CERT-EU, a year ago: Kaspersky releases latest report on APT trends for 2023
CERT-EU, a year ago: Vital Role Of Think Tanks In Implementing China-ASEAN Comprehensive Strategic Partnership – Analysis
InfoSecurity-magazine, a year ago: APT "Mysterious Elephant" Emerges in Q2 2023, Kaspersky Reports
CERT-EU, a year ago: APT trends report Q2 2023 – GIXtools
Securelist, a year ago: APT trends report Q2 2023
CERT-EU, a year ago: The 'Useful Idiots' In Western Academia Are Really 'Conscious Conspirators' Serving China – OpEd
CERT-EU, a year ago: Technological independence key focus in Germany's China strategy
CERT-EU, a year ago: The Old Vine Registry, WordPress, Brave Browser, More: Saturday ResearchBuzz, July 1, 2023
CERT-EU, a year ago: Chinese internet companies, scholars gather at birthplace of Confucius to discuss how to build safe and reliable AI
CERT-EU, a year ago: Links 01/05/2023: Mayday Mayday
CERT-EU, a year ago: Foreign interference in France: China is "Russianizing", according to a parliamentary report
CERT-EU, a year ago: China's interference is 'increasingly aggressive', French parliamentary report finds
MITRE, 2 years ago: Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military
Recorded Future, 2 years ago: 1 Key for 1 Lock: The Chinese Communist Party's Strategy for Targeted Propaganda
Fortinet, a year ago: Are Internet Macros Dead or Alive? | FortiGuard labs