Confucius APT: Persistent Espionage in South Asia
- Suspected Origin
- India
- Motivation
- Espionage, Information Theft
- Aliases
- Confucius APT
- Target Sectors
- Government, Military, Defense, Critical Infrastructure, Business, High-Profile Individuals, Nuclear, Election Officials
- Associated Malware
- Hornbill, SunBird, ChatSpy, WooperStealer, AnonDoor, MessPrint, sctrls, remote-access-c3, sip_telephone, swissknife2, Sneepy, MY24, ApacheStealer, MadBoy, DeliveryBoy
Overview
Confucius, tracked as MITRE ATT&CK Group G0142, is a highly active and persistent cyber espionage group that has operated since at least 2013. The group is widely believed to be funded by India and linked to state-sponsored operations in the South Asian region, with a primary focus on intelligence gathering. Confucius principally targets military personnel, high-profile personalities, business persons, and government organizations, particularly within Pakistan and other South Asian nations. While security researchers have noted code and target similarities between Confucius and the Patchwork APT group, they are generally considered distinct entities, with Confucius often characterized by a more nuanced approach heavily relying on social engineering tactics. The group has consistently demonstrated a strong adaptability, regularly evolving its tactics, techniques, and procedures (TTPs), as well as its malware arsenal, to maintain operational effectiveness and evade detection.
Tactics & Techniques
Confucius employs a diverse array of tactics and techniques to achieve its cyber espionage objectives. Initial access frequently begins with sophisticated spear-phishing campaigns, where targets receive emails containing malicious attachments or links. These attachments often leverage weaponized Microsoft Office documents or malicious LNK files, sometimes exploiting known vulnerabilities such as CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802. The group has been observed using bait documents related to current events or impersonating government agencies to entice victims into opening malicious files. Beyond traditional desktop targeting, Confucius also deploys Android-based spyware, often disguised as legitimate applications related to security services, local news, or religious themes, distributed via third-party app stores or malicious links. In some campaigns, they have even resorted to romance scams through fake chat applications to lure victims into installing their mobile malware.
Upon successful initial access, Confucius employs various execution techniques, including PowerShell, VBScript, and mshta.exe, to run malicious files and payloads. Recent campaigns have shown a shift towards chaining OLE objects, malicious scripts, LNK files, PowerShell loaders, and MSIL downloaders to deliver heavily obfuscated payloads. Persistence is typically achieved by dropping malicious files into startup folders or creating scheduled tasks on compromised hosts.
For data collection, Confucius utilizes specialized file stealers that examine system drives, including non-C drives, and USB devices, to exfiltrate documents and images with a wide range of extensions (e.g., .txt, .pdf, .jpg, .doc, .xls, .ppt). Their Android spyware is particularly intrusive, capable of collecting SMS messages, contacts, call logs, WhatsApp content, geolocation data, and even capturing screenshots, photos, and recording audio. Command and Control (C2) communications primarily occur over HTTP, with exfiltrated data often uploaded to cloud storage service accounts. More recent C2 infrastructure shows dynamic and parameterized requests with base64-encoded, custom-formatted strings for delivering modules and instructions, making detection and attribution more challenging.
Notable Campaigns
Confucius has been linked to numerous cyber espionage campaigns throughout its operational history. In 2018, a Pakistani government advisory warned of a desktop malware campaign attributed to Confucius, which used phishing emails impersonating government agencies to deliver malicious Microsoft Word exploits. The group also extensively utilized romance-themed chat applications, such as “Simple Chat Point,” “Secret Chat Point,” and “Tweety Chat,” in late 2017 and early 2018 to distribute Android surveillanceware.
In late 2022, Confucius reportedly targeted armed forces in Multan, Pakistan, using a phishing document named “IBO_Lodhran.doc” disguised as an “intelligence-based operation” report, to deliver a variant of their MessPrint Trojan. Activity in late 2024 and early to mid-2025 further demonstrates their ongoing operations and evolving tradecraft. In December 2024, the group employed a .ppsx infection chain in phishing emails targeting users in Pakistan. By March 2025, they shifted to using malicious .lnk files in campaigns, such as “Invoice_Jan25.pdf.lnk,” which ultimately delivered the WooperStealer. A significant development observed in August 2025 involved the deployment of a new Python-based backdoor, AnonDoor, also delivered via malicious .lnk files like “NLC.pdf.lnk.” The group was also associated with espionage activities under the names “Operation Tipu” and “Operation Angi” between 2020 and 2021.
Associated Malware & Tools
Confucius maintains a diverse and evolving set of custom and publicly available malware and tools:
- Windows Malware: The group has widely used various custom backdoors and stealers. Notable examples include WooperStealer, a credential theft tool; AnonDoor, a sophisticated modular Python-based backdoor framework capable of loading additional C# modules on-demand; MessPrint, a Trojan program that saw new variants in 2022 campaigns; and earlier custom backdoors such as sctrls, ByeBye Shell, remote-access-c3, and sip_telephone. File stealers like swissknife2 are designed to target specific files and can exfiltrate data from USB devices, potentially to compromise air-gapped environments. Other tools mentioned include Sneepy, MY24, and ApacheStealer.
- Android Spyware: For mobile targeting, Confucius has developed and utilized ChatSpy, SunBird, and Hornbill. These tools possess extensive surveillance capabilities, including scraping messaging app content, recording audio, taking screenshots, and logging calls and SMS.
- Loaders and Droppers: The group uses components like MadBoy as a loader for final payloads and DeliveryBoy as a dropper to release and persist second-stage loaders. They also incorporate generic MSIL downloaders into their infection chains.
Current Status
Confucius remains an highly active and continually evolving threat actor. Reports from 2025 highlight their ongoing campaigns and significant adaptations in their toolset and operational tradecraft. The group is actively refining its TTPs, moving towards more modular and obfuscated malware frameworks like AnonDoor to improve stealth and evade detection. Recent analysis indicates that Confucius developers are still engaged in component development, incorporating advanced anti-analysis techniques to complicate reverse engineering efforts. While some intelligence suggests the group may operate with an “outsourced” model, utilizing local contractors or individuals to initiate attacks, their objectives consistently align with state-sponsored intelligence gathering, particularly against Pakistan. Their persistent activity and continuous evolution underscore Confucius APT as a formidable and enduring cyber espionage threat in South Asia.
Worried this actor targets your sector?
Let's map your exposure before they find it themselves.
Book an advisory call