
Threat Actor Characterization

Confucius

ID: 286bd9ea520691c9f2018dc96db3ce3128112
Classification: Cybercrime, State-Sponsored
Threat types: Intrusion, Espionage, Malware
Attributed origin: Unknown
Updated: 2026-01-13
Created: 2025-10-22
Operation zone: UNKNOWN
Aliases: APT-Confucius, Confucius APT, Co********** (third alias masked in preview)
MITRE ATT&CK®

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets. Ref: https://attack.mitre.org/groups/G0142/


Technique   Technique name   Tactics   (evidence on the following line)
T1053.005   Scheduled Task/Job: Scheduled Task   TA0002 Execution, TA0003 Persistence, TA0004 Privilege Escalation
  • Confucius has created scheduled tasks to maintain persistence on a compromised host.
T1059.001   Command and Scripting Interpreter: PowerShell   TA0002 Execution
  • Confucius has used PowerShell to execute malicious files and payloads.
T1059.005   Command and Scripting Interpreter: Visual Basic   TA0002 Execution
  • Confucius has used VBScript to execute malicious code.
T1071.001   Application Layer Protocol: Web Protocols   TA0011 Command and Control
  • Confucius has used HTTP for C2 communications.
T1204.001   User Execution: Malicious Link   TA0002 Execution
  • Confucius has lured victims into clicking on a malicious link sent through spearphishing.
T1204.002   User Execution: Malicious File   TA0002 Execution
  • Confucius has lured victims to execute malicious attachments included in crafted spearphishing emails related to current topics.
T1218.005   System Binary Proxy Execution: Mshta   TA0005 Defense Evasion
  • Confucius has used mshta.exe to execute malicious VBScript.
T1547.001   Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder   TA0003 Persistence, TA0004 Privilege Escalation
  • Confucius has dropped malicious files into the startup folder %AppData%\Microsoft\Windows\Start Menu\Programs\Startup on a compromised host in order to maintain persistence.
T1566.001   Phishing: Spearphishing Attachment   TA0001 Initial Access
  • Confucius has crafted and sent victims malicious attachments to gain initial access.
T1566.002   Phishing: Spearphishing Link   TA0001 Initial Access
  • Confucius has sent malicious links to victims through email campaigns.
T1567.002   Exfiltration Over Web Service: Exfiltration to Cloud Storage   TA0010 Exfiltration
  • Confucius has exfiltrated victim data to cloud storage service accounts.
T1583.006   Acquire Infrastructure: Web Services   TA0042 Resource Development
  • Confucius has obtained cloud storage service accounts to host stolen data.
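The technique list above is what a hunt team would turn into detections: mshta.exe running inline VBScript, script hosts launching PowerShell with encoded or hidden-window flags, schtasks /create, a drop into the per-user Startup folder, and an interpreter talking HTTP. The Python below is an example added by the editor, not content from this profile, from MITRE or from any Confucius report. It runs those checks over constructed Sysmon-style process-create (Event ID 1), network-connect (Event ID 3) and file-create (Event ID 11) records and labels each hit with the ATT&CK technique it maps to. The sample events, paths, task name and hostname are invented and are not indicators; the assumption that the spearphishing attachments are Office documents (so a script host spawned by WINWORD.EXE is the user-execution signal for T1204.002) is the editor's, not the page's.

```python
import json
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry (JSON lines) modelled on Sysmon Event ID 1
# (process create), 3 (network connect) and 11 (file create) field names.
# Paths, the task name and the hostname are invented; none are real indicators.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "mshta.exe vbscript:Close(Execute(\"CreateObject(\"\"Wscript.Shell\"\").Run \"\"cmd /c whoami\"\"\"))"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\System32\\mshta.exe", "CommandLine": "powershell.exe -NoP -W Hidden -EncodedCommand SQBFAFgA"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wscript.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "wscript.exe C:\\Users\\analyst\\AppData\\Local\\Temp\\report.vbs"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\analyst\\AppData\\Roaming\\svc.exe"}
{"EventID": 11, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.lnk"}
{"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "DestinationHostname": "updates.example.invalid", "DestinationPort": 80, "Protocol": "tcp"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "schtasks /query /tn Updater"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "powershell.exe Get-ChildItem C:\\Temp"}
"""

# Assumption (not stated on the page): the spearphishing attachments are Office documents.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
STARTUP_FOLDER = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.I)

# Process-create rules: (technique, name, image basenames, command-line pattern).
PROC_RULES = [
    ("T1218.005", "System Binary Proxy Execution: Mshta", {"mshta.exe"},
     r"vbscript:|javascript:|\.hta\b|https?://"),
    # encoded payload, hidden window, or download-and-execute in memory
    ("T1059.001", "Command and Scripting Interpreter: PowerShell", {"powershell.exe", "pwsh.exe"},
     r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s|(?:^|\s)-w(?:indowstyle)?\s+hidden\b"
     r"|downloadstring|invoke-expression|\biex\b"),
    ("T1059.005", "Command and Scripting Interpreter: Visual Basic", {"wscript.exe", "cscript.exe"},
     r"\.vb[se]\b"),
    ("T1053.005", "Scheduled Task/Job: Scheduled Task", {"schtasks.exe"}, r"\s/create\b"),
]


def basename(path: object) -> str:
    return str(path).rsplit("\\", 1)[-1].lower()


def parse_events(jsonl: str) -> List[Dict[str, object]]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def match_event(ev: Dict[str, object]) -> List[Tuple[str, str, str]]:
    """Return (technique, name, detail) for every rule one event satisfies."""
    hits: List[Tuple[str, str, str]] = []
    eid = ev.get("EventID")
    image, parent = basename(ev.get("Image", "")), basename(ev.get("ParentImage", ""))
    cl = str(ev.get("CommandLine", ""))
    if eid == 1:
        for tid, name, images, pattern in PROC_RULES:
            if image in images and re.search(pattern, cl, re.I):
                hits.append((tid, name, f"{image}: {cl[:60]}"))
        if parent in OFFICE_APPS and image in SCRIPT_HOSTS:
            hits.append(("T1204.002", "User Execution: Malicious File", f"{image} spawned by {parent}"))
    elif eid == 11 and STARTUP_FOLDER.search(str(ev.get("TargetFilename", ""))):
        hits.append(("T1547.001", "Boot or Logon Autostart Execution: Startup Folder",
                     "file dropped into the per-user Startup folder"))
    elif eid == 3 and image in SCRIPT_HOSTS and ev.get("DestinationPort") in (80, 8080):
        hits.append(("T1071.001", "Application Layer Protocol: Web Protocols",
                     f"{image} opened an HTTP connection"))
    return hits


def hunt(events: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """One finding per (event, technique) hit, keyed by the event's position."""
    return [{"event": idx, "technique": tid, "name": name, "detail": detail}
            for idx, ev in enumerate(events) for tid, name, detail in match_event(ev)]


def technique_ids(findings: List[Dict[str, object]]) -> List[str]:
    return sorted({str(f["technique"]) for f in findings})


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"event {f['event']}  {f['technique']}  {f['detail']}")
```

On the constructed data the benign events (schtasks /query, an interactive PowerShell directory listing) produce no findings, while the first event fires twice: once for mshta.exe running inline VBScript and once for the Office-parent heuristic. Treat the patterns as a starting point, not a signature set: real telemetry needs tuning for the organization's own use of scheduled tasks and encoded PowerShell.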
Social Media & Communication

No social links registered for this profile.
Reference Images / Associated Evidence

No images found for this threat.