{ "id": "7c4bab2e-b815-457c-8254-a541e74bd743", "created_at": "2026-04-06T00:11:40.424873Z", "updated_at": "2026-04-10T13:11:37.623384Z", "deleted_at": null, "sha1_hash": "120dc1b936896ca78299aa0cc5e02b2ecd8d38d7", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 47920, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:54:58 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool sip_telephone\r\n Tool: sip_telephone\r\nNames sip_telephone\r\nCategory Malware\r\nType Reconnaissance\r\nDescription\r\n(Trend Micro) sip_telephone, also named in the PDB path as such, uses Windows\r\nManagement Instrumentation (WMI) to get the AV installed in the machine, its computer\r\nname, and processor ID, among others. It performs tasks in an endless loop, with 100 seconds\r\nof sleep time.\r\nInformation\r\n\u003chttps://documents.trendmicro.com/assets/research-deciphering-confucius-cyberespionage-operations.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nDownload this tool card in JSON format\r\nAll groups using tool sip_telephone\r\nChanged Name Country Observed\r\nAPT groups\r\n  Confucius 2013-Aug 2021  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2024b85f-ceda-41af-b11a-85d77d136e85\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2024b85f-ceda-41af-b11a-85d77d136e85\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=2024b85f-ceda-41af-b11a-85d77d136e85" ], "report_names": [ "listgroups.cgi?u=2024b85f-ceda-41af-b11a-85d77d136e85" ], "threat_actors": [ { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8", "created_at": "2022-10-25T16:07:23.482856Z", "updated_at": "2026-04-10T02:00:04.627414Z", "deleted_at": null, "main_name": "Confucius", "aliases": [ "G0142" ], "source_name": "ETDA:Confucius", "tools": [ "ApacheStealer", "ByeByeShell", "ChatSpy", "Confucius", "MY24", "Sneepy", "remote-access-c3", "sctrls", "sip_telephone", "swissknife2" ], "source_id": "ETDA", "reports": null }, { "id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c", "created_at": "2022-10-25T15:50:23.472432Z", "updated_at": "2026-04-10T02:00:05.352882Z", "deleted_at": null, "main_name": "Confucius", "aliases": [ "Confucius", "Confucius APT" ], "source_name": "MITRE:Confucius", "tools": [ "WarzoneRAT" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434300, "ts_updated_at": 1775826697, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/120dc1b936896ca78299aa0cc5e02b2ecd8d38d7.pdf", "text": "https://archive.orkl.eu/120dc1b936896ca78299aa0cc5e02b2ecd8d38d7.txt", "img": "https://archive.orkl.eu/120dc1b936896ca78299aa0cc5e02b2ecd8d38d7.jpg" } }