{
	"id": "a71a9542-5f81-497e-8b26-9325b337a4e2",
	"created_at": "2026-04-06T00:10:06.939772Z",
	"updated_at": "2026-04-10T13:12:32.4621Z",
	"deleted_at": null,
	"sha1_hash": "12245c339863e8f1541abcb63cc88ac522863bc4",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 64164,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\nArchived: 2026-04-05 22:24:54 UTC\n APT group: Confucius\nNames\nConfucius (Palo Alto)\nG0142 (MITRE)\nCountry India\nMotivation Information theft and espionage\nFirst seen 2013\nDescription\n(Trend Micro) Confucius’ campaigns were reportedly active as early as 2013,\nabusing Yahoo! And Quora forums as part of their command-and-control (C\u0026C)\ncommunications. We stumbled upon Confucius, likely from South Asia, while\ndelving into Patchwork’s cyberespionage operations.\nConfucius’ operations include deploying bespoke backdoors and stealing files from\ntheir victim’s systems with tailored file stealers. The stolen files are then exfiltrated\nby abusing a cloud service provider. Some of these file stealers specifically target\nfiles from USB devices, probably to overcome air-gapped environments.\nThis group seems to be associated with Patchwork, Dropping Elephant.\nObserved\nCountries: Azerbaijan, Bangladesh, France, India, Indonesia, Iran, Italy, Mongolia,\nPakistan, Poland, Russia, Slovakia, Spain, Trinidad and Tobago, UAE, UK, Ukraine,\nUSA and most of the South and Southeast Asian countries, most of the Middle\nEastern countries and most of the African countries.\nTools used\nApacheStealer, Confucius, Hornbill, MY24, sctrls, remote-access-c3, sip_telephone,\nSunBird, swissknife2, Sneepy.\nOperations performed\nOct 2017\nIn recent weeks, Unit 42 has discovered three documents crafted to\nexploit the InPage program. InPage is a word processor program that\nsupports languages such as Urdu, Persian, Pashto, and Arabic. The\nthree InPage exploit files are linked through their use of very similar\nshellcode, which suggests that either the same actor is behind these\nattacks, or the attackers have access to a shared builder.\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=5cfcb0a9-c819-4cc2-ad43-36fe47aca3d4\nPage 1 of 2\n\nLate 2017\nProbing Confucius’ infrastructure, we came across websites offering\nWindows and Android chat applications, most likely iterations of its\npredecessor, Simple Chat Point: Secret Chat Point, and Tweety Chat.\nWe are admittedly uncertain of the extent — and success — of their\nuse, but it’s one of the ingredients of the group’s operations.\nMay 2018\nDuring their previous campaign, we found Confucius using fake\nromance websites to entice victims into installing malicious Android\napplications. This time, the threat actor seems to have a new modus\noperandi, setting up two new websites and new payloads with which to\ncompromise its targets.\nAug 2021\nConfucius Uses Pegasus Spyware-related Lures to Target Pakistani\nMilitary\nInformation\nMITRE ATT\u0026CK Last change to this card: 16 August 2025\nDownload this actor card in PDF or JSON format\nSource: https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5cfcb0a9-c819-4cc2-ad43-36fe47aca3d4\nhttps://apt.etda.or.th/cgi-bin/showcard.cgi?u=5cfcb0a9-c819-4cc2-ad43-36fe47aca3d4\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/showcard.cgi?u=5cfcb0a9-c819-4cc2-ad43-36fe47aca3d4"
	],
	"report_names": [
		"showcard.cgi?u=5cfcb0a9-c819-4cc2-ad43-36fe47aca3d4"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2b29dd16-a06f-4830-81a1-365443bc54b8",
			"created_at": "2023-01-06T13:46:38.460047Z",
			"updated_at": "2026-04-10T02:00:02.983931Z",
			"deleted_at": null,
			"main_name": "QUILTED TIGER",
			"aliases": [
				"Chinastrats",
				"Sarit",
				"APT-C-09",
				"ZINC EMERSON",
				"ATK11",
				"G0040",
				"Orange Athos",
				"Thirsty Gemini",
				"Dropping Elephant"
			],
			"source_name": "MISPGALAXY:QUILTED TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775826752,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/12245c339863e8f1541abcb63cc88ac522863bc4.pdf",
		"text": "https://archive.orkl.eu/12245c339863e8f1541abcb63cc88ac522863bc4.txt",
		"img": "https://archive.orkl.eu/12245c339863e8f1541abcb63cc88ac522863bc4.jpg"
	}
}