{
	"id": "cca75621-1d6b-42d5-8c95-b71ea0997409",
	"created_at": "2026-04-06T00:10:06.216585Z",
	"updated_at": "2026-04-10T03:33:38.126142Z",
	"deleted_at": null,
	"sha1_hash": "1a22f559ea8a2a75e220181cd8baa59c9df4d94a",
	"title": "Confucius Update: New Techniques, More Patchwork Links",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 89185,
	"plain_text": "Confucius Update: New Techniques, More Patchwork Links\r\nBy: Daniel Lunghi, Jaromir Horejsi May 23, 2018 Read time: 7 min (1974 words)\r\nPublished: 2018-05-23 · Archived: 2026-04-05 13:55:13 UTC\r\nUpdated the appendix on August 30, 2018 to fix formatting and add new information.\r\nBack in February, we noted the similarities between the Patchwork and Confucius groups and found that, in\r\naddition to the similarities in their malware code, both groups primarily went after targets in South Asia. In the\r\nmonths that followed, during which we tracked Confucius’ activities, we found that they were still aiming for\r\nPakistani targets.\r\nDuring their previous campaign, we found Confucius using fake romance websites to entice victims into installing\r\nmalicious Android applications. This time, the threat actor seems to have a new modus operandi, setting up two\r\nnew websites and new payloads with which to compromise its targets.\r\nFake Android porn app and Windows chat applications as lures\r\nThe first website uses adult content as a lure, via an Android application called Fuddi Duniya, which links to a\r\nwebsite that displays nude pictures every day. The app’s APK is linked directly from the homepage, with a\r\ndisclaimer stating that Google Play does not allow pornography in its store.\r\nFigure 1: fake website with a link to download the Fuddi Duniya app. The displayed Urdu text could be translated\r\nas “Real women, girls, and housewives || Download the app now More than thousands of women app.”\r\nThe app’s features are similar to those of the previous malicious Android application, such as the ability to record\r\naudio and steal SMS, accounts, contacts and certain file types from specific directories. 
In addition, the\r\napplication now retrieves the last known location and uses the development platform Google Firebase to upload\r\nthe stolen content.\r\nFigure 2: Stealing function excerpt from Fuddi Duniya Android app\r\nThe second fake website is again related to chat, with a background suggesting that it can help users find a partner.\r\nInitially, it linked to a malicious Android application hosted on Google Play that shared the same features as the\r\napplication described above. After we reached out to Google during the research, the\r\napplication was removed from the store and the link was removed from the fake website.\r\nFigure 3. Screenshot of the second fake website\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/\r\nPage 1 of 6\n\nAs with the fake Tweety chat application we described in detail in our previous research, a Windows\r\napplication with real chat features based on the open-source chat application RocketChat was offered. This\r\napplication, too, comes bundled with malicious .NET code.\r\nWhile small and relatively simple, we found this malicious application interesting to analyze as it revealed the\r\ncountries targeted by the threat actor. The application is a simple downloader that sends some basic information\r\n(username, antivirus, IP address, and operating system version) encrypted with Triple DES\r\n(3DES).\r\nFigure 4. Sample of the app’s code\r\nPeriodically, the malware tries to contact the Command-and-Control (C\u0026C) server with the username encoded\r\ninto parameters. Based on the information they retrieve, the operators can then decide to instruct the malware to\r\ndownload the second stage payload. 
This function is similar to the various versions of backdoors (such as sctrls\r\nand sip_telephone) that we analyzed in our previous blog post and whitepaper.\r\nAn interesting feature of the downloader: it uses an online service to retrieve the victim's IP address and country,\r\nwhich it compares with a list of allowed countries. If the victim seemingly comes from a different country, the\r\nprogram will self-delete and quit. This list contains:\r\nMost of the South and Southeast Asian countries (including Mongolia)\r\nMost of the Middle Eastern countries\r\nMost of the African countries\r\nOnly Ukraine in Europe\r\nOnly Trinidad and Tobago in the Americas\r\nNo country from Oceania\r\nFigure 5. Excerpt of the valid country list\r\nWe noted that it does both client-side and server-side IP filtering, showing that the attacker has improved its\r\ninfrastructure. At the end of last year, a C\u0026C server from the same threat actor was not only accessible from any IP\r\naddress, but it was also possible to browse the server's directory tree without authentication.\r\nAfter posing as a victim of interest, we obtained a second stage payload (detected as\r\nTROJ_DELF.XXWZ), a filestealer written in Delphi and similar to the “svctrls”\r\nmalware described in our previous blogpost. 
This one is called “sysctrls” and it looks for files with the following\r\nextensions:\r\nExtension File Type\r\n.doc, .docx Microsoft Word document\r\n.xls, .xlsx Microsoft Excel document\r\n.ppt, .pptx Microsoft PowerPoint presentation\r\n.png, .jpg, .jpeg Image file\r\n.pst, .ost Microsoft Outlook file\r\n.csv Spreadsheet file\r\nIt then sends them via an HTTP POST request to windefendr[.]com/description.php.\r\nFurther analysis of this filestealer revealed interesting links with other threat actor groups.\r\nThe Delphi Link\r\nWe already mentioned that Confucius had possible links to other groups in our previous blog post, which\r\ndescribed code sharing between Patchwork and Confucius: both groups used a backdoor with the same\r\nconfiguration file structure and commands.\r\nWe found further code sharing between the two groups’ malware, as Patchwork recently used several Delphi\r\nmalware samples similar to the Delphi malware we described before.\r\nWe initially spotted some visual similarities between the malware used. Although no forms are displayed while the\r\nmalware is running, its TForm object is visible in the Delphi decompiler. The TForm object usually holds two\r\nTTimer objects (we have sometimes seen one or even three), typically with random names.\r\nOccasionally, listboxes with encrypted strings are also added.\r\nFigure 6: Decompiled Form structure of Confucius’ sample\r\n(d971842441c83c1bba05742d124620f5741bb5d5da9ffb31f06efa4bbdcf04ee, Detected as TSPY_CONFSTEAL.A)\r\nFigure 7: Decompiled Form structure of Patchwork’s sample\r\n(795ae4097aa3bd5932be4110f6bd992f46d605d4c9e3afced314454d35395a59, Detected as TROJ_DELF.XXWZ)\r\nWhen looking into any of the TTimers’ OnTimer methods, we often found the same structure: a pointer to\r\nan encrypted string loaded into the EDX register, followed by a call to the decryption function.\r\nFigure 8: Calling the decryption function\r\nThis encouraged us to analyze the string encryption routines thoroughly.\r\nOur analysis revealed three of them. The first is a very simple routine that flips every bit of the string. The\r\nsecond algorithm involves a hardcoded key, which is transformed by taking the five lower bits of each character\r\nand then used as an XOR key. In some cases, the key is split in half in the binary, so it is first reunited before being\r\nused. Finally, the third algorithm uses a 94-character substitution table. This algorithm was previously discussed\r\nby security researchers in a Confucius-related blog post.\r\nFor each of these routines, we found a recent sample connecting to a domain name belonging to Patchwork’s\r\ninfrastructure.\r\nThe substitution tables of the third algorithm were randomly generated at build time, while the attacker seemingly\r\nchose the keys used in the second algorithm. We found six different keys in the latter category, and the keys used by\r\nPatchwork differed from those used by Confucius.\r\nFigure 9. 
On the left, Confucius code, on the right, Patchwork’s code\r\nInterestingly, one of those keys, “xldbszcd”, was found in a file stealer used by Confucius\r\n(472ea4929c5e0fb4e29597311ed90a14c57bc67fbf26f81a3aac042aa3dccb55, Detected as\r\nTSPY_CONFSTEAL.A) as well as in two other file stealers.\r\nOne file stealer (cca74bb322ad7833a21209b1418c9837e30983daec30d199a839f46075ee72f2, Detected as\r\nTSPY_DELF.SUW), published by security researchers in 2013 and linked to the domain myflatnet[.]com, was\r\nattributed by several parties to the Hangover group.\r\nThe other file stealer (1f0dabd61947b6df8a392b77a0eae33777be3caad13698aecc223b54ab4b859a, Detected as\r\nTROJ_DELF.XXWZ) is related to a domain reported in September 2016. That report also mentioned InPage\r\nsoftware targeting and Delphi backdoors.\r\nFigure 10. Left: Confucius group, Middle: Hangover group, Right: Unnamed group\r\nAfter some research, we found multiple Delphi backdoors that used one of the three decryption routines. The\r\nbackdoors also connected to infrastructure matching old Hangover domains as well as the domains\r\nfrom the September 2016 blog post. Some of these samples were several years old and had kept the original name\r\nof the bit-flip decryption routine, “EnDecrypt”. This algorithm matches the code snippet shown in the original post.\r\nPatchwork's Ongoing Campaigns\r\nAside from their Delphi malware, Patchwork is still active. Lately, they have been sending multiple RTF files\r\nexploiting CVE-2017-8570. The dropped payloads are modified versions of the remote administration tool\r\nQuasarRAT that can be traced to the domains sastind-cn[.]org and tautiaos[.]com.\r\nFigure 11. Process tree after a successful infection\r\nThe attackers sometimes design the weaponized documents to look like legitimate documents of interest to the
The documents are also unusually large — often more than 10 megabytes.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/\r\nPage 4 of 6\n\nFigure 12. On the left, the weaponized document (Detection name). On the right, the legitimate document from\r\nCSBA\r\nFigure 12. On the left, the weaponized document. On the right, the legitimate document from CSBA. Note that the\r\nweaponized document was crafted to look like it came from CSBA but does not imply that CSBA or its related\r\nassets have been compromised \r\nThe group still uses the Badnews malware, a backdoor with information-stealing and file-executing capabilities,\r\nalbeit updated with a slight modification in the encryption routine at the end of 2017, when they added Blowfish\r\nencryption on top of their custom encryption described in our former Patchwork blogpost.\r\nDefending against Confucius and Patchwork\r\nThreat actors like Confucius and Patchwork are known for their large arsenal of tools and ever-evolving\r\ntechniques that can render traditional security solutions — which are often not designed to handle the persistent\r\nand sophisticated threats detailed in this blog — ineffective. To help combat these kinds of threats organizations\r\nwill need to take a more proactive and focused security posture that can cover the most ground in terms of\r\nsecurity. Some specific security measures organizations can implement:\r\nRecognize social engineering attempts. Malicious mobile apps are common infection vectors for\r\ncybercriminals, as they can attract specific target audiences. In this case, Confucius went with the common\r\nadage “sex sells”\r\nProactively monitor the organization’s network. Threat actors are notorious for creating stealthy malware\r\nthat can bypass superficial network monitoring. 
A more proactive stance that includes proper application of\r\nfirewalls and intrusion detection and prevention systems can help mitigate the impact of an attack.\r\nImplement network segmentation. Even with the best security technology, there is still a chance of an\r\nattack slipping through. Separating the network into individual segments, and restricting access to only\r\nthose who really need it, can limit the damage in case of a successful attack.\r\nUpdate systems regularly. Everything from endpoints to network software to IoT devices should be patched\r\nand updated to prevent or minimize the chance of a threat actor exploiting a vulnerability.\r\nIn an ideal scenario, an organization’s in-house security team implements all of these and other security measures.\r\nIn reality, many IT departments, in small and large organizations alike, are not equipped to handle the more\r\nadvanced threats that groups like Confucius use in their attacks. Since these teams also handle the day-to-day IT\r\nrequirements of the organization, taking on a more involved and proactive stance may not be easy. In this case, an\r\norganization can look into third-party security providers who can handle specialized work, such as root cause\r\nanalysis and detailed research, and also provide a remediation plan that gives organizations a better chance against\r\nadvanced threats.\r\nTrend Micro Solutions\r\nPatchwork uses email as an entry point, which is why securing the email gateway is important. Trend Micro™\r\nEmail Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam,\r\nmalware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. Trend\r\nMicro™ Email Inspector and InterScan™ Web Security prevent malware from ever reaching end users. 
At the\r\nendpoint level, Trend Micro™ Smart Protection Suites deliver several capabilities that minimize the impact of\r\nPatchwork’s attacks.\r\nThese solutions are powered by Trend Micro XGen™ security, which provides a cross-generational blend of threat\r\ndefense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It\r\nfeatures high-fidelity machine learning to secure the gateway and endpoint data and applications, and protect\r\nphysical, virtual, and cloud workloads. The appendix of the original post contains the latest indicators of compromise (IOCs) related\r\nto the different groups.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/confucius-update-new-tools-and-techniques-further-connections-with-patchwork/"
	],
	"report_names": [
		"confucius-update-new-tools-and-techniques-further-connections-with-patchwork"
	],
	"threat_actors": [
		{
			"id": "c1f1d9ce-ad31-49db-9f82-cc0dd12374da",
			"created_at": "2023-01-06T13:46:39.006986Z",
			"updated_at": "2026-04-10T02:00:03.17886Z",
			"deleted_at": null,
			"main_name": "[Unnamed group]",
			"aliases": [],
			"source_name": "MISPGALAXY:[Unnamed group]",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434206,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1a22f559ea8a2a75e220181cd8baa59c9df4d94a.pdf",
		"text": "https://archive.orkl.eu/1a22f559ea8a2a75e220181cd8baa59c9df4d94a.txt",
		"img": "https://archive.orkl.eu/1a22f559ea8a2a75e220181cd8baa59c9df4d94a.jpg"
	}
}
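The three string-encryption routines described under “The Delphi Link” in the plain_text above (the bit-flip “EnDecrypt”, the XOR with a key reduced to its five low bits, and the 94-character substitution table), re-implemented as an added Python example. This is not code from the Trend Micro post or from the malware; it shows what an analyst's string decryptor for these samples looks like. The key “xldbszcd”, its storage as two halves, and the C2 path are taken from the post. Assumptions (not stated in the post): the XOR key is reused cyclically for strings longer than the key, the 94-character alphabet is printable ASCII 0x21 to 0x7E with other bytes passing through, and the seeded shuffle merely stands in for whatever the attacker's build process did to generate the table.

```python
"""Re-implementation of the three Delphi string-encryption schemes described
in the post: bit flip ("EnDecrypt"), XOR with a key reduced to its five low
bits, and a 94-character substitution table. Constructed example; byte-level
conventions the post does not state are marked as assumptions."""
import random

# Assumption: the 94-entry table covers printable ASCII '!'..'~' (0x21..0x7E).
PRINTABLE_94 = bytes(range(0x21, 0x7F))


def endecrypt(data: bytes) -> bytes:
    """Algorithm 1 ("EnDecrypt"): flip every bit. It is an involution, so the
    same routine both encrypts and decrypts."""
    return bytes(b ^ 0xFF for b in data)


def reunite_key(first_half: bytes, second_half: bytes) -> bytes:
    """Some samples store the key as two halves in the binary; join them first."""
    return first_half + second_half


def transform_key(key: bytes) -> bytes:
    """Algorithm 2 key schedule: keep only the five low bits of each character,
    so every key byte ends up in 0x00..0x1F."""
    return bytes(c & 0x1F for c in key)


def xor5_crypt(data: bytes, key: bytes) -> bytes:
    """Algorithm 2: XOR the data with the transformed key. Assumption: the key
    is reused cyclically when the string is longer than the key. Involution."""
    k = transform_key(key)
    if not k:
        raise ValueError("empty key")
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))


def build_substitution_table(seed: int) -> bytes:
    """Algorithm 3 table: a permutation of the 94 printable characters. The
    post says tables were generated randomly at build time; the seed here only
    makes this constructed example reproducible."""
    table = list(PRINTABLE_94)
    random.Random(seed).shuffle(table)
    return bytes(table)


def substitute(data: bytes, table: bytes) -> bytes:
    """Encrypt with algorithm 3: map each printable byte through the table.
    Assumption: bytes outside the alphabet (e.g. spaces) pass through."""
    if len(table) != 94 or sorted(table) != list(PRINTABLE_94):
        raise ValueError("table must be a permutation of the 94 printable chars")
    return bytes(table[b - 0x21] if 0x21 <= b <= 0x7E else b for b in data)


def unsubstitute(data: bytes, table: bytes) -> bytes:
    """Decrypt algorithm 3 by inverting the table."""
    inverse = {t: i + 0x21 for i, t in enumerate(table)}
    return bytes(inverse.get(b, b) for b in data)


def triage(blob: bytes, key: bytes, table: bytes) -> dict:
    """Run all three decryptors over an unknown blob and keep the outputs that
    are entirely printable ASCII. More than one may survive (XOR with values
    below 0x20 often keeps text printable), so the analyst still inspects them."""
    candidates = {
        "bitflip": endecrypt(blob),
        "xor5": xor5_crypt(blob, key),
        "subst": unsubstitute(blob, table),
    }
    return {name: out for name, out in candidates.items()
            if out and all(0x20 <= b <= 0x7E for b in out)}


if __name__ == "__main__":
    key = reunite_key(b"xldb", b"szcd")          # "xldbszcd", the key named in the post
    table = build_substitution_table(2018)       # constructed table, not a real sample's
    secret = b"windefendr.com/description.php"   # C2 path named in the post
    for name, blob in (("bitflip", endecrypt(secret)),
                       ("xor5", xor5_crypt(secret, key)),
                       ("subst", substitute(secret, table))):
        print(f"{name:8s} {blob.hex()}  ->  {triage(blob, key, table)}")
```

In practice the key and table are pulled from the sample (the key as one or two string constants, the table as a 94-byte blob), and the triage routine is run over every pointer loaded into EDX before the decryption call the post describes; the six per-group keys mentioned in the post are what make algorithm 2 an attribution signal.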