{ "id": "f11ac765-2c2d-47c2-b499-b45184e65d97", "created_at": "2026-04-06T00:20:53.707275Z", "updated_at": "2026-04-10T13:11:19.48725Z", "deleted_at": null, "sha1_hash": "580278f393b2f4fe1959207921ec40195e76bc66", "title": "Threat Group Cards: A Threat Actor Encyclopedia", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 50636, "plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 19:14:47 UTC\r\nHome \u003e List all groups \u003e List all tools \u003e List all groups using tool Hornbill\r\n Tool: Hornbill\r\nNames Hornbill\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Info stealer, Exfiltration\r\nDescription\r\n(Lookout) Hornbill and SunBird have both similarities and differences in the way they\r\noperate on an infected device. While SunBird features remote access trojan (RAT)\r\nfunctionality – a malware that can execute commands on an infected device as directed\r\nby an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of\r\ndata of interest to its operator.\r\nInformation\r\n\u003chttps://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict\u003e\r\nMITRE ATT\u0026CK \u003chttps://attack.mitre.org/software/S1077\u003e\r\nLast change to this tool card: 30 November 2023\r\nDownload this tool card in JSON format\r\nAll groups using tool Hornbill\r\nChanged Name Country Observed\r\nAPT groups\r\n  Confucius 2013-Aug 2021  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=34997eba-3a98-445d-a69d-dc939d136794\r\nhttps://apt.etda.or.th/cgi-bin/listgroups.cgi?u=34997eba-3a98-445d-a69d-dc939d136794\r\nPage 1 of 1", "extraction_quality": 1, "language": "EN", "sources": [ "ETDA" ], "origins": [ "web" ], "references": [ "https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=34997eba-3a98-445d-a69d-dc939d136794" ], "report_names": [ "listgroups.cgi?u=34997eba-3a98-445d-a69d-dc939d136794" ], "threat_actors": [ { "id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4", "created_at": "2025-08-07T02:03:25.123407Z", "updated_at": "2026-04-10T02:00:03.668131Z", "deleted_at": null, "main_name": "ZINC EMERSON", "aliases": [ "Confucius ", "Dropping Elephant ", "EHDevel ", "Manul ", "Monsoon ", "Operation Hangover ", "Patchwork ", "TG-4410 ", "Viceroy Tiger " ], "source_name": "Secureworks:ZINC EMERSON", "tools": [ "Enlighten Infostealer", "Hanove", "Mac OS X KitM Spyware", "Proyecto2", "YTY Backdoor" ], "source_id": "Secureworks", "reports": null }, { "id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8", "created_at": "2022-10-25T16:07:23.482856Z", "updated_at": "2026-04-10T02:00:04.627414Z", "deleted_at": null, "main_name": "Confucius", "aliases": [ "G0142" ], "source_name": "ETDA:Confucius", "tools": [ "ApacheStealer", "ByeByeShell", "ChatSpy", "Confucius", "MY24", "Sneepy", "remote-access-c3", "sctrls", "sip_telephone", "swissknife2" ], "source_id": "ETDA", "reports": null }, { "id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c", "created_at": "2022-10-25T15:50:23.472432Z", "updated_at": "2026-04-10T02:00:05.352882Z", "deleted_at": null, "main_name": "Confucius", "aliases": [ "Confucius", "Confucius APT" ], "source_name": "MITRE:Confucius", "tools": [ "WarzoneRAT" ], "source_id": "MITRE", "reports": null } ], "ts_created_at": 1775434853, "ts_updated_at": 1775826679, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/580278f393b2f4fe1959207921ec40195e76bc66.pdf", "text": "https://archive.orkl.eu/580278f393b2f4fe1959207921ec40195e76bc66.txt", "img": "https://archive.orkl.eu/580278f393b2f4fe1959207921ec40195e76bc66.jpg" } }