{
	"id": "4ddff18a-ef36-46a3-a362-861d0f9ff361",
	"created_at": "2026-04-06T00:16:14.27768Z",
	"updated_at": "2026-04-10T03:38:09.850423Z",
	"deleted_at": null,
	"sha1_hash": "7509866c4e72444927688965b6a1065965727901",
	"title": "Confucius APT Deploys Warzone RAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1200669,
	"plain_text": "Confucius APT Deploys Warzone RAT\r\nBy Uptycs Threat Research\r\nPublished: 2021-01-12 · Archived: 2026-04-05 14:14:36 UTC\r\nResearch by Abhijit Mohanta and Ashwin Vamshi\r\nUptycs' threat research team published a piece about Warzone RAT and its advanced capabilities in November\r\n2020. During the first week of January 2021, we discovered an ongoing targeted attack campaign related to\r\nConfucius APT, a threat actor/group primarily targeting government sectors in South Asia. This attack was\r\nidentified by our in-house osquery-based sandbox that triggered a detection on Warzone RAT activity.\r\nBased on our threat intelligence systems, we were able to confirm that the threat actor is trying to circumvent\r\nattacks with decoys that deliver the next stage payload via the template injection technique and a short C2 TTL\r\n(Time to Live).\r\nTechnical Analysis\r\nOur in-house sandbox, which uses Uptycs EDR for detection, detected a Warzone RAT payload in the attack kill\r\nchain of the decoy document “China Cruise Missiles Capabilities-Implications for the Indian Army.docx” (hash:\r\nb9b5a9fa0ad7f802899e82e103a6c2c699c09390b1a79ae2b357cacc68f1ca8e).\r\nThis attack document was crafted by the attacker group to entice the victims or targets into opening a file related\r\nto the ongoing India-China border tension.\r\nhttps://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat\r\nPage 1 of 8\n\nFigure 1: Screenshot from the \"China Cruise Missiles Capabilities-Implications for the Indian Army.docx\" decoy.\r\nWe believe the decoy lure must have been copied from this PDF, which contains a study by Kartik Bommakanti\r\nfor the Observer Research Foundation (ORF).\r\nAttack Kill Chain\r\nThe decoy lure was a 16-page document that would have escaped the notice of static heuristic engines, because they\r\ngenerally flag suspicious files based on the number of pages (malicious documents are usually one page).\r\nUpon execution, the document used template 
injection to download the next stage RTF exploit, which in turn downloaded\r\nthe final stage Warzone payload using a DLL embedded in the RTF exploit. The different\r\nphases of the attack kill chain are detailed in figure 2, below.\r\nFigure 2: Attack kill chain of the different phases of the attack.\r\nThe various phases of the attack are as follows:\r\n1. Victim opens the Word document\r\n2. Document downloads template RTF\r\n3. Exploit in RTF is triggered and bing.dll is dropped and executed\r\n4. bing.dll downloads Warzone RAT\r\nUsing the template injection technique, the next stage payload is downloaded via the word/_rels/settings.xml.rels\r\nfile present in the document structure, as shown in figure 3, below.\r\nFigure 3: settings.xml.rels containing the link to the template.\r\nThe downloaded template (hash: 2f5fc653550b0b5d093427263b26892e3468e125686eb41206319c7060212c40) is\r\nan RTF file containing exploit code for the old vulnerability “CVE-2018-0802” in the Microsoft Equation Editor\r\n(EQNEDT32.exe). This is evident from the CLSID present in the RTF file, “7b0002CE02-0000-0000-C000-000000000046,” which belongs to the Equation Editor. The RTF contains a DLL embedded in an OLE object, as\r\nshown in figure 4, below.\r\nFigure 4: DLL embedded in OLE.\r\nThe embedded DLL file, bing.dll (SHA-256:\r\n07277c9f33d0ae873c2be3742669594acc18c7aa93ecadb8b2ce9b870baceb2f), which is executed upon successful\r\nexploitation, contains an export “mark” that is responsible for downloading the Warzone payload. Figure 5, below,\r\nshows the code that downloads the Warzone payload.\r\nFigure 5: Downloader code in DLL.\r\nThe Warzone payload is saved to the %ProgramData% folder as update.exe (SHA-256:\r\n4500851dad1ac87165fc938fe5034983c10423f800bbc2661741f39e43ab8c8d), as shown in the above figure. 
In\r\norder to maintain persistence, an LNK file named update.lnk pointing to update.exe is dropped to the startup folder\r\n“%AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup”.\r\nWarzone RAT was caught by Uptycs in November. It has capabilities to log keystrokes, steal passwords, and capture\r\nthe webcam, and it has the ability to bypass UAC on Windows 10. You can read more details about Warzone RAT\r\nin our blog post.\r\nSimilarly Themed Attacks Delivering Warzone RAT\r\nWe identified three similar DLL files in our threat intelligence systems with the same imphash:\r\n58f8f4bdb6d7059247f4fe90a8ba9477. Using this data, we identified three more decoy documents, most likely\r\nused against different targets, that use these DLL files as the next stage payloads.\r\nThe first decoy document was observed in October 2020.\r\nFile name: Testing.docx\r\nHash: a3cd781b14d75de94e5263ce37a572cdf5fe5013ec85ff8daeee3783ff95b073\r\nRTF hash: 686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424\r\nDLL hash: 1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126\r\nPDB path: C:\\Users\\admin\\Documents\\dll\\linknew\\Release\\linknew.pdb\r\nC2: recent[.]wordupdate[.]com\r\nThe decoy’s subject focused on China preparing for war in the Taiwan Strait—a topic sure to attract attention.\r\nFigure 6: China preparing for war in the Taiwan Strait decoy.\r\nThe second decoy was observed in November 2020. 
Interestingly, this decoy used the same next stage\r\nRTF and DLL payloads (identical hashes) as the first decoy document.\r\nFile name: Suparco Vacancy Notification.docx\r\nHash: 59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c\r\nRTF hash: 686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424\r\nDLL hash: 1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126\r\nPDB path: C:\\Users\\admin\\Documents\\dll\\linknew\\Release\\linknew.pdb\r\nC2: recent[.]wordupdate[.]com\r\nThis decoy posed as a job application form for the Pakistan Space \u0026 Upper Atmosphere Research Commission\r\n(SUPARCO).\r\nFigure 7: SUPARCO vacancy notification decoy.\r\nAlso in November 2020, we identified another highly targeted decoy:\r\nHash: 59cd62ad204e536b178db3e2ea10b36c782be4aa4849c10eef8484433a524297\r\nRTF hash: 3ce48f371129a086935b031333387ea73282bda5f22ff78c85ee7f0f5e4625fe\r\nDLL hash: ea52d6358d53fc79e1ab61f64cb77bb47f773f0aa29223b115811e2f339e85f5\r\nPDB path: C:\\Users\\admin\\Documents\\dll\\linknew\\Release\\linknew.pdb\r\nC2: recent[.]wordupdate[.]com\r\nThis decoy focused on another attention-grabbing topic—what to expect from Joe Biden, the new president of the\r\nUnited States, on top nuclear weapons issues. The DLL file connected to the same C2 and contained the\r\nsame PDB path as the above two documents.\r\nFigure 8: Top nuclear weapons issues decoy.\r\nBased on the decoys and the topics, we believe the campaign is ongoing with selected targets. As the C2 TTL is\r\nshort-lived, we believe the threat actor is tailoring the attacks to selected targets and taking down their attack\r\nelements afterwards.\r\nTargeted attacks will always try to leverage the latest news with high media attention to tailor their lures. 
The\r\nWarzone RAT was deployed as the final stage payload to monitor and carry out surveillance on the victim's machine.\r\nWhile traditional solutions have a detection stance against such threats, it is always recommended to have a\r\nlayered security approach that has advanced analytics and granular visibility of targeted attacks and the next stage\r\npayloads used in their attack kill chains.\r\nIOCs\r\nHashes\r\nb9b5a9fa0ad7f802899e82e103a6c2c699c09390b1a79ae2b357cacc68f1ca8e\r\n2f5fc653550b0b5d093427263b26892e3468e125686eb41206319c7060212c40\r\n07277c9f33d0ae873c2be3742669594acc18c7aa93ecadb8b2ce9b870baceb2f\r\n4500851dad1ac87165fc938fe5034983c10423f800bbc2661741f39e43ab8c8d\r\na3cd781b14d75de94e5263ce37a572cdf5fe5013ec85ff8daeee3783ff95b073\r\n686847b331ace1b93b48528ba50507cbf0f9b59aef5b5f539a7d6f2246135424\r\n1c41a03c65108e0d965b250dc9b3388a267909df9f36c3fefffbd26d512a2126\r\n59ccfff73bdb8567e7673a57b73f86fc082b0e4eeaa3faf7e92875c35bf4f62c\r\n59cd62ad204e536b178db3e2ea10b36c782be4aa4849c10eef8484433a524297\r\n3ce48f371129a086935b031333387ea73282bda5f22ff78c85ee7f0f5e4625fe\r\nea52d6358d53fc79e1ab61f64cb77bb47f773f0aa29223b115811e2f339e85f5\r\nURLs\r\nmsoffice[.]user-assist[.]site\r\nrecent[.]wordupdate[.]com\r\nYARA rule\r\nrule upt_Confucius_apt_dll {\r\n    meta:\r\n        description = \"DLL used by Confucius\"\r\n        author = \"abhijit mohanta\"\r\n        date = \"January 2021\"\r\n    strings:\r\n        $upt_APT_10 = { 61 00 00 ?? 61 00 00 ?? 67 00 00 ?? 66 00 00 }\r\n        $upt_APT_11 = { 62 00 00 ED 61 00 00 99 66 00 00 77 66 00 00 }\r\n        $upt_APT_21 = \".gfids\" ascii wide\r\n    condition:\r\n        (any of ($upt_APT_1*)) and $upt_APT_21\r\n}\r\nSource: https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat"
	],
	"report_names": [
		"confucius-apt-deploys-warzone-rat"
	],
	"threat_actors": [
		{
			"id": "b740943a-da51-4133-855b-df29822531ea",
			"created_at": "2022-10-25T15:50:23.604126Z",
			"updated_at": "2026-04-10T02:00:05.259593Z",
			"deleted_at": null,
			"main_name": "Equation",
			"aliases": [
				"Equation"
			],
			"source_name": "MITRE:Equation",
			"tools": null,
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "808d8d52-ca06-4a5f-a2c1-e7b1ce986680",
			"created_at": "2022-10-25T16:07:23.899157Z",
			"updated_at": "2026-04-10T02:00:04.782542Z",
			"deleted_at": null,
			"main_name": "NetTraveler",
			"aliases": [
				"APT 21",
				"Hammer Panda",
				"NetTraveler",
				"TEMP.Zhenbao"
			],
			"source_name": "ETDA:NetTraveler",
			"tools": [
				"Agent.dhwf",
				"Destroy RAT",
				"DestroyRAT",
				"Kaba",
				"Korplug",
				"NetTraveler",
				"Netfile",
				"PlugX",
				"RedDelta",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"TravNet",
				"Xamtrav"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "04b07437-41bb-4126-bcbb-def16f19d7c6",
			"created_at": "2022-10-25T16:07:24.232628Z",
			"updated_at": "2026-04-10T02:00:04.906097Z",
			"deleted_at": null,
			"main_name": "Stone Panda",
			"aliases": [
				"APT 10",
				"ATK 41",
				"Bronze Riverside",
				"CTG-5938",
				"CVNX",
				"Cuckoo Spear",
				"Earth Kasha",
				"G0045",
				"G0093",
				"Granite Taurus",
				"Happyyongzi",
				"Hogfish",
				"ITG01",
				"Operation A41APT",
				"Operation Cache Panda",
				"Operation ChessMaster",
				"Operation Cloud Hopper",
				"Operation Cuckoo Spear",
				"Operation New Battle",
				"Operation Soft Cell",
				"Operation TradeSecret",
				"Potassium",
				"Purple Typhoon",
				"Red Apollo",
				"Stone Panda",
				"TA429",
				"menuPass",
				"menuPass Team"
			],
			"source_name": "ETDA:Stone Panda",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Anel",
				"AngryRebel",
				"BKDR_EVILOGE",
				"BKDR_HGDER",
				"BKDR_NVICM",
				"BUGJUICE",
				"CHINACHOPPER",
				"ChChes",
				"China Chopper",
				"Chymine",
				"CinaRAT",
				"Cobalt Strike",
				"CobaltStrike",
				"DARKTOWN",
				"DESLoader",
				"DILLJUICE",
				"DILLWEED",
				"Darkmoon",
				"DelfsCake",
				"Derusbi",
				"Destroy RAT",
				"DestroyRAT",
				"Ecipekac",
				"Emdivi",
				"EvilGrab",
				"EvilGrab RAT",
				"FYAnti",
				"Farfli",
				"Gen:Trojan.Heur.PT",
				"Gh0st RAT",
				"Ghost RAT",
				"GreetCake",
				"HAYMAKER",
				"HEAVYHAND",
				"HEAVYPOT",
				"HTran",
				"HUC Packet Transmit Tool",
				"Ham Backdoor",
				"HiddenFace",
				"Impacket",
				"Invoke the Hash",
				"KABOB",
				"Kaba",
				"Korplug",
				"LODEINFO",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MiS-Type",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"NBTscan",
				"NOOPDOOR",
				"Newsripper",
				"P8RAT",
				"PCRat",
				"PlugX",
				"Poison Ivy",
				"Poldat",
				"PowerSploit",
				"PowerView",
				"PsExec",
				"PsList",
				"Quarks PwDump",
				"Quasar RAT",
				"QuasarRAT",
				"RedDelta",
				"RedLeaves",
				"Rubeus",
				"SNUGRIDE",
				"SPIVY",
				"SharpSploit",
				"SigLoader",
				"SinoChopper",
				"SodaMaster",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Trochilus RAT",
				"UpperCut",
				"Vidgrab",
				"WinRAR",
				"WmiExec",
				"Wmonder",
				"Xamtrav",
				"Yggdrasil",
				"Zlib",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"dfls",
				"lena",
				"nbtscan",
				"pivy",
				"poisonivy",
				"pwdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "3aaf0755-5c9b-4612-9f0e-e266ef1bdb4b",
			"created_at": "2022-10-25T16:07:23.480196Z",
			"updated_at": "2026-04-10T02:00:04.626125Z",
			"deleted_at": null,
			"main_name": "Comment Crew",
			"aliases": [
				"APT 1",
				"BrownFox",
				"Byzantine Candor",
				"Byzantine Hades",
				"Comment Crew",
				"Comment Panda",
				"G0006",
				"GIF89a",
				"Group 3",
				"Operation Oceansalt",
				"Operation Seasalt",
				"Operation Siesta",
				"Shanghai Group",
				"TG-8223"
			],
			"source_name": "ETDA:Comment Crew",
			"tools": [
				"Auriga",
				"Cachedump",
				"Chymine",
				"CookieBag",
				"Darkmoon",
				"GDOCUPLOAD",
				"GLOOXMAIL",
				"GREENCAT",
				"Gen:Trojan.Heur.PT",
				"GetMail",
				"Hackfase",
				"Hacksfase",
				"Helauto",
				"Kurton",
				"LETSGO",
				"LIGHTBOLT",
				"LIGHTDART",
				"LOLBAS",
				"LOLBins",
				"LONGRUN",
				"Living off the Land",
				"Lslsass",
				"MAPIget",
				"ManItsMe",
				"Mimikatz",
				"MiniASP",
				"Oceansalt",
				"Pass-The-Hash Toolkit",
				"Poison Ivy",
				"ProcDump",
				"Riodrv",
				"SPIVY",
				"Seasalt",
				"ShadyRAT",
				"StarsyPound",
				"TROJAN.COOKIES",
				"TROJAN.FOXY",
				"TabMsgSQL",
				"Tarsip",
				"Trojan.GTALK",
				"WebC2",
				"WebC2-AdSpace",
				"WebC2-Ausov",
				"WebC2-Bolid",
				"WebC2-Cson",
				"WebC2-DIV",
				"WebC2-GreenCat",
				"WebC2-Head",
				"WebC2-Kt3",
				"WebC2-Qbp",
				"WebC2-Rave",
				"WebC2-Table",
				"WebC2-UGX",
				"WebC2-Yahoo",
				"Wordpress Bruteforcer",
				"bangat",
				"gsecdump",
				"pivy",
				"poisonivy",
				"pwdump",
				"zxdosml"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434574,
	"ts_updated_at": 1775792289,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7509866c4e72444927688965b6a1065965727901.pdf",
		"text": "https://archive.orkl.eu/7509866c4e72444927688965b6a1065965727901.txt",
		"img": "https://archive.orkl.eu/7509866c4e72444927688965b6a1065965727901.jpg"
	}
}