{
	"id": "36b286c9-5bdc-46a0-a75b-b40637117b13",
	"created_at": "2026-04-06T00:22:34.867236Z",
	"updated_at": "2026-04-10T03:33:38.175965Z",
	"deleted_at": null,
	"sha1_hash": "99f2020eac7ef80a3e840e280c5b307fc741494c",
	"title": "Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 855031,
	"plain_text": "Confucius Uses Pegasus Spyware-related Lures to Target Pakistani\r\nMilitary\r\nBy By: Daniel Lunghi Aug 17, 2021 Read time: 5 min (1215 words)\r\nPublished: 2021-08-17 · Archived: 2026-04-05 15:47:11 UTC\r\nAPT \u0026 Targeted Attacks\r\nWhile investigating the Confucius threat actor, we found a recent spear phishing campaign that utilizes Pegasus\r\nspyware-related lures to entice victims into opening a malicious document downloading a file stealer.\r\nIntroduction\r\nWhile investigating the Confucius threat actor, we found a recent spear phishing campaign that utilizes Pegasus\r\nspyware-related lures to entice victims into opening a malicious document downloading a file stealer. The NSO\r\nGroup’s spyware spurred a collaborative investigationnews article that found that it was being used to target high-ranking individuals in 11 different countries.\r\nIn this blog entry, we take a look at the lures used by the malicious actor and provide a short analysis of the file stealer\r\nused in the campaign, which was launched in early August.\r\nThe contents of the spear phishing email\r\nThe campaign involves a two-step attack. During the first phase, an email without a malicious payload containing\r\ncontent copied from a legitimate Pakistani newspaper’s article is sent to the target. The sender address, which is\r\nspoofed, impersonates the PR wing of the Pakistani Armed Forces (info@ispr.gov.pk).\r\nTwo days later, a second email — purportedly a warning from a Pakistani military about the Pegasus spyware —\r\ncontaining a cutt.ly link to a malicious encrypted Word document and the password for decryption will be sent to the\r\ntarget. The sender address impersonates a service similar to that on the first email (alert@ispr.gov.pk). \r\nhttps://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html\r\nPage 1 of 10\n\nFigure 1. Spear-phishing email from early August. 
Notice the insertion of logos from the Pakistani\r\nArmy, Air Force, Navy, and PR department.\r\nIf the target clicks on either the link or on the “unsubscribe” link, it will download a Word document from the domain\r\nparinari[.]xyz.\r\nThe emails are sent either from an ExpressVPN exit node in Pakistan, or from a mail server under the attacker’s\r\ncontrol.\r\nExamining the encrypted document containing macros\r\nAfter entering the password mentioned in the message, a document containing macros is displayed on screen.\r\nFigure 2. Malicious document containing macros\r\nIf the victim enables macros, the malicious code will be loaded. If the victim enters any phone number and clicks\r\n“SUBMIT,” the text field will be replaced by the message “Phone Number Not Found.”\r\nBehind the scenes, a .NET DLL file named skfk.txt, which is filled with content found inside the “Comments”\r\nproperty of the document, is created in the temporary directory. The file is then loaded in memory via PowerShell.\r\nStage 1 is a simple download \u0026 execute program. It downloads an ASCII file from the same domain and converts it\r\ninto binary before loading it into memory and jumping to a dynamic function.\r\nStage 2 is also a .NET DLL file that downloads a third file from parinari[.]xyz, converts it from ASCII to binary, and\r\nthen creates a scheduled task to load it.\r\nStage 3 is similar to stage 1, with the only change being the URL to retrieve the next stage.\r\nStage 4 is the final payload (analyzed in the next section). It is never written in clear text to disk.\r\nFigure 3. 
File stealer loading scheme\r\nIt should be noted that most of the compilation timestamps of these DLL files have been modified by the attacker to a\r\nyear in the far future (2060, 2099 …), and the server IP addresses are often hidden behind CloudFlare.\r\nAnalysis of the file stealer\r\nThe final payload is a .NET DLL file designed to steal documents and images with the following extensions:\r\nFile extension Description\r\nTXT Text file\r\nPDF PDF file\r\nPNG Image file in PNG format\r\nJPG Image file in JPG format\r\nDOC Word document\r\nXLS Excel document\r\nXLM Excel document with macros\r\nODP OpenDocument Presentation\r\nODS OpenDocument Sheet\r\nODT OpenDocument Text\r\nRTF Rich Text Format file\r\nPPT PowerPoint document\r\nXLSX Excel document\r\nXLSM Excel document with macros\r\nDOCX Word document\r\nPPTX PowerPoint document\r\nJPEG Image file in JPEG format\r\nThe “Documents,” “Downloads,” “Desktop,” and “Pictures” folders of every user are checked. The DLL file also\r\nexamines drives other than C:.\r\nFigure 4. Code showing the main function of the file stealer\r\nWhen a file matching one of the listed extensions is found, its MD5 hash is calculated and compared to an exclusion\r\nlist retrieved from the command-and-control (C\u0026C) server pirnaram[.]xyz.\r\nIf the hash is not listed, the file is sent via the C\u0026C to a directory named after the concatenation of the machine name\r\nand the username. 
The exclusion list is different for every machine name-username string.\r\nOther campaigns\r\nDuring our monitoring of Confucius, we came across a campaign delivering the same payload, using a different lure.\r\nIn this instance, the campaign impersonated the Pakistani Defense Housing Authority. Again, this threat actor’s\r\ninterest in military personnel is obvious.\r\nFigure 5. Spear-phishing email from early August\r\nThe lures used in an older campaign from April 2021 impersonated the Federal Board of Revenue. There were minor\r\ndifferences in tools, tactics, and procedures: the malicious document was directly attached to the spear phishing email\r\n— still encrypted — and the decryption password was sent in a different email. The first stage was also hidden in the\r\n“Comments” section. However, the second stage contained the final payload, which was once again a file stealer with\r\nthe exact same structure (a .NET DLL). Instead of being exfiltrated through PHP scripts, the files were sent via an FTP\r\nserver.\r\nIt should be noted that on some occasions, the threat actor sent spear-phishing emails from the domain name\r\nmailerservice[.]directory which we attributed to the Patchwork threat actor in previous research. We disclosed\r\nmultiple links between Patchwork and Confucius threat actors in the past, so this came as no surprise to us.\r\nThe creative use of social engineering lures and how to defend against them\r\nIn our previous research, we already found Confucius, which is known for targeting Pakistan military for espionage\r\npurposes, employing multiple file stealers. 
While the code quality of its payloads is not of the highest standard, this\r\nthreat actor uses innovative techniques when crafting its malicious documents, such as hiding malicious code in the\r\ncomments section, or using encrypted documents to prevent automatic analysis. Therefore, it’s highly likely that\r\nConfucius will continue to experiment and try out different kinds of social engineering lures in future campaigns.\r\nDespite the variety of lures used by the threat actor, best security practices still apply to these attacks. Users should\r\nalways be wary and avoid clicking on any link or downloading any file from unsolicited emails or suspicious sources.\r\nRed flags such as unusual sender domains or grammatical and spelling errors are also a sign that the email is\r\nmalicious in nature, or at the very least, should be approached with proper security protocols in mind.\r\nThe following security solutions can also protect users from email-based attacks:\r\nTrend Micro™ Cloud App Security – Enhances the security of Microsoft Office 365 and other cloud\r\nservices via computer vision and real-time scanning. 
It also protects organizations from email-based threats.\r\nTrend Micro™ Deep Discovery™ Email Inspector – Defends users through a combination of real-time scanning and advanced analysis techniques for known and unknown attacks.\r\nIndicators of Compromise\r\nSHA256 Detection name\r\ndacf7868a71440a7d7d8797caca1aa29b7780801e6f3b3bc33123f16989354b2 Trojan.W97M.CONFUCIUS.A\r\n0f6bcbdf4d192f8273887f9858819dd4690397a92fb28a60bb731c873c438e07 Trojan.W97M.CONFUCIUS.B\r\n508bcc1f3906f5641116cde26b830b43f38f9c68a32b67e03a3e7e3f920b1f4a Trojan.W97M.CONFUCIUS.B\r\n654c7021a4482da21e149ded58643b279ffbce66badf1a0a7fc3551acd607312 Trojan.W97M.CONFUCIUS.C\r\n712172b5b1895bbfcced961a83baa448e26e93e301be407e6b9dc8cb6526277f Trojan.Win32.DLOADR.TIOIBELQ\r\nServer hosting malicious documents\r\nparinari[.]xyz\r\nServer used for file exfiltration\r\npirnaram[.]xyz\r\nDomain names linked to other campaigns\r\nSource: https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html"
	],
	"report_names": [
		"confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434954,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/99f2020eac7ef80a3e840e280c5b307fc741494c.pdf",
		"text": "https://archive.orkl.eu/99f2020eac7ef80a3e840e280c5b307fc741494c.txt",
		"img": "https://archive.orkl.eu/99f2020eac7ef80a3e840e280c5b307fc741494c.jpg"
	}
}