{
	"id": "cb24a130-73d9-4f28-bdb0-b85dab874582",
	"created_at": "2026-04-06T00:21:54.942424Z",
	"updated_at": "2026-04-10T03:33:50.200675Z",
	"deleted_at": null,
	"sha1_hash": "a110d78ce9322857fd7d8f5f6d90f1eb6eb07c3e",
	"title": "Bahamut, Confucius and Patchwork Connected to Urpage",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 75886,
	"plain_text": "Bahamut, Confucius and Patchwork Connected to Urpage\r\nBy: Daniel Lunghi, Ecular Xu Aug 29, 2018 Read time: 6 min (1672 words)\r\nPublished: 2018-08-29 · Archived: 2026-04-05 14:16:42 UTC\r\nIn the process of monitoring changes in the threat landscape, we get a clearer insight into the way threat actors work behind the scenes. In this case we dig deeper into the possible connection between cyberattacks by focusing on the similarities an unnamed threat actor shares with Confucius, Patchwork, and another threat actor called Bahamut. For the sake of this report, we will call this unnamed threat actor “Urpage.”\r\nWhat sets Urpage attacks apart is its targeting of InPage, a word processor for the Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, are what make it more intriguing, as they connect Urpage to these other known threats. In our previous entry, we already covered the Delphi component in the context of the Confucius and Patchwork connection. We mentioned Urpage as a third unnamed threat actor connected to the two. This time, we look into Urpage to gain a deeper insight into the way several threat actors' actions intersect.\r\nThe Bahamut Link\r\nFake websites\r\nThe link between Bahamut and Urpage is best illustrated by the multiple malicious Android samples that matched Bahamut's code and had C\u0026C servers belonging to the Urpage infrastructure. Some of these C\u0026C websites also act as phishing sites that lure users into downloading these very applications. 
The threat actor sets up fake websites describing the application and linking to the Google Play Store to download it, as in the case of the malicious website pikrpro[.]eu.\r\n[Image: screenshot of the pikrpro[.]eu website]\r\nAnother sample website involved a closely copied version of an existing website, with slight changes to the logo and the options at the top of the page. The download links were also replaced so that they download the malicious Android application instead.\r\nFigure 1. Original (top) and modified (bottom) website\r\nAs of this writing, we have coordinated with Google to ensure that the malicious applications these C\u0026C sites advertise are no longer available for download on the Google Play Store. It is important to note, however, that not all Urpage C\u0026C websites advertise malicious applications. Some simply contain a random template with empty categories, likely as a ploy to hide their malicious activities.\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/\r\nPage 1 of 5\r\nAndroid targeting\r\nAs with Bahamut applications, once downloaded and executed, the Urpage application showed multiple malicious features that deal with stealing information. Some of these features are listed below.\r\n- Retrieves basic information, such as network information and the MAC address, from the infected phone\r\n- SMS stealing\r\n- Contacts stealing\r\n- Audio recording\r\n- GPS location retrieval\r\n- Steals files with the specific extensions listed below (not all samples target all of these extensions)\r\nFile type | File extensions\r\nDocument files | .txt, .csv, .doc, .docx, .xls, .xlsx, .pdf\r\nWhatsApp databases | .db.crypt5 to .db.crypt12\r\nGeolocation-related files | .kml, .kmz, .gmx, .aqm\r\nAudio files | .mp3, .opus\r\nVideos | .mp4, .amr, .wmv, .3gp\r\nPictures | .jpeg, .jpg\r\nOf note is one specific application that had a different purpose from the others. 
This application has the same encryption routine as other Urpage applications. Instead of stealing documents or images, it works on top of a modified version of the legitimate Threema, an end-to-end encrypted messaging application, to steal screenshots of messages.\r\nThis application has the same icon and label as the legitimate Threema. Once launched, it drops a modified APK version of Threema and prompts the user to install it. The malicious application then hides its icon on the device but keeps running in the background, while the modified Threema works as normal. Unknown to the user, the code inserted into the modified Threema takes a screenshot of the app every 10 seconds. These images are stored in the /sdcard/Android/data/ch.threema.app/DataData directory, while the “dropper” (the malicious application working in the background) uploads the images to the C\u0026C for the threat actor to access.\r\nFigure 2. Comparison of legitimate Threema code (left) to the modified version (right) with the inserted code\r\nOther activities\r\nAside from acting as C\u0026C servers and distributing Bahamut-like malware, some of these websites also host other malicious documents. These other activities further establish the link of Urpage — and consequently Bahamut — to other threat actors.\r\nTake, for example, the previously mentioned pikrpro[.]eu. 
This C\u0026C website hosts not only the malicious Android application but also the two other malicious documents listed here.\r\n- A malicious RTF file that exploits CVE-2017-8750 and drops a malicious VB backdoor with C\u0026C appswonder[.]info\r\n- A malicious InPage file that exploits CVE-2017-12824 and drops two files, one non-malicious and one a malicious VB backdoor with C\u0026C referfile[.]com\r\nTalos recently reported both C\u0026C domain names in connection with one type of campaign that targets iOS and involves MDM, and another type using VB and Delphi backdoors. This leads us back to the Confucius and Patchwork link.\r\nThe Confucius Link\r\nIn our previous entry, we already discussed how Confucius used the same Delphi file stealer as Urpage. Digging into Urpage, we found another link: two malicious RTF files that exploit different vulnerabilities but download a similar script (detected as TROJ_POWLOAD.GAA) containing two base64-encoded URLs. One of the URLs is for the decoy document, while the other is for the payload.\r\nOne of the RTF files was found on a server related to Confucius (f1a54dca2fdfe59ec3f537148460364fb5d046c9b4e7db5fc819a9732ae0e063, detected as TROJ_CVE201711882.AG), while the other one (434d34c0502910c562f5c6840694737a2c82a8c44004fa58c7c457b08aac17bd, detected as Mal_CVE20170199-2) downloaded a VB backdoor that pings back to twitck[.]com, a domain name belonging to Urpage.\r\nThe Patchwork Link\r\nPatchwork also shares the Delphi file stealer with Urpage, which suggests the three groups are somehow related. This link is further fortified by the Android applications we found whose code is like that of Bahamut, with a C\u0026C matching the usual domain registration pattern of the Patchwork group, as well as an infrastructure close to an old Patchwork domain. 
Of note was how the C\u0026C was not encrypted in the application code, despite the fact that the application contained the same encryption routines as other samples. Patchwork has also recently employed Android malware in its attacks, with its use of a customized version of AndroRAT.\r\nSummary\r\nThe many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear out of nowhere. This may even suggest that a single development team is behind these attacks — perhaps a single paid group that has sold its tools and services to other groups with different goals and targets. We have summarized all the mentioned findings in the table below.\r\nFinding | Urpage | Bahamut | Confucius | Patchwork\r\n\"BioData\" Delphi backdoor and file stealer | X | | X | X\r\nVB backdoor | X | | |\r\nAndroid \"Bahamut-like\" malware | X | X | | X\r\nCustom Android malware | | | X |\r\nAndroRAT Android malware | | | | X\r\nInPage malicious documents | X | | X |\r\nSimply obfuscated HTA downloaders | X | | X |\r\niOS malware | X | | |\r\nConfucius malware | | | X |\r\nremote-access-c3 backdoor | | | X |\r\nSneepy/Byebye shell malware | | | X |\r\nPython cloud file stealers | | | X |\r\nAllaKore RAT | | | X |\r\nBadnews malware | | | | X\r\nQuasarRAT | | | | X\r\nNDiskMonitor malware | | | | X\r\nTargets\r\nWe did not find Urpage victims in our telemetry, likely because of the targeted nature of these attacks. However, the domains used by Urpage provide hints about its targets.\r\nFor one, there is the domain pikrpro[.]eu and its subdomains, islamicfinderfeedback[.]pikrpro[.]eu and memrifilesforinfo[.]pikpro[.]eu. 
The two pose as legitimate groups and websites that provide services to followers of Islam and users from the Middle East.\r\nAdditionally, many of the files related to the Urpage domains are self-extracting archives that drop a Delphi or VB backdoor and open a decoy document. The decoy documents tell more about Urpage's possible targets, as they contain text from articles about the region of Kashmir. The header of a sample document is shown below.\r\n[Image: header of a sample decoy document]\r\nThe decoy documents can also be image files with the same theme, as shown here.\r\n[Image: decoy image with the same Kashmir theme]\r\nMultiple Android applications further support this notion, as they provide services based on the interests of users in that region. There are malicious applications that provide services related to religion, as well as to popular sports in the region.\r\nFigure 3. Malicious application for observing Ramadan\r\nFigure 4. Malicious application for cricket news\r\nSolutions and Mitigation\r\nTaking note of these similarities and connections can help organizations and users in their continued defense against Urpage, Bahamut, Confucius, and Patchwork. The connection of Urpage to the other three threat actors demonstrates that cyberattacks do not exist in silos and hints at a circulation of knowledge and technologies that helps the continuing evolution of different malicious campaigns. Given this knowledge, organizations must be more vigilant in monitoring threats, as changes in one may mean that changes in others could follow.\r\nOrganizations can develop defenses against the social engineering component these four threat actors have in common. Users should be able to identify the indicators of a social engineering campaign. 
Paying close attention to the domain name of a website before taking any further action can also help mitigate threats, including targeted threats like Urpage.\r\nAs an additional defense against the growing use of malicious mobile applications, enterprises and end users can benefit from multilayered mobile security solutions such as Trend Micro™ Mobile Security for Android™, which is also available on Google Play. Trend Micro’s Mobile App Reputation Service (MARS) covers Android and iOS threats using leading sandbox and machine learning technologies. It can protect users against malware, zero-day and known exploits, privacy leaks, and application vulnerabilities.\r\nFor organizations, Trend Micro™ Mobile Security for Enterprise provides device, compliance and application management, data protection, and configuration provisioning. It also protects devices from attacks that leverage vulnerabilities, preventing unauthorized access to apps, as well as detecting and blocking malware and fraudulent websites.\r\nThe Trend Micro™ Deep Discovery™ threat protection platform enables organizations to detect, analyze, and respond to modern threats such as sophisticated malware, targeted attacks, and APTs.\r\nTrend Micro™ Smart Protection for Endpoints with Maximum XGen™ security infuses high-fidelity machine learning into a blend of threat protection techniques to eliminate security gaps across user activity and any endpoint, offering the broadest possible protection against advanced attacks.\r\nThe appendix linked from the original post contains the latest Indicators of Compromise (IOCs) related to the different groups.\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/the-urpage-connection-to-bahamut-confucius-and-patchwork/"
	],
	"report_names": [
		"the-urpage-connection-to-bahamut-confucius-and-patchwork"
	],
	"threat_actors": [
		{
			"id": "732bfd4b-8c15-42a5-ac4b-14a9a4b902e9",
			"created_at": "2022-10-25T16:07:23.38079Z",
			"updated_at": "2026-04-10T02:00:04.574399Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "ETDA:Bahamut",
			"tools": [
				"Bahamut",
				"DownPaper"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "37714790-40c0-4b6b-8e49-1c8f45a0463f",
			"created_at": "2022-10-25T16:07:24.37091Z",
			"updated_at": "2026-04-10T02:00:04.961707Z",
			"deleted_at": null,
			"main_name": "Urpage",
			"aliases": [],
			"source_name": "ETDA:Urpage",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f99641e0-2688-47b0-97bc-7410659d49a0",
			"created_at": "2023-01-06T13:46:38.802141Z",
			"updated_at": "2026-04-10T02:00:03.106084Z",
			"deleted_at": null,
			"main_name": "Bahamut",
			"aliases": [],
			"source_name": "MISPGALAXY:Bahamut",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "8fddd571-37dc-4bb2-84b4-e41ac6fd11f5",
			"created_at": "2024-02-08T02:00:04.32487Z",
			"updated_at": "2026-04-10T02:00:03.584509Z",
			"deleted_at": null,
			"main_name": "Urpage",
			"aliases": [],
			"source_name": "MISPGALAXY:Urpage",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ada9e5d3-1cb2-4b70-a3c8-96808c304ac8",
			"created_at": "2022-10-25T15:50:23.6515Z",
			"updated_at": "2026-04-10T02:00:05.352078Z",
			"deleted_at": null,
			"main_name": "Windshift",
			"aliases": [
				"Windshift",
				"Bahamut"
			],
			"source_name": "MITRE:Windshift",
			"tools": [
				"WindTail"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434914,
	"ts_updated_at": 1775792030,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a110d78ce9322857fd7d8f5f6d90f1eb6eb07c3e.pdf",
		"text": "https://archive.orkl.eu/a110d78ce9322857fd7d8f5f6d90f1eb6eb07c3e.txt",
		"img": "https://archive.orkl.eu/a110d78ce9322857fd7d8f5f6d90f1eb6eb07c3e.jpg"
	}
}