{
	"id": "93285cae-1858-474e-a2d6-7080e1c12cc4",
	"created_at": "2026-04-06T00:14:13.548223Z",
	"updated_at": "2026-04-10T03:33:38.118013Z",
	"deleted_at": null,
	"sha1_hash": "ae53a415e782e83dafff48a3d2a55f2bf2c85d39",
	"title": "Threat Group Cards: A Threat Actor Encyclopedia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49954,
	"plain_text": "Threat Group Cards: A Threat Actor Encyclopedia\r\nArchived: 2026-04-05 17:00:47 UTC\r\nTool: sctrls\r\nNames sctrls\r\nCategory Malware\r\nType Reconnaissance, Backdoor, Downloader\r\nDescription\r\n(Trend Micro) The sctrls backdoor has these functions:\r\n• Compute the unique identifier (hash) from the username and computer name.\r\n• Register a new user on the C\u0026C server; this registration creates a new folder with hash name (\u003csome_name\u003e.php?b=\u003chash\u003e).\r\n• Read contents of the folder with the hash name from the C\u0026C server, then download and run executables from that particular folder.\r\nThe malware operators can then upload binaries of shells or file stealers that will be executed into the respective folders. The directories of their C\u0026C server were unsecured, and we were able to access all their registered victims (hashes) - numbering around 50 - as well as the other backdoors and file stealers in their employ.\r\nInformation\r\n\u003chttps://documents.trendmicro.com/assets/research-deciphering-confucius-cyberespionage-operations.pdf\u003e\r\nLast change to this tool card: 20 April 2020\r\nAll groups using tool sctrls\r\nChanged Name Country Observed\r\nAPT groups\r\n  Confucius 2013-Aug 2021  \r\n1 group listed (1 APT, 0 other, 0 unknown)\r\n\nSource: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f169f172-39e0-4605-bc70-6a4fd090f0b6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=f169f172-39e0-4605-bc70-6a4fd090f0b6"
	],
	"report_names": [
		"listgroups.cgi?u=f169f172-39e0-4605-bc70-6a4fd090f0b6"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434453,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ae53a415e782e83dafff48a3d2a55f2bf2c85d39.pdf",
		"text": "https://archive.orkl.eu/ae53a415e782e83dafff48a3d2a55f2bf2c85d39.txt",
		"img": "https://archive.orkl.eu/ae53a415e782e83dafff48a3d2a55f2bf2c85d39.jpg"
	}
}