{
	"id": "e90b3a9f-6791-4f6e-bd5b-1dc69f01dfee",
	"created_at": "2026-04-06T00:13:25.383231Z",
	"updated_at": "2026-04-10T03:33:38.106414Z",
	"deleted_at": null,
	"sha1_hash": "c2273eba6ef71613e99154a831f18fca5f7b5326",
	"title": "Confucius APT Android Spyware Linked to India-Pakistan Conflict",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2083162,
	"plain_text": "Confucius APT Android Spyware Linked to India-Pakistan\r\nConflict\r\nBy Lookout\r\nPublished: 2021-02-10 · Archived: 2026-04-05 14:49:35 UTC\r\nThe Lookout Threat Intelligence team has discovered two novel Android surveillanceware – Hornbill and\r\nSunBird. We believe with high confidence that these surveillance tools are used by the advanced persistent threat\r\ngroup (APT) Confucius, which first appeared in 2013 as a state-sponsored, pro-India actor primarily pursuing\r\nPakistani and other South Asian targets.[1][2]\r\nWhile primarily known for desktop malware, the Confucius group was previously reported to have started\r\nleveraging mobile malware in 2017, with the Android surveillanceware ChatSpy.[3] However, our discovery of\r\nSunBird and Hornbill shows that Confucius may have been spying on mobile users up to a year before it started\r\nusing ChatSpy.\r\nTargets of these tools include personnel linked to Pakistan’s military, nuclear authorities, and Indian election\r\nofficials in Kashmir. Hornbill and SunBird have sophisticated capabilities to exfiltrate SMS, encrypted messaging\r\napp content, and geolocation, among other types of sensitive information.\r\nSunBird has been disguised as applications that include:\r\nSecurity services, such as the fictional “Google Security Framework”\r\nApps tied to specific locations (“Kashmir News”) or activities (“Falconry Connect” and “Mania Soccer”)\r\nIslam-related applications (“Quran Majeed”).\r\nThe majority of applications appear to target Muslim individuals.\r\nLookout named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh, where the\r\ndevelopers of Hornbill are located. 
SunBird’s name was derived from the malicious services within the malware\r\ncalled “SunService” and the sunbird is also native to India.\r\nMalicious functionality and impact of both SunBird and Hornbill\r\nhttps://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict\r\nPage 1 of 15\n\nHornbill and SunBird have both similarities and differences in the way they operate on an infected device. While\r\nSunBird features remote access trojan (RAT) functionality – malware that can execute commands on an infected\r\ndevice as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of\r\ninterest to its operator.\r\nBoth malware families can exfiltrate a wide range of data, such as:\r\nCall logs\r\nContacts\r\nDevice metadata including phone number, IMEI/Android ID, model, manufacturer and Android\r\nversion\r\nGeolocation\r\nImages stored on external storage\r\nWhatsApp voice notes, if installed\r\nBoth malware families are also able to perform the following actions on device:\r\nRequest device administrator privileges\r\nTake screenshots, capturing whatever a victim is currently viewing on their device\r\nTake photos with the device camera\r\nRecord environment and call audio\r\nScrape WhatsApp messages and contacts via accessibility services\r\nScrape WhatsApp notifications via accessibility services\r\nSunBird-specific functionality\r\nSunBird has a more extensive set of malicious capabilities than Hornbill. It attempts to upload all data it has\r\naccess to at regular intervals to its command and control (C2) servers. 
Locally on the infected device, the data is\r\ncollected in SQLite databases which are then compressed into ZIP files as they are uploaded to C2 infrastructure.\r\nSunBird can exfiltrate the following list of data, in addition to the list above:\r\nList of installed applications\r\nBrowser history\r\nCalendar information\r\nBlackBerry Messenger (BBM) audio files, documents and images\r\nWhatsApp audio files, documents, databases, voice notes and images\r\nContent sent and received via the IMO instant messaging application\r\nIn addition to the list of actions above, SunBird can also perform the following actions:\r\nDownload attacker-specified content from FTP shares\r\nRun arbitrary commands as root, if possible\r\nScrape BBM messages and contacts via accessibility services\r\nScrape BBM notifications via accessibility services\r\nSamples of SunBird have been found hosted on third-party app stores, indicating one possible\r\ndistribution mechanism. Considering many of these malware samples are trojanized – as in they\r\ncontain complete user functionality – social engineering may also play a part in convincing targets\r\nto install the malware. No use of exploits was observed directly by Lookout researchers.\r\nHornbill-specific functionality\r\nIn contrast, Hornbill is more of a passive reconnaissance tool than SunBird. Not only does it target a limited set of\r\ndata, it also uploads a full set of data only when it initially runs, not at regular intervals like SunBird. After that, it\r\nonly uploads changes in data to keep mobile data and battery usage low. The upload occurs when data monitored\r\nby Hornbill changes, such as when SMS or WhatsApp notifications are received or calls are made from the\r\ndevice.\r\nHornbill is keenly interested in the state of an infected device and closely monitors the use of resources. 
For\r\nexample, if the device is low on memory, it triggers the garbage collector. In addition to the list of exfiltrated data\r\nmentioned earlier, Hornbill also collects hardware information. For example, the malware can check if a device’s\r\nscreen is locked, the amount of available internal and external storage and whether WiFi and GPS are enabled.\r\nHornbill only logs location information if it deems the change from the previously recorded location to be\r\nsignificant enough – that is, if the corresponding latitudes or longitudes differ by more than\r\n0.0006 degrees, which is roughly 70 metres.\r\nData collected by Hornbill is stored in hidden folders on external storage. Once call recordings or audio recordings\r\nare uploaded to C2 infrastructure they are deleted from the device to avoid suspicion.\r\nLocation on External Storage – Type of Data Collected\r\n/sdcard/.system0/.ia – Audio (environment) recordings\r\n/sdcard/.system0/.cr – Call recordings\r\n/sdcard/.system0/.tempo – Temporary location used for testing upload to C2 infrastructure\r\n/sdcard/.system0/.is/.iss – Screenshots\r\n/sdcard/.system0/.is/.ifcc – Front camera “clicks” (photos)\r\n/sdcard/.system0/.is/.ircc – Rear camera “clicks” (photos)\r\nHornbill uses a unique set of server paths to communicate to C2 infrastructure. 
These are listed below along with\r\nwhat action Hornbill takes when sending HTTP POST requests to each.\r\nUnique Server Paths – Action\r\n/SignUp – Registers either a Device ID or User ID with a hardcoded password for further data\r\nexfiltration\r\n/UploadFile – Uploads file\r\n/SaveMessages – Bulk saves messages\r\n/SaveCallLogs – Bulk saves call logs\r\n/SaveContactDetails – Bulk saves contacts\r\n/SaveGpsDetails – Bulk saves GPS location\r\n/UpdateMobileState – Saves directory structure\r\n/UpdateMobileState – Queries C2 for queued and removed commands\r\nThe operators behind Hornbill are extremely interested in a user’s WhatsApp communications. In addition to\r\nexfiltrating message content and sender information of messages, Hornbill records WhatsApp calls, detecting\r\nan active call by abusing Android’s accessibility services. The exploitation of Android’s accessibility services in\r\nthis manner is a trend we are observing frequently in Android surveillanceware. It enables the threat actor to\r\navoid the need for privilege escalation on a device.\r\nLastly, Hornbill searches for and monitors activity on any documents stored on external storage with the following\r\nsuffixes: \".doc\", \".pdf\", \".ppt\", \".docx\", \".xlsx\", \".txt\". Whenever a document is created, opened, closed, modified,\r\nmoved or deleted, this action is logged by Hornbill. Functionality exists to modify this list of suffixes, but is\r\nincomplete in the samples we have observed. The latest samples of Hornbill show that this malware threat may\r\nstill be under development.\r\nDevelopment timelines\r\nThe newest Hornbill sample was identified by Lookout’s app analysis engine as recently as December 2020,\r\nsuggesting the malware may still be active today. 
Both ChatSpy and Hornbill’s packaging dates appear to have\r\nbeen tampered with, but we first observed them in January 2018 and May 2018 respectively.\r\nLookout first observed SunBird in January 2017, but unlike the other two malware families, the packaging dates\r\nappear legitimate, indicating the malware was likely in development between December 2016 and early 2019.\r\nHornbill, which Lookout first saw in May 2018, is actively deployed. We observed new samples as\r\nrecently as December 2020. The first SunBird sample was seen as early as 2017 and as late as\r\nDecember 2019.\r\nTargeting\r\nTo better understand who SunBird may have been deployed against, we analyzed over 18 GB of exfiltrated data\r\nthat was publicly exposed from at least six insecurely configured C2 servers. All data uploaded to the C2\r\ninfrastructure included the locale of the infected devices. This information, combined with the data content, gave\r\nus extensive insight into who was being targeted by this malware family and the kind of information the attackers\r\nwere after.\r\nSome notable targets included an individual who applied for a position at the Pakistan Atomic Energy\r\nCommission, individuals with numerous contacts in the Pakistan Air Force (PAF), as well as officers responsible\r\nfor electoral rolls (Booth Level Officers) located in the Pulwama district of Kashmir.\r\nBased on the locale and country code information of infected devices and exfiltrated content, we\r\nthink SunBird may have roots as a commercial Android surveillanceware. The data included\r\ninformation on victims in Europe and the United States, some of which appear to be targets of\r\nspouseware or stalkerware. 
It also included data on Pakistani nationals in Pakistan, India and the\r\nUnited Arab Emirates that we believe may be targeted by Confucius APT campaigns between 2018\r\nand 2019.\r\nMalware development and commercial surveillance roots\r\nBoth Hornbill and SunBird appear to be evolved versions of commercial Android surveillance tooling. Hornbill\r\nseems to be derived from the same code base as a previously active commercial surveillanceware product known\r\nas MobileSpy.[5] It is unclear how the developers of Hornbill acquired the code, but the company behind\r\nMobileSpy, Retina-X Studios, shut down their surveillance software products in May 2018 after being hacked\r\ntwice.[6] Links between the Hornbill developers indicate they all appear to have worked together at a number of\r\nAndroid and iOS app development companies registered and operating in or near Chandigarh, Punjab, India. In\r\n2017, one developer claimed to be working at India’s Defence Research and Development Organisation (DRDO)\r\non their LinkedIn profile.\r\nSunBird looks to have been created by Indian developers who also produced another commercial spyware\r\nproduct, which we dubbed BuzzOut.[7] The theory that SunBird’s roots lay in stalkerware was also supported by\r\nthe content found in the exfiltrated data we uncovered. The data included information on stalkerware victims, as\r\nwell as Pakistani nationals living in Pakistan and traveling in the UAE and India. This data suggests that SunBird\r\ncould have been sold to an actor that selectively deployed it to gather intelligence on targeted individuals. Similar\r\nbehavior was observed with Stealth Mango and Tangelo, two nation-state mobile surveillanceware Lookout\r\nresearchers discovered in 2018.[8]\r\nExfiltrated data\r\nDuring this investigation, we were able to access exfiltrated data for SunBird whose C2 infrastructure had been\r\ninsufficiently secured.\r\nThis is a breakdown of types of data SunBird exfiltrated. This data is from publicly-accessible\r\nexfiltrated content exposed on SunBird C2 servers for 5 campaigns between 2018 and 2019. We\r\nfound another 12 GB of data exfiltrated on another C2 server, 23.82.19[.]250. The default language\r\nof this server was set up as Chinese when discovered by Lookout researchers. This may be a false\r\nflag or may have been altered by a third party. This also makes it difficult to confirm if all of the\r\ndata originated from infections of actual target devices.\r\nFrequency of infected devices’ locale and country code settings (translated to languages and\r\ncountries) as packaged within publicly-accessible exfiltrated data. This data includes both the\r\nConfucius APT targets and spouseware victims of SunBird.\r\nLeft: One particular SunBird C2 server was found to also be exposing a log file containing IP\r\naddresses of those that logged into the administrator panel. The majority of these were distributed\r\nthroughout India. Right: Geo-location data captured from a publicly-exposed database found on\r\nanother SunBird C2 IP, 23.82.19[.]250. Almost all data stored on this server referenced phone\r\nnumbers of various locations in northern India. The second most common region for phone numbers\r\nwas Pakistan.\r\nWithin the exfiltrated data, one particular victim caught our interest. This individual was using WhatsApp to\r\ncorrespond with someone applying for a position at the Pakistan Nuclear Regulatory Authority in 2017. 
In 2018,\r\nmessages were uncovered from someone applying for a position at the Pakistan Atomic Energy Commission.[9]\r\nAdditional exfiltrated data from late 2018 and early 2019 indicated that SunBird was being used to monitor Booth\r\nLevel Officers[10] responsible for field-level information regarding electoral rolls in the Pulwama district of\r\nKashmir. This time and location is significant as Pulwama suffered a suicide bombing attack in February 2019,\r\nwhich increased tensions between India and Pakistan. The start date of active monitoring of this target on C2\r\nservers coincided with the start of the Indian general elections held in April 2019.\r\nContinuous data exfiltration, which occurred every ten minutes, stopped at the end of 2018. Aside\r\nfrom one brief upload in January 2019, it suddenly picked up again on the 11th of April 2019. While\r\nthis may be coincidence, this is also the same day that the Indian general elections of 2019\r\nbegan.[12]\r\nA total of 156 victims were discovered in this new dataset and included phone numbers from India, Pakistan and\r\nKazakhstan.\r\nConfucius connection\r\nHornbill application icons impersonate various chat and system applications.\r\nSimilar to previous Confucius tactics seen with ChatSpy, Hornbill samples often impersonate chat applications\r\nsuch as Fruit Chat, Cucu Chat and Kako Chat. The related C2 infrastructure communicates on port 8080, a pattern\r\nalso seen on the desktop campaigns carried out by Confucius.[14]\r\nThe Confucius group is well known for impersonating legitimate services to cover its tracks and confuse its\r\nvictims. Naming malicious apps similar to legitimate ones may be an attempt to gain a target’s trust. 
For example,\r\n“kako chat” may have been named due to its similarity to KakaoTalk.[15] However, Kako Chat’s C2 server\r\n(chatk.goldenbirdcoin[.]com) references a defunct cryptocurrency by the same name.[16] Cucu Chat may refer to a\r\nseemingly benign dating app of the same name that is available on third-party app stores such as APKPure.[17][18]\r\nHowever, Cucu Chat communicates to the site http://wangu[.]xyz[19] (also on port 8080) and itself appears to be an\r\nimpersonation of Wangu, an application which advertises itself as a chat app for Zimbabweans.[20] The latest\r\nsample of Hornbill titled “Filos” trojanizes the Mesibo[21] Android application for legitimate chat functionality.\r\nDuring our investigation, we noticed that Hornbill C2 infrastructure hosted HTML resources consistent with a\r\ncommercial spyware page, but missing its image resources.\r\nC2 servers for Hornbill were found to host HTML content from a commercial spyware.\r\nAdditionally, Hornbill carries out data exfiltration via the following unique set of server paths:\r\nWe found that the patterns noted above also existed on another domain, samaatv[.]online. Although Lookout has\r\nnot directly observed an APK communicating to this domain, we think one likely exists. samaatv[.]online has\r\nresolved to the IP address 91.210.107[.]104 since May 2019, which encompasses the activity of this campaign.\r\nIn addition to this, we found the SunBird C2 domain pieupdate[.]online resolved to 91.210.107[.]111 between\r\nFebruary 2019 and July 2019. 
This is also the timeframe in which we observed active campaigns by SunBird on\r\nthat infrastructure.\r\nWith the help of public reporting and Lookout’s dataset, we are confident that the Confucius APT group is actively\r\nusing the IPs in the range 91.210.107[.]103–91.210.107[.]112 to host a large portion of its infrastructure, both\r\npresently and in the past.\r\nAdditional open-source intelligence (OSINT) searches confirmed the above connections. We found a publicly-accessible 2018 Pakistani government advisory warning of a desktop malware campaign targeting officers and\r\ngovernment staff. The campaign described in it used phishing emails that impersonated various government\r\nagencies to deliver malicious Microsoft Word exploits. The Indicators of Compromise (IOCs) for this campaign\r\nincluded domains that were known Confucius infrastructure, leading us to believe the entire campaign could be\r\nattributed to that group.\r\nOfficial Report from Pakistan’s Federal Bureau of Revenue on Malicious Activity.\r\nA particular point of interest on the advisory IoC list, and crucial in confirming Confucius connections, was\r\npieupdate[.]online, a C2 server for malicious desktop activity as well as SunBird mobile malware.\r\nHornbill malware has unique file paths with which to communicate with C2 servers. They also\r\ndisplay a unique Spyware HTML page. Lookout researchers uncovered another domain,\r\nsamaatv[.]online, which shares the same unique file paths and Spyware HTML page found on a\r\nHornbill C2 server, cucuchat[.]com. 
It is tied to known Confucius infrastructure by resolving to\r\n91.210.107[.]104, in the Confucius IP range.\r\nWe are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance\r\npurposes.\r\nTo the best of our knowledge the apps described in this article were never distributed through Google Play. Users\r\nof Lookout security apps are protected from these threats.\r\nLookout Threat Advisory Services customers have already been notified with additional intelligence on this and\r\nother threats. Take a look at our Threat Advisory Services page to learn more.\r\nDisclaimer\r\nThe information provided in this report is based upon discovery tools and methods which are inherently imperfect\r\nand though it is our belief the information in this report is accurate at the time of its publishing the information is\r\nprovided “as is” with all faults, and Lookout Inc., assumes no liability for its accuracy or completeness, or one's\r\nuse or reliance upon the information contained therein.\r\nSHA-1 
Hashes\r\nCommand and control 
infrastructure\r\nSource: https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.lookout.com/blog/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"
	],
	"report_names": [
		"lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "70e88fa9-d833-4d8c-be5b-cc39bcdb499a",
			"created_at": "2023-01-06T13:46:38.796488Z",
			"updated_at": "2026-04-10T02:00:03.103974Z",
			"deleted_at": null,
			"main_name": "Stealth Mango and Tangelo",
			"aliases": [],
			"source_name": "MISPGALAXY:Stealth Mango and Tangelo",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434405,
	"ts_updated_at": 1775792018,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c2273eba6ef71613e99154a831f18fca5f7b5326.pdf",
		"text": "https://archive.orkl.eu/c2273eba6ef71613e99154a831f18fca5f7b5326.txt",
		"img": "https://archive.orkl.eu/c2273eba6ef71613e99154a831f18fca5f7b5326.jpg"
	}
}