{
	"id": "fe243f45-3b83-462e-a463-ae4f7abacd86",
	"created_at": "2026-04-06T00:22:02.184835Z",
	"updated_at": "2026-04-10T13:11:36.261303Z",
	"deleted_at": null,
	"sha1_hash": "eed0eaf3a568cf19e8ad3954ddea66a034e0b408",
	"title": "Confucius Says...Malware Families Get Further By Abusing Legitimate Websites",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1548176,
	"plain_text": "Confucius Says...Malware Families Get Further By Abusing\r\nLegitimate Websites\r\nBy Tom Lancaster, Micah Yates\r\nPublished: 2016-09-28 · Archived: 2026-04-05 20:41:46 UTC\r\nIntroduction\r\nWhen malware wants to communicate home, most families use domain names, allowing them to resolve host names to the IP\r\naddresses of their servers. In order to increase the likelihood of their malware successfully communicating home,\r\ncyber espionage threat actors are increasingly abusing legitimate web services, in lieu of DNS lookups, to retrieve\r\na command and control address. This negates the requirement to make DNS requests for domains that may be\r\nconsidered malicious and are therefore blocked. For attackers, that's an advantage because it allows their initial\r\ncommunications channel to be obscured amongst other traffic to legitimate services.\r\nThis blog post examines two similar malware families that utilize the aforementioned technique to abuse\r\nlegitimate websites, their connections to each other, and their connections to known espionage campaigns. The\r\nfirst, which we call ‘CONFUCIUS_A’, is a malware family that has links to a series of attacks associated with a\r\nbackdoor commonly known as SNEEPY (aka ByeByeShell), first reported by Rapid7 in 2013. The\r\nsecond, which we call ‘CONFUCIUS_B’, has a loose link to the series of attacks associated with\r\nOperation Patchwork and The Hangover Report.\r\nConfucius says… resolve your command and control domains using web services.\r\nIn 2013, Rapid7 reported on a series of relatively amateur attacks against Pakistani targets. For a long time after\r\nthe report was published, little changed in how the attackers operated. Although many of the attacks we see today\r\nfrom the group remain the same, we began observing a new backdoor, CONFUCIUS_A, being dropped by the\r\nattackers starting in early 2014. 
Specifically, the command and control addresses used across multiple SNEEPY\r\nsamples were being used by CONFUCIUS_A samples. In the case of just one or two samples, without temporal\r\noverlap, this may not be deemed a strong link to CONFUCIUS_A; however, it occurs across a great deal of the\r\ninfrastructure we have observed.\r\nIn most cases where we have been able to identify the droppers, the attack begins with an executable file being\r\nsent directly to targets via e-mail. Occasionally the attackers leverage builders for known document exploits, but\r\nmost of the time they still use self-extracting binaries. The themes of the phishing e-mails vary according to the\r\ntarget, but invariably the file is compiled with an icon that matches the expected content. Examples of the themes\r\nused in attacks using CONFUCIUS_A and the surrounding cluster of activity include:\r\nInvitations to events relevant to the recipients\r\nPornographic material\r\nFake updates to popular software products\r\nNews content\r\nhttps://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/\r\nPage 1 of 15\n\nPolitical content\r\nWe have limited evidence of who the targets are, but they appear to primarily be based in the Middle East and\r\nparts of Asia, with a focus on Pakistan. In addition to those targets, there are occasional targets seen at enterprises\r\nacross the globe.\r\nEarly samples of the CONFUCIUS_A malware did not use any legitimate web services for DNS resolution;\r\nhowever, more recent samples of the CONFUCIUS_A malware use a range of legitimate web services to resolve\r\ncommand and control addresses, the highest profile of which are Yahoo and Quora. The malware was given its\r\nname based on the content of one of the first pages we saw being retrieved to determine a command and control\r\naddress, which is written in the style of a ‘Confucius says’ joke. 
See Figure 1.\r\nFigure 1 – An example of a Quora page contacted by the malware.\r\nSometimes malware communicates with legitimate web services simply to perform a connectivity check, but in\r\nthis case the page was too specific to suggest that was what the attackers were doing, so we decided to investigate\r\nhow the malware processed the resulting content.\r\nIf this is the question, what is the answer?\r\nFor the purposes of illustrating how the command and control address is decoded, we will look at the sample with\r\nSHA256: a21b956e1be9dcfa8a28c38dc0bb0657508b5588bcf1435052700aea22910d7d. This sample of the\r\nmalware requests the page shown below in order to determine what IP to POST to.\r\nFigure 2 – The Quora page contacted by the malware to retrieve its command and control address.\r\nReading through the answer, it all makes sense until the highlighted section is reached. By looking at the\r\nunderlying code, we found that CONFUCIUS_A is looking for keywords between the phrases “suggested options\r\nare” and “hope it will help” and decoding the interim phrase. The decoding is done using a simple lookup table, as\r\nshown in Figure 3.\r\nFigure 3 – A memory dump from a CONFUCIUS_A sample showing the lookup table used by the malware; the\r\ntable is truncated for presentation purposes.\r\nThe lookup table begins with the markers for the beginning and end of the useful content, and then contains 255\r\nwords, each of which corresponds to a number (for example prudent == 255). 
Using this lookup table in memory,\r\nthe malware can then derive the command and control address from the text between the markers: “fill plate clever road”\r\nbecomes 91.210.107[.]104.\r\nFigure 4 – HTTP POST request made to the command and control server\r\nAdditional malware contacting Yahoo and Quora\r\nDuring our investigation into the CONFUCIUS_A malware, one of the ways we tried to identify variations of the\r\nbackdoor was by looking for samples that communicated with the same legitimate services as known\r\nCONFUCIUS_A samples. In doing so, we encountered another set of samples exhibiting very similar behavior,\r\nwhich we refer to as CONFUCIUS_B due to their similarity and their likely shared origins. Unfortunately, we\r\nhave fewer details about how CONFUCIUS_B malware is delivered or the targets it intends to hit.\r\nFor the purposes of this write-up we will follow the chain of dropped files from the dropper with SHA256:\r\n627724fa447e3937f3cdc5388285935a52d6970a616f4ac3d02e583d160cbfc0.\r\nEnter CONFUCIUS_B…\r\nAt first glance CONFUCIUS_B looks very similar to CONFUCIUS_A, and both are packaged in plain SFX\r\nbinary files. The CONFUCIUS_B executable is disguised as a PowerPoint presentation, using a Right-To-Left-Override (RTLO) trick and a false icon. When executed, the self-extracting RAR package drops four files to the\r\n%AppData% folder, as shown in Figure 5.\r\nFigure 5 – The files dropped by CONFUCIUS_B\r\nFancy.vbs executes fancy.bat, which in turn opens the presentation and runs the second stage executable\r\nsvchost.exe. 
As with CONFUCIUS_A, the initial beacons from this svchost.exe are also to Yahoo and Quora, but\r\nthe pages contacted, whilst odd, did not contain any obvious markers; rather, they appeared to be entirely gibberish:\r\nFigure 6 – An example Quora page contacted by the malware.\r\nSo far, the execution chain, involving an SFX RAR and multiple scripts, is similar to some samples of SNEEPY,\r\nwhich we associate with CONFUCIUS_A, but this is where CONFUCIUS_A and\r\nCONFUCIUS_B begin to diverge. Svchost.exe has a custom obfuscation scheme not seen in CONFUCIUS_A.\r\nThis obfuscation allows us to quickly identify all of the CONFUCIUS_B variants; their hashes are included at the\r\nend of this post. The obfuscation routine is given in Figure 7.\r\nFigure 7 – The obfuscation routine shared across all CONFUCIUS_B samples.\r\nUnderneath that custom obfuscation lies a UPX packed executable which contains the Yahoo and Quora\r\nfunctionality that originally piqued our interest. After unpacking the UPX code, we began reverse engineering the\r\nresulting binary to see how CONFUCIUS_B interacted with the Yahoo and Quora pages it initially requested. We\r\ndiscovered that CONFUCIUS_B pieces together its DNS resolution from keywords in the Yahoo and Quora posts\r\nin a manner similar to that of CONFUCIUS_A.\r\nCONFUCIUS_B takes certain keywords in the Quora and Yahoo pages and applies them to a lookup table in\r\nmemory. Using that lookup table, an IP address to POST to is derived. 
The way this is done can be seen in a\r\nmemory dump from the running process when it contacts a relevant address, for example as shown in Figure 8.\r\nFigure 8 – A memory dump of a CONFUCIUS_B sample illustrating the lookup table and initial beacon address.\r\nThe lookup table takes key words and assigns them numbers, or a ‘.’ character, in order to build an IP address, and\r\nis arranged as shown in Table 1.\r\nlove 0\r\nhate 1\r\nfire 2\r\ncouple 3\r\ngreen 4\r\nweed 5\r\nblock 6\r\nparty 7\r\nnatural 8\r\nhopeful 9\r\nor .\r\nTable 1 – Lookup table used by the malware to determine its command and control address.\r\nBy applying the lookup table to the Quora page shown in Figure 6, we can derive the IP the malware will POST to\r\nnext for further communications.\r\nApplying our lookup table gives us an address of 149.202.110[.]2.\r\nThis method of substituting words for components of an IP address, and the repeated use of Yahoo and Quora, are\r\nnovel, which suggests it is likely that the same malware author, or group of malware authors, authored both\r\nbackdoors.\r\nLink to Patchwork and test samples\r\nThe domain “com-account-jfnjkr[.]xyz” is linked to the CONFUCIUS_B attacks as it was a C2 for the sample\r\nc975954fbb473ed8ce3a98ca2c4977bf22d2413db01eda87599524969565836f, which downloads CONFUCIUS_B.\r\nOn May 24, 2016, the same domain hosted the sample\r\n8cfd559756630d967bb597b087af98adc75895a1ec52586d53a2d898e4a6e9b0, a basic file stealer malware\r\nassociated with the Patchwork attackers via a shared mutex: {9754893678976458374658764387563876}.\r\nAll of the CONFUCIUS_B samples share the same mutex, “rCkBs1Uj493NaMXYY1LZ”. 
Pivoting through\r\nsamples in Palo Alto Networks AutoFocus, we were able to find what appears to be an early test sample of the\r\nmalware that creates the same mutex; the SHA256 of the sample is\r\n0bd7db12ba8d9ce9d29983ef76205864dce146eb14cebe32a3431f994cc770ee. We believe it is a test sample, as the\r\nconfigured command and control domain for this sample is ‘breachframework[.]com’. This can also be linked\r\nback to a known CONFUCIUS_B sample via a shared SSL certificate. Breachframework[.]com previously resolved\r\nto 5.135.85[.]16, which used the certificate f6438919d27d08aa545e2f90b58d445cccac6c09; the same certificate\r\nwas used by 104.23.35[.]15, a known command and control address for CONFUCIUS_B. These relationships are\r\nsummarized in Figure 9.\r\nFigure 9 – An overview of the link to the test infrastructure.\r\nConclusion\r\nIn this blog post, we discussed two separate malware variations that behave in very similar ways and use similar\r\ntechniques to acquire a C2 address, with both using Yahoo Answers and Quora to evade traditional mechanisms\r\nfor blocking command and control domains. Although we cannot link the two clusters of activity by their\r\ninfrastructure, the technique used to resolve domains is unusual. We also believe that both clusters of activity have\r\nlinks to attacks with likely Indian origins: the CONFUCIUS_A attacks are linked to the use of\r\nSNEEPY/BYEBYESHELL and the CONFUCIUS_B attacks have a loose link to Hangover. The two malware families\r\nthemselves are also very similar, and therefore we think that the shared technique is an indication of a single\r\ndeveloper, or development company, behind both CONFUCIUS_A and CONFUCIUS_B. 
It is likely, however, that the two\r\nclusters of activity are operated by two different operators, as the command and control infrastructure\r\nused by each cluster differs in its choice of hosting providers.\r\nPalo Alto Networks AutoFocus customers can further explore these malware families and related campaigns with\r\nthe tags:\r\nConfucious_A\r\nConfucious_B\r\nApacheStealer\r\nSneepy\r\nAll samples discussed in the blog and those in the appendix are detected as malicious by WildFire.\r\nIPS customers are protected by IPS signature 14150.\r\nExemplary hashes, command and control domains and resolver URLs are given below.\r\n
Source: https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites/"
	],
	"report_names": [
		"unit42-confucius-says-malware-families-get-further-by-abusing-legitimate-websites"
	],
	"threat_actors": [
		{
			"id": "bbf66d2d-3d20-4026-a2b5-56b31eb65de4",
			"created_at": "2025-08-07T02:03:25.123407Z",
			"updated_at": "2026-04-10T02:00:03.668131Z",
			"deleted_at": null,
			"main_name": "ZINC EMERSON",
			"aliases": [
				"Confucius ",
				"Dropping Elephant ",
				"EHDevel ",
				"Manul ",
				"Monsoon ",
				"Operation Hangover ",
				"Patchwork ",
				"TG-4410 ",
				"Viceroy Tiger "
			],
			"source_name": "Secureworks:ZINC EMERSON",
			"tools": [
				"Enlighten Infostealer",
				"Hanove",
				"Mac OS X KitM Spyware",
				"Proyecto2",
				"YTY Backdoor"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7a8dbc5e-51a8-437a-8540-7dcb1cc110b8",
			"created_at": "2022-10-25T16:07:23.482856Z",
			"updated_at": "2026-04-10T02:00:04.627414Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"G0142"
			],
			"source_name": "ETDA:Confucius",
			"tools": [
				"ApacheStealer",
				"ByeByeShell",
				"ChatSpy",
				"Confucius",
				"MY24",
				"Sneepy",
				"remote-access-c3",
				"sctrls",
				"sip_telephone",
				"swissknife2"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7ea1e0de-53b9-4059-802f-485884180701",
			"created_at": "2022-10-25T16:07:24.04846Z",
			"updated_at": "2026-04-10T02:00:04.84985Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"APT-C-09",
				"ATK 11",
				"Capricorn Organisation",
				"Chinastrats",
				"Dropping Elephant",
				"G0040",
				"Maha Grass",
				"Quilted Tiger",
				"TG-4410",
				"Thirsty Gemini",
				"Zinc Emerson"
			],
			"source_name": "ETDA:Patchwork",
			"tools": [
				"AndroRAT",
				"Artra Downloader",
				"ArtraDownloader",
				"AutoIt backdoor",
				"BADNEWS",
				"BIRDDOG",
				"Bahamut",
				"Bozok",
				"Bozok RAT",
				"Brute Ratel",
				"Brute Ratel C4",
				"CinaRAT",
				"Crypta",
				"ForeIT",
				"JakyllHyde",
				"Loki",
				"Loki.Rat",
				"LokiBot",
				"LokiPWS",
				"NDiskMonitor",
				"Nadrac",
				"PGoShell",
				"PowerSploit",
				"PubFantacy",
				"Quasar RAT",
				"QuasarRAT",
				"Ragnatela",
				"Ragnatela RAT",
				"SocksBot",
				"TINYTYPHON",
				"Unknown Logger",
				"WSCSPL",
				"Yggdrasil"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c81067e0-9dcb-4e3f-abb0-80126519c5b6",
			"created_at": "2022-10-25T15:50:23.285448Z",
			"updated_at": "2026-04-10T02:00:05.282202Z",
			"deleted_at": null,
			"main_name": "Patchwork",
			"aliases": [
				"Hangover Group",
				"Dropping Elephant",
				"Chinastrats",
				"Operation Hangover"
			],
			"source_name": "MITRE:Patchwork",
			"tools": [
				"NDiskMonitor",
				"QuasarRAT",
				"BackConfig",
				"TINYTYPHON",
				"AutoIt backdoor",
				"PowerSploit",
				"BADNEWS",
				"Unknown Logger"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "053574fc-5d11-4a41-9741-057e111c7a39",
			"created_at": "2023-11-08T02:00:07.157454Z",
			"updated_at": "2026-04-10T02:00:03.429471Z",
			"deleted_at": null,
			"main_name": "Confucious",
			"aliases": [],
			"source_name": "MISPGALAXY:Confucious",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "caf95a6f-2705-4293-9ee1-6b7ed9d9eb4c",
			"created_at": "2022-10-25T15:50:23.472432Z",
			"updated_at": "2026-04-10T02:00:05.352882Z",
			"deleted_at": null,
			"main_name": "Confucius",
			"aliases": [
				"Confucius",
				"Confucius APT"
			],
			"source_name": "MITRE:Confucius",
			"tools": [
				"WarzoneRAT"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434922,
	"ts_updated_at": 1775826696,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eed0eaf3a568cf19e8ad3954ddea66a034e0b408.pdf",
		"text": "https://archive.orkl.eu/eed0eaf3a568cf19e8ad3954ddea66a034e0b408.txt",
		"img": "https://archive.orkl.eu/eed0eaf3a568cf19e8ad3954ddea66a034e0b408.jpg"
	}
}