Threat Actor Profile
High APT
Description

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

Confidence Score
90%
Known Aliases
Confucius, Confucius APT
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (19)
T1119 - Automated Collection
Collection
T1071.001 - Web Protocols
Command and Control
T1105 - Ingress Tool Transfer
Command and Control
T1218.005 - Mshta
Defense Evasion
T1221 - Template Injection
Defense Evasion
T1083 - File and Directory Discovery
Discovery
T1680 - Local Storage Discovery
Discovery
T1053.005 - Scheduled Task
Execution
T1059.001 - PowerShell
Execution
T1059.005 - Visual Basic
Execution
T1203 - Exploitation for Client Execution
Execution
T1204.001 - Malicious Link
Execution
T1204.002 - Malicious File
Execution
T1041 - Exfiltration Over C2 Channel
Exfiltration
T1567.002 - Exfiltration to Cloud Storage
Exfiltration
T1566.001 - Spearphishing Attachment
Initial Access
T1566.002 - Spearphishing Link
Initial Access
T1547.001 - Registry Run Keys / Startup Folder
Persistence
T1583.006 - Web Services
Resource Development
Indicators of Compromise
STIX Data
{'aliases': ['Confucius', 'Confucius APT'],
 'created': '2021-12-26T23:11:39.442Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Confucius](https://attack.mitre.org/groups/G0142) is a cyber '
                'espionage group that has primarily targeted military '
                'personnel, high-profile personalities, business persons, and '
                'government organizations in South Asia since at least 2013. '
                'Security researchers have noted similarities between '
                '[Confucius](https://attack.mitre.org/groups/G0142) and '
                '[Patchwork](https://attack.mitre.org/groups/G0040), '
                'particularly in their respective custom malware code and '
                'targets.(Citation: TrendMicro Confucius APT Feb '
                '2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: '
                'Uptycs Confucius APT Jan 2021)',
 'external_references': [{'external_id': 'G0142',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0142'},
                         {'description': 'Lunghi, D and Horejsi, J. (2018, '
                                         'February 13). Deciphering Confucius: '
                                         "A Look at the Group's Cyberespionage "
                                         'Operations. Retrieved December 26, '
                                         '2021.',
                          'source_name': 'TrendMicro Confucius APT Feb 2018',
                          'url': 'https://www.trendmicro.com/en_us/research/18/b/deciphering-confucius-cyberespionage-operations.html'},
                         {'description': 'Lunghi, D. (2021, August 17). '
                                         'Confucius Uses Pegasus '
                                         'Spyware-related Lures to Target '
                                         'Pakistani Military. Retrieved '
                                         'December 26, 2021.',
                          'source_name': 'TrendMicro Confucius APT Aug 2021',
                          'url': 'https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html'},
                         {'description': 'Uptycs Threat Research Team. (2021, '
                                         'January 12). Confucius APT deploys '
                                         'Warzone RAT. Retrieved December 17, '
                                         '2021.',
                          'source_name': 'Uptycs Confucius APT Jan 2021',
                          'url': 'https://www.uptycs.com/blog/confucius-apt-deploys-warzone-rat'}],
 'id': 'intrusion-set--6eded342-33e5-4451-b6b2-e1c62863129f',
 'modified': '2025-04-16T20:37:36.476Z',
 'name': 'Confucius',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.2.0',
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack', 'mobile-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '1.1'}