Clankerusecase
Threat-actor profile
 ← Back to main site
Home/ Threat Actors/ Confucius

🌐Confucius

🌐 Confucius is a tracked threat actor in the Clankerusecase corpus. ??-aligned. Primary motivation: State. We map 14 detection use cases to this actor across 19 MITRE ATT&CK techniques, with 0 threat-intel articles citing them.

View full actor card → All threat actors MITRE ATT&CK group spec (G0142) ↗
14Use cases
0Articles
19Techniques
0IOCs

About this actor (MITRE)

[Confucius](https://attack.mitre.org/groups/G0142) is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between [Confucius](https://attack.mitre.org/groups/G0142) and [Patchwork](https://attack.mitre.org/groups/G0040), particularly in their respective custom malware code and targets.(Citation: TrendMicro Confucius APT Feb 2018)(Citation: TrendMicro Confucius APT Aug 2021)(Citation: Uptycs Confucius APT Jan 2021)

Known aliases

ConfuciusConfucius APT

Top techniques

T1041 · Exfiltration Over C2 ChannelT1053.005 · Scheduled TaskT1059.001 · PowerShell

All other tracked techniques

T1059.005 · Visual BasicT1071.001 · Web ProtocolsT1083 · File and Directory DiscoveryT1105 · Ingress Tool TransferT1119 · Automated CollectionT1203 · Exploitation for Client ExecutionT1204.001 · Malicious LinkT1204.002 · Malicious FileT1218.005 · MshtaT1221 · Template InjectionT1547.001 · Registry Run Keys / Startup FolderT1566.001 · Spearphishing AttachmentT1566.002 · Spearphishing LinkT1567.002 · Exfiltration to Cloud StorageT1583.006 · Web ServicesT1680 · Local Storage Discovery

Detection use cases (14)

Confucius lure-doc chain: Office template injection / Equation Editor spawning mshta.exe or PowerShell to fetch remote payload AI · profile SΣ Confucius staged exfil: archive of user docs followed by HTTPS upload to public cloud storage by non-browser process AI · profile S Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes MITRE match Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN MITRE match Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) MITRE match Developer package install spawning script-host with non-registry C2 within 5 minutes MITRE match Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) MITRE match Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution MITRE match Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress MITRE match Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes MITRE match OAuth Device-Code Consent Phish to Cross-IP Cloud Token Replay MITRE match Package Manager / Dev-Tool Auto-Execution Triggers Non-Registry Egress or Credential-Store Access MITRE match Package Manager Install Spawning Outbound Egress to Non-Registry Infrastructure Within 5 Minutes MITRE match Package manager lifecycle hook spawns network-fetching shell or runtime MITRE match