G0142: Confucius
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.[1][2][3]
Analyst context for executives and security teams
Confucius matters because ATT&CK describes it as a long-running cyber espionage group focused on South Asian military personnel, high-profile individuals, business persons, and government organizations. For leaders, the decision value is not the name alone; it is the pattern of targeted social engineering, client-side execution, Windows persistence, remote access tooling, Android malware relationships, and data collection/exfiltration techniques that can affect sensitive communications and continuity of trusted operations.
Executive priority
Prioritize this as a targeted-espionage readiness question: can the organization prove it can detect and investigate spearphishing attachments or links, malicious documents, PowerShell/VB/mshta execution, scheduled tasks or Run Key persistence, RAT activity, and suspicious data movement to C2 or cloud storage? This is especially relevant for organizations with South Asia exposure, government or defense adjacency, executives, or mobile-device risk. Budget and audit conversations should focus on evidence quality across email, endpoint, identity, network, cloud storage, and mobile management rather than assuming a single control will cover the behavior.
Technical view
ATT&CK does not provide a dedicated detection section for Confucius, so SOC and IR teams should validate coverage through the related software and techniques. Enterprise relationships include WarzoneRAT on Windows and techniques spanning spearphishing attachment/link, malicious file/link execution, exploitation for client execution, PowerShell, Visual Basic, mshta, template injection, scheduled tasks, Registry Run Keys/Startup Folder, file/local storage discovery, automated collection, ingress tool transfer, web-protocol C2, exfiltration over C2, exfiltration to cloud storage, and use of web services. Mobile relationships include Android malware families Hornbill and Sunbird. Detection engineering should map these behaviors into end-to-end intrusion chains rather than isolated alerts.
Likely telemetry
- Email security logs for targeted attachments, links, sender metadata, URL rewriting/click events, and attachment detonation results.
- Endpoint process, command-line, script, module, and parent-child execution telemetry for PowerShell, Visual Basic, mshta.exe, document-spawned processes, and downloaded payloads.
- Windows persistence telemetry for scheduled task creation/modification and Registry Run Key or Startup Folder changes.
- File system and discovery telemetry showing unusual enumeration of files, directories, local storage, and staged collection activity.
- Network telemetry for HTTP/S or other web-protocol command-and-control patterns, unusual outbound connections, and tool transfer activity.
Detection direction
- Build correlation around the sequence: targeted email or link exposure, user execution, script or LOLBin activity, persistence, discovery/collection, C2, and exfiltration.
- Tune detections for common false positives in PowerShell, scheduled tasks, Registry Run Keys, mshta.exe, cloud storage, and web traffic by using baselines for administrative tools, approved automation, and sanctioned storage services.
- Validate that malicious document behaviors are visible, including template injection indicators and document applications spawning interpreters, mshta, or download utilities.
- Review whether mobile telemetry exists at all; Android malware relationships create a coverage gap if the SOC only monitors traditional enterprise endpoints.
- Use the related techniques to drive threat hunts, but avoid treating the group name as proof of attribution without local forensic evidence and intelligence corroboration.
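The correlation the points above describe, as an added example that is not part of the original page or of MITRE ATT&CK: a small Python rule set that maps constructed endpoint events (process creation, file writes, Run key changes, scheduled-task creation, document reads, outbound connections) to chain stages and flags a host only when several distinct stages occur in one time window. The event schema, field names, host names, window sizes, thresholds and the approved-automation allowlist are all assumptions made for the example; the document extension list is the one given in this page's Automated Collection row.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed lookup sets for the example; tune to the local environment.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "certutil.exe", "bitsadmin.exe", "rundll32.exe"}
# Extensions named in this page's T1119 row.
DOC_EXTS = {"txt", "pdf", "png", "jpg", "doc", "xls", "xlm", "odp", "ods", "odt",
            "rtf", "ppt", "xlsx", "xlsm", "docx", "pptx", "jpeg"}
STARTUP_FOLDER = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\currentversion\\run(once)?(\\|$)", re.IGNORECASE)
# Baseline exclusion (hypothetical): command-line prefixes of sanctioned automation.
APPROVED_CMDLINE_PREFIXES = ("schtasks /create /tn \\corp\\patch-agent",)
CHAIN = ("user_execution", "persistence", "collection", "c2")


@dataclass
class Event:
    """Normalised endpoint event; the schema is invented for this example."""
    ts: int              # epoch seconds
    host: str
    kind: str            # process | file_write | file_read | registry_set | task_create | network
    image: str = ""      # image basename of the acting process
    parent: str = ""     # parent image basename (process events)
    cmdline: str = ""
    path: str = ""       # file path (file_write / file_read)
    key: str = ""        # registry key (registry_set)
    dest: str = ""       # remote endpoint (network)


def is_approved(ev):
    return ev.cmdline.lower().startswith(APPROVED_CMDLINE_PREFIXES)


def stage_of(ev):
    """Map one event to a chain stage, or None if it is not interesting on its own."""
    if is_approved(ev):
        return None
    image, parent = ev.image.lower(), ev.parent.lower()
    if ev.kind == "process" and parent in OFFICE_APPS and image in INTERPRETERS:
        return "user_execution"        # document spawned an interpreter or LOLBin
    if ev.kind == "file_write" and STARTUP_FOLDER.search(ev.path):
        return "persistence"           # drop into the Startup folder
    if ev.kind == "registry_set" and RUN_KEY.search(ev.key):
        return "persistence"           # Run / RunOnce key change
    if ev.kind == "task_create":
        return "persistence"           # scheduled task created
    if ev.kind == "file_read" and image in INTERPRETERS:
        ext = ev.path.lower().rsplit(".", 1)[-1]
        if ext in DOC_EXTS:
            return "collection"        # a script host touching user documents
    if ev.kind == "network" and image in INTERPRETERS:
        return "c2"                    # interpreter making its own outbound connection
    return None


def correlate(events, window=900, min_stages=3, collection_threshold=5):
    """Return {host: stages} for hosts where at least min_stages distinct stages occur
    within `window` seconds. A single document read is noise, so 'collection' only
    counts once collection_threshold reads fall inside the window."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        stage = stage_of(ev)
        if stage:
            hits[ev.host].append((ev.ts, stage))
    flagged = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            in_win = [s for t, s in seq[i:] if t - t0 <= window]
            stages = {s for s in in_win if s != "collection"}
            if in_win.count("collection") >= collection_threshold:
                stages.add("collection")
            if len(stages) >= min_stages:
                flagged[host] = tuple(s for s in CHAIN if s in stages)
                break
    return flagged


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 is sanctioned
# automation, WS-03 is an administrator using PowerShell interactively.
SAMPLE_EVENTS = [
    Event(1000, "WS-01", "process", image="mshta.exe", parent="WINWORD.EXE",
          cmdline="mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.hta"),
    Event(1005, "WS-01", "file_write", image="mshta.exe",
          path="C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\upd.vbs"),
    Event(1010, "WS-01", "task_create", image="schtasks.exe",
          cmdline="schtasks /create /tn Updater /tr C:\\Users\\u\\AppData\\Roaming\\upd.vbs"),
    *(Event(1020 + i, "WS-01", "file_read", image="powershell.exe",
            path=f"C:\\Users\\u\\Documents\\report{i}.docx") for i in range(6)),
    Event(1100, "WS-01", "network", image="powershell.exe", dest="203.0.113.10:80"),
    Event(2000, "WS-02", "task_create", image="schtasks.exe",
          cmdline="schtasks /create /tn \\corp\\patch-agent /tr C:\\Program Files\\Agent\\run.exe"),
    Event(3000, "WS-03", "process", image="powershell.exe", parent="explorer.exe"),
    Event(3010, "WS-03", "file_read", image="powershell.exe", path="C:\\Users\\a\\Desktop\\notes.txt"),
    Event(3020, "WS-03", "registry_set", image="regedit.exe",
          key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Agent"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

Only WS-01 is flagged: WS-02 is suppressed by the allowlist, and WS-03 produces isolated persistence and collection hits that never reach the stage threshold. Lowering `min_stages` turns the same rule into a hunting query that surfaces those single-stage hosts for review, which is the trade-off between correlated alerting and broad hunting that the list above describes.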
Mitigation priorities
- Start with phishing resilience: email filtering, attachment and link inspection, user reporting workflows, and rapid takedown/blocking procedures for malicious links.
- Reduce client-execution risk through timely patching of user-facing applications and hardening of document handling, scripting, and trusted Windows utilities where business-compatible.
- Strengthen endpoint controls for script execution, suspicious child processes, scheduled task creation, Run Key persistence, and unauthorized tool transfer.
- Constrain and monitor outbound web traffic and cloud storage use, with clear allowlists or governance for sanctioned services where feasible.
- Ensure sensitive roles and high-risk users have stronger identity controls, incident playbooks, and mobile-device protections, especially where Android exposure is material.
Analyst notes and limits
The strongest defender value comes from using Confucius as an intelligence-informed coverage test across social engineering, endpoint execution, persistence, collection, C2, exfiltration, and Android mobile risk. Similarities to Patchwork are noted by security researchers in the official description, but that should not be used as attribution without additional evidence.
The supplied ATT&CK group object has no official detection text, no group-level platforms or tactics, and only relationship-derived technique/software context. This take does not assert current activity, customer exposure, or guaranteed detection. Local targeting, telemetry quality, control configuration, and incident evidence are required to determine relevance.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | Confucius has sent malicious links to victims through email campaigns.[2] |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Confucius has lured victims into clicking on a malicious link sent through spearphishing.[2] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Confucius has exfiltrated victim data to cloud storage service accounts.[1] |
| Enterprise | T1221 | Template Injection | Confucius has used a weaponized Microsoft Word document with an embedded RTF exploit.[3] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Confucius has used VBScript to execute malicious code.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Confucius has crafted and sent victims malicious attachments to gain initial access.[3] |
| Enterprise | T1203 | Exploitation for Client Execution | Confucius has exploited Microsoft Office vulnerabilities, including CVE-2015-1641, CVE-2017-11882, and CVE-2018-0802.[3][1] |
| Enterprise | T1680 | Local Storage Discovery | Confucius has used a file stealer that can examine system drives, including those other than the C drive.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | Confucius has downloaded additional files and payloads onto a compromised host following initial access.[3][2] |
| Enterprise | T1119 | Automated Collection | Confucius has used a file stealer to steal documents and images with the following extensions: txt, pdf, png, jpg, doc, xls, xlm, odp, ods, odt, rtf, ppt, xlsx, xlsm, docx, pptx, and jpeg.[2] |
| Enterprise | T1583.006 | Web Services Sub-technique | Confucius has obtained cloud storage service accounts to host stolen data.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Confucius has used HTTP for C2 communications.[3] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Confucius has exfiltrated stolen files to its C2 server.[2] |
| Enterprise | T1218.005 | Mshta Sub-technique | Confucius has used mshta.exe to execute malicious VBScript.[1] |
| Enterprise | T1083 | File and Directory Discovery | Confucius has used a file stealer that checks the Document, Downloads, Desktop, and Picture folders for documents and images with specific extensions.[2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Confucius has dropped malicious files into the startup folder `%AppData%\Microsoft\Windows\Start Menu\Programs\Startup` on a compromised host in order to maintain persistence.[3] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Confucius has created scheduled tasks to maintain persistence on a compromised host.[2] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Confucius has lured victims to execute malicious attachments included in crafted spearphishing emails related to current topics.[3] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Confucius has used PowerShell to execute malicious files and payloads.[2] |
Groups, software, and campaigns
S0670: WarzoneRAT
WarzoneRAT is a malware-as-a-service remote access tool (RAT) written in C++ that has been publicly available for purchase since at least late 2018.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 43e06974ced0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro Confucius APT Feb 2018: Lunghi, D. and Horejsi, J. (2018, February 13). Deciphering Confucius: A Look at the Group's Cyberespionage Operations. Retrieved December 26, 2021.
- [2] TrendMicro Confucius APT Aug 2021: Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021.
- [3] Uptycs Confucius APT Jan 2021: Uptycs Threat Research Team. (2021, January 12). Confucius APT deploys Warzone RAT. Retrieved December 17, 2021.
- [4] mitre-attack G0142
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.