Confucius is a threat actor attributed to IN, also known as G0142, Confucius APT. This group is tracked in the Strobes VI threat intelligence database.

What vulnerabilities does Confucius exploit?

Confucius is known to exploit 4 CVEs. View the full list on the Strobes VI threat actor profile page.

Agentic AI · Pentesting

Ready for Agentic Automated Testing?

Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.

Zero false positives

PoC for every finding

30+ tools orchestrated

Book a Demo Learn More

Setup in 5 minutesSOC 2 & ISO 27001

Confucius

Also known as: G0142, Confucius APT

INInformation theft and espionage

Exploited CVEs

Overview

Confucius’ campaigns were reportedly active as early as 2013, abusing Yahoo! And Quora forums as part of their command-and-control (C&C) communications. We stumbled upon Confucius, likely from South Asia, while delving into Patchwork’s cyberespionage operations. Confucius’ operations include deploying bespoke backdoors and stealing files from their victim’s systems with tailored file stealers. The stolen files are then exfiltrated by abusing a cloud service provider. Some of these file stealers specifically target files from USB devices, probably to overcome air-gapped environments. This group seems to be associated with Patchwork, Dropping Elephant .

Exploited Vulnerabilities

CVE ID	Action
CVE-2015-1641