Menu
Browse

Cyber Threat Actor: Confucius

Aliases: 2 aliases
Actor Type Location Known Incidents
 Icon
Spy
India
1 incident
Profile

The threat actor known as Confucius (also tracked as Temp.Traveler) is an advanced persistent threat group that has been active since at least 2013 and is based in India. It primarily targets government, military, and energy sector entities in neighboring countries such as China, Pakistan, and Bangladesh. Its operations are described as being driven by political and economic profit, with the goal of stealing sensitive core data or damaging key infrastructure facilities of its victims. The group’s earliest observed intrusions date back to 2013 and have focused on stealing data from the same regional sectors.

Confucius gains initial access mainly through spear phishing emails that contain malicious documents or links to phishing websites. These emails often employ social engineering lures, such as files purporting to list Pakistani army casualties or vaccination statuses of government staff, to trick recipients into executing Trojan horse programs. Once executed, the Trojans exfiltrate data and can produce effects that extend beyond the compromised network. Technical analysis has shown that Confucius shares tools and code with other Indian APT groups, notably SideWinder and Urpage, indicating a degree of collaboration within the regional threat landscape. The group’s operators have been observed using the internal command “Confucius says” to trigger the delivery of its payloads. Representative campaigns include a June 2021 attack on Pakistani government and military institutions that used a malicious document referencing a Pakistani army casualty list, and a February 2022 operation that leveraged a file on the vaccination status of Pakistani government staff.

Pakistani authorities responded to these incidents by issuing nationwide warnings about spear phishing emails impersonating government offices and urging recipients not to disclose information via email or social media. Attribution to India is supported by the group’s observed infrastructure, language of lures, and code sharing with other Indian‑based APT actors, though no explicit state sponsorship claim is made in the source material. The activity of Confucius illustrates a persistent focus on regional espionage and disruption, with its tactics remaining consistent over several years of observed operations.

Incidents
Attributed incidents available to members
1 incident
Sources
Sources available to members
1 source