Confucius Group Activities: Thieves Target Pakistani Civil Servants

Report of the Antiy Avl Threat Intelligence Team describes the activities of APT-group Confucius (APT59), which has been active since 2013. The group primarily targets state institutions, military, and nuclear facilities in Pakistan and other countries of South Asia.

According to AVL, Confucius utilizes malicious Android applications called Sunbird and Hornbill to carry out data theft from devices. The activity of these applications has been monitored since May 2023.

The malicious applications are disguised as Google updates and prompt users to grant various permissions on their devices. Once authorized, the applications request device manager permits and hide their icons upon successful resolution. Subsequently, the applications proceed to steal photographs, messages, contacts, WhatsApp chats, user information, and data on connected mobile devices. Additionally, the applications are designed to automatically start on smartphones from Xiaomi, Oppo, Vivo, Letv, and Honor.

The attacks are orchestrated using servers with IP addresses originating from the United States. The primary focus of these attacks is the Kashmir region and other areas within India. Over 50 victims have been identified, including civil servants in Kashmir, military personnel, and employees of the Indian cosmetic company Baccarose.

/Reports, release notes, official announcements.