Confucius APT Is Exploiting the “Pegasus” Spyware Worries to Trick Pakistanis

Published on August 18, 2021
Written by:
Bill Toulas
Bill Toulas
Cybersecurity Journalist

The pro-India actor known as ‘Confucius’ has been noticed using lures relevant to the “Pegasus” Israeli spyware tool, spreading malicious documents through spear-phishing email campaigns. The actors' goal appears to be to compromise Pakistani people who are linked with ideas and groups thought to be of high risk for India's national security. As such, the spoofed origin used for distributing the emails is generally nationalistic, impersonating the Pakistani Armed Forces or even the government.

The relevant report comes from Trend Micro, who sampled quite a few emails distributed by the ‘Confucius’ APT from the following email addresses. All emails were sent via a Pakistan-based ExpressVPN server in order to not raise any alarms and achieve better distribution rates.

Source: Trend Micro

The email content is something that would trigger the interest of the recipient, like, for example, the Pegasus spyware and how it can infect phones through click-less and totally stealthy attacks. If the victim clicks on the link hoping to read the document containing the details, they end up seeing a document that attempts to trick them into enabling content to let the malicious macros run loose on their system.

Source: Trend Micro

If the victim reaches this unfortunate step, a series of DLL files are decoded and loaded into memory, and eventually, a file-stealer is dropped onto the victim’s machine. That final payload is also a NET DLL, which is designed to steal a wide range of document and media files from the folders “Documents,” “Downloads,” “Desktop,” and “Pictures” of every user who has an account on the Windows system.

Everything is sent to the C2, currently on “pirnaram[.]xyz”. The exfiltration of the data isn’t done through PHP scripts but via FTP server instead, providing better stealthiness to the operation.

Source: Trend Micro

In February, the Lookout Threat Intelligence team discovered two new Android spyware samples that appeared to belong to ‘Confucius,’ namely the “Hornbill” and “SunBird”. These two were again spoofing popular Pakistani apps like the ‘Kashmir News’ and ‘Quran Majeed,’ aiming to steal information from the compromised smartphones. It is clear that the particular actor is insisting on the same targeting habits but constantly updates the scope and methods.



For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: