The first signs of activity attributed to Confucius APT (Advanced Persistent Threat) date back to 2013. The group has remained active since then, with its latest observed wave of attacks taking place in December 2020. Confucius is widely assessed to be state-sponsored and has shown pro-India leanings. Over the years its main targets have been government agencies in Southeast Asia, Pakistani military personnel, nuclear agencies, and Indian election officials.
The group has focused mainly on data theft and reconnaissance, and that focus has shaped its malware toolkit. The first tool attributed to Confucius was ChatSpy, deployed as a surveillance tool during a 2017 operation. Between 2016 and 2019 the group actively developed the SunBird malware, an Android spyware strain with broader capabilities. SunBird's functionality was also geared towards data theft, collecting device identifiers, GPS location, contact lists, call logs and similar data, but it was specifically built to target WhatsApp, extracting documents, databases, and images from the application. In addition, SunBird carried Remote Access Trojan (RAT) functionality that let Confucius drop further malware payloads onto already compromised devices.
The latest Confucius operation, observed in December 2020, used an entirely different Android spyware strain. Named Hornbill, it illustrates how the group's tooling has evolved. Hornbill's capabilities are narrower than SunBird's, but that reduction makes it a more discreet tool, designed to collect data selectively from the target rather than wholesale. Hornbill dropped the RAT functionality but gained the ability to abuse Android accessibility services to detect and record active WhatsApp calls. Because a spyware app can only do this once the user (or an attacker with device access) has enabled its accessibility service, the list of enabled accessibility services on a device is a practical place to look for this kind of tooling.
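As an added triage example (not code from the original page, and not from any Confucius or Hornbill analysis), the script below audits the Android setting that lists enabled accessibility services, the mechanism Hornbill abuses to watch WhatsApp calls. On a real device the value comes from `adb shell settings get secure enabled_accessibility_services`; here a constructed sample value stands in for it. The allow-list of expected packages and the `org.example.notes` package in the sample are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page or from any Confucius/Hornbill report.
# Flags enabled Android accessibility services whose package is not on an
# allow-list. On a device, obtain the raw value with:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of "package/ServiceClass" entries,
# or the literal string "null" when no service is enabled.

# Packages whose accessibility services we expect to see. This allow-list is
# an assumption for the example; tune it per device fleet.
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.systemui"

# Print every enabled service whose package is not on the allow-list.
# $1: raw value of enabled_accessibility_services
# $2: space-separated allow-list of package names
flag_unexpected_accessibility_services() {
    value=$1
    allow=$2
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r entry; do
        # Skip empty fields and the "null" placeholder Android returns when unset.
        if [ -z "$entry" ] || [ "$entry" = "null" ]; then
            continue
        fi
        # Package name is everything before the first "/".
        pkg=${entry%%/*}
        ok=0
        for a in $allow; do
            if [ "$pkg" = "$a" ]; then
                ok=1
            fi
        done
        if [ "$ok" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Number of unexpected services in a raw value (0 when the list is clean).
count_unexpected() {
    flag_unexpected_accessibility_services "$1" "$ALLOWED_PACKAGES" | grep -c .
}

# Constructed sample: TalkBack (expected) plus a service from an unknown
# package (hypothetical name used only for this example).
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:org.example.notes/org.example.notes.HelperService"

# Usage on a connected device:
#   flag_unexpected_accessibility_services "$(adb shell settings get secure enabled_accessibility_services)" "$ALLOWED_PACKAGES"
flag_unexpected_accessibility_services "$SAMPLE" "$ALLOWED_PACKAGES"
```

Any entry the script prints deserves a closer look: dump the APK for that package, check which permissions it holds, and compare its accessibility service declaration against what the app's stated purpose needs. An app that has no plausible reason to read screen content but has an accessibility service enabled is the pattern this check is meant to surface.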