Deciphering Confucius’ Cyberespionage Operations
Probing Confucius’ infrastructure, we came across websites offering Windows and Android chat applications, most likely iterations of its predecessor, Simple Chat Point: Secret Chat Point, and Tweety Chat. While the chat applications indeed have real chat features (although the communication is not anonymous, as advertised), they have backdoor routines and file-stealing behaviors that get triggered when specific words are sent to the app: collecting and harvesting all SMS messages, contacts, and accounts. We further tested Tweety Chat and saw red flags indicating their targets of interest: verification emails with a physical address whose postal code is assigned to a provincial capital that also appears (upon logging in) as a chat channel in Tweety Chat. He was probably either using the Windows version of Secret Chat Point or its web interface, which explains why hayat22 was urging him to install Android Tweety Chat. In an earlier chat group, an operator called Heena urged the members to install Secret Chat Point on other people’s mobile devices to get perks like credits or the ability to “go invisible”.