The Confucius group, a long-running cyber-espionage actor first identified in 2013, has resurfaced with a new wave of operations across South Asia. In its latest analysis, FortiGuard Labs highlights how the group continues to refine its toolset, shifting from legacy stealers like WooperStealer to advanced Python-based backdoors such as AnonDoor.
According to Fortinet, “The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia … repeatedly targeting government agencies, military organizations, defense contractors, and critical industries—especially in Pakistan.”
Over the past several months, the group has leveraged weaponized Office documents, malicious LNK files, custom Python RATs, and layered obfuscation techniques to evade detection and maintain long-term access.
In late 2024, Confucius launched a phishing campaign against users in Pakistan. Emails used authority spoofing and minimal context to push a malicious attachment named Document.ppsx.
When opened, the file displayed a fake “Corrupted Page” error, but behind the scenes, an embedded OLE object retrieved a script from a remote server. FortiGuard explains: “The mango44NX.doc file is a VBScript that forms a compact dropper … it downloads a remote payload, writes the raw response bytes into %LocalAppData%Mapistub.dll, and achieves DLL side-loading through Swom.exe.”
The campaign ultimately delivered WooperStealer, configured to exfiltrate documents, archives, images, and emails, uploading them to attacker-controlled servers.
By early 2025, Confucius shifted to LNK-based infection chains. One sample, disguised as Invoice_Jan25.pdf.lnk, dropped a decoy PDF while sideloading a malicious DLL.
The DLL established persistence, decoded embedded Base64 strings, and contacted remote hosts to fetch the final payload. As Fortinet notes, “The final payload was again identified as WooperStealer, this time with minor modifications to its target list of file extensions.”
This version also improved efficiency by hashing stolen files before exfiltration to avoid duplicate uploads.
In its latest observed campaigns, Confucius introduced a Python-based variant of AnonDoor. Delivered through another malicious LNK (NLC.pdf.lnk), the chain downloaded python313.dll and used DLL side-loading to execute the payload.
Unlike earlier WooperStealer campaigns, this build installed Scoop to prepare a Python runtime environment. FortiGuard describes the shift: “Unlike previous campaigns that deployed WooperStealer, python313.dll sets up an execution environment for a new Python-based backdoor … which collects system information, contacts its C2 server, and receives commands for further action.”
The AnonDoor backdoor fingerprints victims, captures screenshots, inventories drives, and executes commands while disguising its persistence via scheduled tasks. It also includes a PasswordDumper module, with separate helpers for Firefox and Edge credential theft.
FortiGuard Labs concludes that Confucius has shown a ability to adapt: “Our analysis reveals how the Confucius group has continually evolved its techniques, adopting diverse file types as initial access vectors and chaining OLE objects, malicious scripts, LNK files, PowerShell loaders, MSIL downloaders, and heavily obfuscated payloads to evade detection.”
By cycling between WooperStealer, MSIL-based AnonDoor, and Python-based AnonDoor, the group has demonstrated both toolchain flexibility and persistence in achieving its espionage objectives.
- Confucius Group Evolves: Researcher Uncovers New Modular Backdoor “Anondoor” in Latest Espionage Campaign
- New Agent Tesla Spyware Variant was spread via Microsoft Word documents
- Linux Kernel 6.6: Embracing Stability with Long-Term Support
- Warning: Discord’s API Exploited for Malicious Takeover
- Inside a Python Infostealer: How Attackers Abuse Legitimate Platforms for Credential Theft
