Oct 02, 2025Ravie LakshmananMalware / Cyber Espionage
The risk actor often known as Confucius has been attributed to a brand new phishing marketing campaign that has focused Pakistan with malware households like WooperStealer and Anondoor.
“Over the previous decade, Confucius has repeatedly focused authorities businesses, navy organizations, protection contractors, and important industries — particularly in Pakistan – utilizing spear-phishing and malicious paperwork as preliminary entry vectors,” Fortinet FortiGuard Labs researcher Cara Lin mentioned.
Confucius is a long-running hacking group that is believed to have been energetic since 2013 and working throughout South Asia. Latest campaigns undertaken by the risk actor have employed a Python-based backdoor known as Anondoor, signaling an evolution of the group’s tradecraft and its technical agility.
One of many assault chains documented by Fortinet focused customers in Pakistan someday in December 2024, tricking recipients into opening a .PPSX file, which then triggers the supply of WooperStealer utilizing DLL side-loading strategies.
A subsequent assault wave noticed in March 2025 has been discovered to make use of Home windows shortcut (.LNK) recordsdata to unleash the malicious WooperStealer DLL, once more launched utilizing DLL side-loading, to steal delicate information from compromised hosts.
One other .LNK file noticed in August 2025 additionally leveraged related techniques to sideload a rogue DLL, solely this time the DLL paves the way in which for Anondoor, a Python implant that is designed to exfiltrate gadget data to an exterior server and await additional duties to execute instructions, take screenshots, enumerate recordsdata and directories, and dump passwords from Google Chrome.
It is value noting that the risk actor’s use of Anondoor was documented in July 2025 by Seebug’s KnownSec 404 Workforce.
“The group has demonstrated robust adaptability, layering obfuscation strategies to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities,” Fortinet mentioned. “Its current campaigns not solely illustrate Confucius’ persistence but additionally its skill to pivot quickly between strategies, infrastructure, and malware households to keep up operational effectiveness.”
The disclosure comes as K7 Safety Labs detailed an an infection sequence related to the Patchwork group that commences with a malicious macro that is designed to obtain a .LNK file containing PowerShell code chargeable for downloading extra payloads and leveraging DLL side-loading to launch the first malware whereas concurrently displaying a decoy PDF doc.
The ultimate payload, for its half, establishes contact with the risk actor’s command-and-control (C2) server, gathers system data, and retrieves an encoded instruction that is subsequently decrypted for execution utilizing cmd.exe. It is also geared up to take screenshots, add recordsdata from the machine, and obtain recordsdata from a distant URL and save them domestically in a brief listing.
“The malware waits for a configurable interval and retries sending the info as much as 20 occasions, monitoring failures to make sure persistent and stealthy information exfiltration with out alerting the person or safety methods,” the corporate mentioned.
