Over the past year, the Confucius threat group has shifted from deploying infostealer malware to installing backdoors on victims’ machines, Fortinet reported Thursday.

The South Asia-based threat group, which has been active since 2013, has been known to leverage a document-stealing malware called WooperStealer, with campaigns leveraging this infostealer being observed as recently as March 2025.

WooperStealer attacks shift from PPT to LNK

However, an attack in August 2025 marked a notable shift with the deployment of the Python-based backdoor known as AnonDoor. Additionally, Confucius has changed its initial access method, sending out emails with LNK attachments in place of its original PowerPoint lures.

Fortinet’s report outlines a timeline of three distinct attacks from December 2024 to August 2025. The initial attack leveraged a PowerPoint named “Document.ppsx” with an embedded Object Linking and Embedding (OLE) object that retrieves and runs the file mango44NX.doc from a remote URL.

This file is a VBScript dropper that downloads an additional payload from the same remote domain, writing it to %LocalAppData%\Mapistub.dll, which is ultimately sideloaded into a copy of the legitimate Windows utility fixmapi.exe renamed to Swom.exe. The VBScript also establishes persistence by creating a registry entry that points to Swom.exe.

The sideloaded DLL serves as another staging component that contacts two other remote hosts, then installs the final payload WooperStealer. WooperStealer targets files with specific extensions including .txt, .pdf, .doc, .xls, .png, .jpeg, .ppt and .zip, and exfiltrates them to another remote URL.

WooperStealer was spotted in another attack in March 2025 with a different initial access vector—an LNK attachment. Rather than utilizing a VBScript dropper, this attack used a curl shell command to retrieve mapistub.dll from a remote server, sideloading it into fixmapi.exe renamed to BlueAle.exe and also deploying a decoy PDF to distract the user.

New Confucius espionage method: AnonDoor backdoor

This WooperStealer attack targeted a slightly different list of file types and also leveraged the C:\Windows\Tasks directory for persistence in addition to registry entries, but largely displayed similar methods to the December attack.

Confucius continued to use LNK attachments for initial access in August 2025, but began using a new backdoor payload in place of infostealer deployment.

Fortinet found that a malicious attachment disguised as a PDF, NLC.pdf.lnk, used the curl command to retrieve the DLL python313.dll. Similar to the previous attack, the DLL was sideloaded using a file named BlueAle.exe and a decoy PDF was displayed while the stage was set for backdoor deployment.

A temporary PowerShell script is used to install Scoop and configure environment variables to ensure error-free execution of the Python code. The file winresume.pyc is then downloaded and written to the %LOCALAPPDATA% directory and a scheduled task is set up to execute pythonw.exe using winresume.pyc as an argument every 5 minutes, establishing backdoor access.
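The persistence and sideloading artifacts described across the three campaigns (a Run-key entry pointing at the renamed fixmapi.exe, the C:\Windows\Tasks directory, and a scheduled task running pythonw.exe with winresume.pyc) can be hunted for with a short PowerShell script. The following is an added example, not code from the Fortinet report; it assumes the file names quoted in the article are unchanged, and every match is a lead to triage rather than a verdict, since legitimate Python installs under %LOCALAPPDATA% also ship python313.dll.

```powershell
# Added hunting script (not from the Fortinet report). File and key names come from the
# article; the search roots and the output object layout are my own choices.
$hits = @()
$local = $env:LOCALAPPDATA

# 1. AnonDoor persistence: a scheduled task that runs pythonw.exe with a .pyc argument
Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        if ($a.Execute -match 'pythonw\.exe' -and $a.Arguments -match '\.pyc') {
            $ivl = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            $hits += [pscustomobject]@{ Type = 'ScheduledTask'; Name = $task.TaskName
                                        Detail = "$($a.Execute) $($a.Arguments) repeat=$ivl" }
        }
    }
}

# 2. WooperStealer persistence: Run-key values pointing into %LOCALAPPDATA% (Swom.exe / BlueAle.exe)
foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -like '*\AppData\Local\*') {
            $hits += [pscustomobject]@{ Type = 'RunKey'; Name = $p.Name; Detail = $p.Value }
        }
    }
}

# 3. Sideloading: a copy of fixmapi.exe under another name (the PE OriginalFilename still
#    says fixmapi.exe) with Mapistub.dll or python313.dll beside it; plus winresume.pyc itself
$roots = @($local, 'C:\Windows\Tasks', "$env:USERPROFILE\Downloads")
Get-ChildItem -Path $roots -Recurse -File -Include *.exe -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ine 'fixmapi.exe' -and $_.VersionInfo.OriginalFilename -ieq 'fixmapi.exe' } |
    ForEach-Object {
        $dlls = Get-ChildItem -Path (Join-Path $_.DirectoryName '*') -File `
                    -Include Mapistub.dll, python313.dll -ErrorAction SilentlyContinue
        $hits += [pscustomobject]@{ Type = 'Sideload'; Name = $_.Name
                                    Detail = "$($_.FullName) dll=$($dlls.Name -join ',')" }
    }
Get-ChildItem -Path $local -Filter winresume.pyc -File -ErrorAction SilentlyContinue |
    ForEach-Object { $hits += [pscustomobject]@{ Type = 'Payload'; Name = $_.Name; Detail = $_.FullName } }

$hits | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM Run key and all scheduled tasks are readable; a renamed fixmapi.exe hit is the strongest single indicator, since the legitimate utility is never copied out of the system directory under another name.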

AnonDoor fingerprints the host, collecting basic machine information and geolocation, inventorying storage space with the Windows API GetDiskFreeSpaceExW and enumerating all drives from A to Z.

The backdoor can execute a range of commands received from its command-and-control (C2) server, including CmdExecution for arbitrary command execution, Screenshoot for screenshot collection, DownloadFile for exfiltrating files and PasswordDumper for downloading additional Python-based tools to steal credentials from the Mozilla Firefox and Microsoft Edge browsers.

Confucius’ attacks mainly target organizations in Pakistan, including government agencies, military organizations, defense contractors and other critical infrastructure industries. It uses heavy obfuscation to conceal its payloads, and as its tactics continue to evolve, Fortinet urges organizations to maintain awareness of the latest indicators of compromise (IoCs) and available threat intelligence to defend themselves.