The Confucius group (G0142), a South Asia-based advanced persistent threat (APT) actor active since 2013, has intensified its cyber-espionage operations targeting government, defense, military, and critical infrastructure sectors in Pakistan. This latest campaign, observed in August 2025, reveals the use of two key malware families — WooperStealer and the new AnonDoor Python-based backdoor.
The Confucius APT has evolved from using lightweight information stealers to deploying modular Python backdoors that ensure long-term surveillance, persistence, and remote access. This strategic shift underscores the group’s objective to establish sustained espionage footholds across sensitive networks while avoiding early detection.
The Confucius group continues its hallmark approach of targeted spear-phishing to infiltrate high-value organizations. These phishing emails spoof authoritative senders and use contextually relevant decoys to trick users into executing malicious attachments. Once opened, the decoy document displays legitimate-looking content while the hidden payload is deployed in the background.
Initial stages of the infection chain use malicious LNK shortcuts and DLL side-loading to execute downloader Trojans. The loaders abuse legitimate binaries (no vulnerability in those binaries is exploited, the DLL search order is) to evade antivirus detection, then fetch secondary components, including WooperStealer and AnonDoor.
December 2024: WooperStealer was distributed through DLL side-loading lures.
March 2025: Follow-up campaigns employed LNK shortcuts to facilitate data exfiltration.
August 2025: Confucius transitioned to AnonDoor, a Python-based modular backdoor that supports persistent access, data collection, and host profiling through file enumeration and screenshot capture.
AnonDoor’s modular architecture allows operators to deploy new payloads, update modules, and manage infected endpoints without changing command-and-control infrastructure. This signals a tactical evolution from short-term data theft to long-term intelligence collection.
Overall, the Confucius group’s campaign demonstrates a highly adaptive espionage operation engineered for stealth, persistence, and scalability across Windows environments.
Implement Network Segmentation and Zero Trust Architecture: Divide networks to contain lateral movement. Enforce identity verification and device health checks before granting access.
Harden File System Permissions: Audit access rights for sensitive directories. Restrict write permissions and disable unnecessary file sharing using ACLs.
Enhance Email Security and Awareness: Deploy advanced phishing filters and train employees to identify and report spoofed or urgent email requests.
Restrict Privileged Access: Apply the least-privilege principle to minimize exposure of administrative accounts and reduce the impact of compromised credentials.
Monitor for Anomalous Behavior: Regularly inspect system and endpoint logs for PowerShell execution, DLL side-loading, scheduled-task creation and unexpected Python interpreter activity, the behaviours associated with WooperStealer and AnonDoor infections in the ATT&CK mapping below.
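The monitoring recommendation above is easier to act on with concrete logic. The following is an added example, not code from the original page or from the campaign's operators: four heuristics run over Sysmon-style process-creation (EventID 1) and image-load (EventID 7) records, covering DLL side-loading from user-writable directories, scheduled tasks whose action lives in a user-writable path, encoded PowerShell, and a Python interpreter executing from a user-writable path or running compiled bytecode. The events, paths, task name and command lines are constructed for illustration; the path-token lists are assumptions a defender would tune to their own environment.

```python
"""Added example (not code from the original page or the campaign's operators):
heuristic detections for the behaviours the mitigation above asks defenders to
watch for, run over constructed Sysmon-style events. Field names follow Sysmon
(EventID 1 = process creation, EventID 7 = image load); the events and paths
are invented for illustration."""
import ntpath
import re

# Directories an ordinary user can write to; a DLL or interpreter running from
# here next to a legitimate executable is the classic side-loading layout.
# These token lists are assumptions, not values from the page.
USER_WRITABLE = ("\\appdata\\", "\\users\\public\\", "\\temp\\",
                 "\\downloads\\", "\\programdata\\")
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
PS_ENCODED = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I)
SCHTASKS_TR = re.compile(r'/tr\s+"?([^"]+)', re.I)


def in_user_writable(path):
    return any(tok in path.lower() for tok in USER_WRITABLE)


def in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)


def detect(events):
    """Return (rule, detail) tuples for events matching one of four heuristics."""
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        exe = ntpath.basename(image).lower()
        if ev.get("EventID") == 7:
            dll = ev.get("ImageLoaded", "")
            # DLL side-loading: the DLL was resolved from the executable's own
            # directory, and that directory is user-writable rather than a
            # Windows system directory.
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
            if same_dir and in_user_writable(dll) and not in_system_dir(dll):
                hits.append(("dll_sideload", f"{image} loaded {dll}"))
        elif ev.get("EventID") == 1:
            cmd = ev.get("CommandLine", "")
            # Scheduled-task persistence (T1053.005) whose action lives in a
            # user-writable path.
            if exe == "schtasks.exe" and "/create" in cmd.lower():
                m = SCHTASKS_TR.search(cmd)
                if m and in_user_writable(m.group(1)):
                    hits.append(("schtask_user_path", cmd))
            # PowerShell launched with an encoded command (T1059.001).
            if exe in ("powershell.exe", "pwsh.exe") and PS_ENCODED.search(cmd):
                hits.append(("powershell_encoded", cmd))
            # A Python interpreter (T1059.006) running from a user-writable
            # location or executing compiled bytecode.
            if exe in ("python.exe", "pythonw.exe") and (
                    in_user_writable(image) or ".pyc" in cmd.lower()):
                hits.append(("python_user_path", cmd))
    return hits


# Constructed events for illustration; not telemetry from the campaign.
EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Report\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Report\version.dll"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 5 /tn Updater '
                    '/tr "C:\\Users\\alice\\AppData\\Roaming\\py\\pythonw.exe '
                    'C:\\Users\\alice\\AppData\\Roaming\\py\\m.pyc"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Roaming\py\pythonw.exe",
     "CommandLine": r"pythonw.exe C:\Users\alice\AppData\Roaming\py\m.pyc"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe Get-Process"},
]

if __name__ == "__main__":
    for rule, detail in detect(EVENTS):
        print(f"[{rule}] {detail}")
```

The second image-load record (notepad.exe loading version.dll from System32) and the plain `Get-Process` invocation are included as benign controls; neither fires. The side-loading heuristic deliberately keys on location rather than on a list of hijackable DLL names, so it also catches loaders that pick a DLL name the analyst has not seen before.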
Domains
marshmellowflowerscar[.]info
greenxeonsr[.]info
cornfieldblue[.]info
hauntedfishtree[.]info
petricgreen[.]info
bloomwpp[.]info
dropmicis[.]info
martkartout[.]info
SHA256 Hashes
c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de
5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e
4206ab93ac9781c8367d8675292193625573c2aaacf8feeaddd5b0cc9136d2d1
8603b9fa8a6886861571fd8400d96a705eb6258821c6ebc679476d1b92dcd09e
24b06b5caad5b09729ccaffa5a43352afd2da2c29c3675b17cae975b7d2a1e62
13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1
06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6
11391799ae242609304ef71b0efb571f11ac412488ba69d6efc54557447d022f
abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b
URL
hxxps[:]//bloomwpp[.]info/hjdfyebvghu[.]pyc
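The indicators above are defanged for safe publication, so the first practical step is to refang them and sweep DNS, proxy and file-hash telemetry. The block below is an added example, not code from the original page: it refangs the listed domains and URL, matches hostnames (and their subdomains) and the full URL against log lines, and intersects a case-normalised list of observed SHA-256 values with the listed hashes. The log lines, client IPs, timestamps and the subdomain cdn.petricgreen.info are constructed for illustration; the second observed hash is the SHA-256 of empty input, included as a non-matching control.

```python
"""Added example (not code from the original page): refang the defanged
indicators listed above and match them against constructed DNS/proxy log lines
and a constructed list of observed file hashes. The log lines, client IPs and
the subdomain cdn.petricgreen.info are invented for illustration."""
import re
from urllib.parse import urlparse

# Indicators exactly as published above, still defanged.
DEFANGED_DOMAINS = [
    "marshmellowflowerscar[.]info", "greenxeonsr[.]info", "cornfieldblue[.]info",
    "hauntedfishtree[.]info", "petricgreen[.]info", "bloomwpp[.]info",
    "dropmicis[.]info", "martkartout[.]info",
]
DEFANGED_URLS = ["hxxps[:]//bloomwpp[.]info/hjdfyebvghu[.]pyc"]
SHA256_HASHES = {
    "c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de",
    "5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e",
    "4206ab93ac9781c8367d8675292193625573c2aaacf8feeaddd5b0cc9136d2d1",
    "8603b9fa8a6886861571fd8400d96a705eb6258821c6ebc679476d1b92dcd09e",
    "24b06b5caad5b09729ccaffa5a43352afd2da2c29c3675b17cae975b7d2a1e62",
    "13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1",
    "06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6",
    "11391799ae242609304ef71b0efb571f11ac412488ba69d6efc54557447d022f",
    "abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b",
}
HOST_RE = re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$", re.I)


def refang(ioc):
    """Turn a defanged indicator back into its live, lower-cased form."""
    ioc = ioc.replace("[.]", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.I).lower()


DOMAINS = [refang(d) for d in DEFANGED_DOMAINS]
URLS = [refang(u) for u in DEFANGED_URLS]


def hosts_in_line(line):
    """Pull hostnames out of a log line, from bare names and from URLs."""
    hosts = []
    for tok in line.split():
        if tok.lower().startswith(("http://", "https://")):
            host = urlparse(tok).hostname
            if host:
                hosts.append(host.lower())
        elif HOST_RE.match(tok):
            hosts.append(tok.lower())
    return hosts


def domain_matches(host, domains):
    # Match the indicator itself and any subdomain of it.
    return [d for d in domains if host == d or host.endswith("." + d)]


def scan_logs(lines, domains=DOMAINS, urls=URLS):
    """Return (kind, indicator, line) for every domain or URL hit."""
    hits = []
    for line in lines:
        for host in hosts_in_line(line):
            for d in domain_matches(host, domains):
                hits.append(("domain", d, line))
        for u in urls:
            if u in line.lower():
                hits.append(("url", u, line))
    return hits


def match_hashes(observed, known=SHA256_HASHES):
    """Case-normalise observed SHA-256 values and intersect with the IOC set."""
    return {h.strip().lower() for h in observed} & known


# Constructed log lines and hash inventory (not real telemetry).
LOGS = [
    "2025-08-12T09:14:03Z 10.0.4.21 DNS query A marshmellowflowerscar.info",
    "2025-08-12T09:14:05Z 10.0.4.21 HTTP GET https://bloomwpp.info/hjdfyebvghu.pyc",
    "2025-08-12T09:15:11Z 10.0.4.22 DNS query A update.microsoft.com",
    "2025-08-12T09:16:40Z 10.0.4.23 HTTP GET https://cdn.petricgreen.info/a.bin",
]
OBSERVED_HASHES = [
    "C91917FF2CC3B843CF9F65E5798CD2E668A93E09802DAA50E55A842BA9E505DE",  # listed IOC, upper-cased
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",  # SHA-256 of empty input
]

if __name__ == "__main__":
    for kind, ioc, line in scan_logs(LOGS):
        print(f"[{kind}] {ioc} <- {line}")
    print("hash matches:", match_hashes(OBSERVED_HASHES))
```

Subdomain matching matters because operators frequently stage payloads on hosts under a registered domain rather than on the apex; a plain string-equality check on `petricgreen.info` would miss the constructed `cdn.petricgreen.info` request. The hash check normalises case so that inventories from different tools (some emit upper-case hex) compare correctly.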
TA0001 Initial Access – T1566, T1566.001 (Spearphishing Attachment)
TA0002 Execution – T1059, T1059.001 (PowerShell), T1059.006 (Python)
TA0003 Persistence – T1053, T1053.005 (Scheduled Task)
TA0005 Defense Evasion – T1218, T1218.011 (Rundll32), T1027 (Obfuscated Files)
TA0007 Discovery – T1082 (System Information Discovery), T1083 (File and Directory Discovery), T1087 (Account Discovery)
TA0009 Collection – T1113 (Screen Capture), T1005 (Data from Local System)
TA0010 Exfiltration – T1041 (Exfiltration Over C2 Channel)
TA0011 Command and Control – T1071, T1071.001 (Web Protocols)