Confucius APT Espionage Campaign: Evolution from WooperStealer to AnonDoor Backdoor

Threat Profile

Description

A long-running cyber-espionage campaign attributed to the Confucius APT group, targeting Pakistani government agencies, military organizations, defense contractors, and critical industries. Activity tracked from December 2024 through August 2025 shows the tooling evolving across successive waves: spearphishing with weaponized Office documents (a malicious .ppsx) and a double-extension LNK file (Invoice_Jan25.pdf.lnk), a VBScript dropper, DLL side-loading through a renamed copy of the legitimate fixmapi.exe, and a shift from the WooperStealer information stealer to the Python-based AnonDoor backdoor for persistent access and data exfiltration.

MITRE ATT&CK Techniques

T1566.001 - Phishing: Spearphishing Attachment
T1204.002 - User Execution: Malicious File
T1559.001 - Inter-Process Communication: Component Object Model
T1027 - Obfuscated Files or Information
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1053.005 - Scheduled Task/Job: Scheduled Task
T1140 - Deobfuscate/Decode Files or Information
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.006 - Command and Scripting Interpreter: Python
T1071.001 - Application Layer Protocol: Web Protocols
T1005 - Data from Local System
T1025 - Data from Removable Media
T1113 - Screen Capture
T1082 - System Information Discovery
T1083 - File and Directory Discovery
T1057 - Process Discovery
T1016 - System Network Configuration Discovery
T1614 - System Location Discovery
T1049 - System Network Connections Discovery
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
T1074.001 - Data Staged: Local Data Staging
T1041 - Exfiltration Over C2 Channel
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

Indicators of Compromise (10)

06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6
SHA256 hash of winresume.pyc AnonDoor Python backdoor
13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1
SHA256 hash of malicious python313.dll (August 2025)
greenxeonsr.info
Distribution server for initial payload delivery (December 2024)
dropmicis.info
Infrastructure associated with Confucius campaign
hauntedfishtree.info
Secondary C2 server for stealer activity (December 2024)
%AppData%\Swom.exe
Renamed copy of the legitimate fixmapi.exe, used as the host process for DLL side-loading
5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e
SHA256 hash of Invoice_Jan25.pdf.lnk malicious LNK file (March 2025)
%LocalAppData%\Mapistub.dll
Malicious DLL dropped by VBScript dropper
cornfieldblue.info
Secondary C2 server for stealer activity (December 2024)
c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de
SHA256 hash of malicious Document.ppsx file (December 2024)
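The indicators above are only useful if they are actually swept against host and network telemetry, and two of them need care: the file paths are written with Windows environment variables, so they only match once expanded to a real profile directory, and the C2 domains should also be matched as parent domains so a subdomain does not slip past an exact-match rule. The following Python is an added example written for this page, not code from the original report or from the Confucius tooling. The indicator values are the page's; the `key=value|key=value` log format, the Sysmon-like field names, the environment-variable expansion and the `SAMPLE_LOGS` lines are all constructed assumptions for the demo.

```python
"""Offline IoC sweep for the Confucius campaign indicators listed above.

Added example: the indicator values come from the page; the log format, the
field names and the sample log lines are constructed for this demo.
"""
import re

# SHA256 hashes from the page's IoC list, stored lowercase for comparison.
SHA256_IOCS = {
    "06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6": "winresume.pyc, AnonDoor Python backdoor",
    "13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1": "malicious python313.dll (August 2025)",
    "5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e": "Invoice_Jan25.pdf.lnk (March 2025)",
    "c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de": "Document.ppsx (December 2024)",
}
# Network indicators from the page.
DOMAIN_IOCS = {
    "greenxeonsr.info": "distribution server for initial payload",
    "dropmicis.info": "Confucius campaign infrastructure",
    "hauntedfishtree.info": "secondary C2 for stealer activity",
    "cornfieldblue.info": "secondary C2 for stealer activity",
}
# Host indicators from the page, written with Windows environment variables.
PATH_IOCS = {
    r"%AppData%\Swom.exe": "renamed copy of fixmapi.exe used for DLL side-loading",
    r"%LocalAppData%\Mapistub.dll": "malicious DLL dropped by the VBScript dropper",
}
# Assumed expansion of each variable on a default Windows profile, so that the
# pattern matches the fully expanded paths that EDR/Sysmon telemetry records.
_ENV_DIR = {
    "%appdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\roaming",
    "%localappdata%": r"[a-z]:\\users\\[^\\]+\\appdata\\local",
}


def _path_pattern(ioc):
    """Turn '%Var%\\name' into a regex anchored on the expanded directory."""
    var, _, tail = ioc.partition("\\")
    return re.compile(_ENV_DIR[var.lower()] + r"\\" + re.escape(tail) + r"$", re.IGNORECASE)


PATH_PATTERNS = {ioc: _path_pattern(ioc) for ioc in PATH_IOCS}
_HEX64 = re.compile(r"\b[0-9a-fA-F]{64}\b")


def match_hash(sha256):
    return SHA256_IOCS.get(sha256.lower())


def match_domain(host):
    """Exact or subdomain match: cdn.hauntedfishtree.info still counts."""
    host = host.lower().rstrip(".")
    for dom, desc in DOMAIN_IOCS.items():
        if host == dom or host.endswith("." + dom):
            return desc
    return None


def match_path(path):
    """Match only under the expanded profile directory, not any Mapistub.dll."""
    for ioc, pat in PATH_PATTERNS.items():
        if pat.search(path):
            return PATH_IOCS[ioc]
    return None


def parse_fields(line):
    """Parse the constructed 'key=value|key=value' log format (assumed)."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


HOST_KEYS = {"DestinationHostname", "QueryName"}
PATH_KEYS = {"Image", "ImageLoaded", "TargetFilename", "ParentImage"}


def sweep(log_lines):
    """Return (line_no, kind, value, description) for every indicator hit."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for key, value in parse_fields(line).items():
            for h in _HEX64.findall(value):          # hashes can sit in any field
                desc = match_hash(h)
                if desc:
                    hits.append((n, "sha256", h.lower(), desc))
            if key in HOST_KEYS:
                desc = match_domain(value)
                if desc:
                    hits.append((n, "domain", value.lower(), desc))
            if key in PATH_KEYS:
                desc = match_path(value)
                if desc:
                    hits.append((n, "path", value, desc))
    return hits


# Constructed sample telemetry; the last line is a benign look-alike.
SAMPLE_LOGS = [
    "EventID=11|TargetFilename=C:\\Users\\alice\\AppData\\Local\\Mapistub.dll|Image=C:\\Windows\\System32\\wscript.exe",
    "EventID=7|Image=C:\\Users\\alice\\AppData\\Roaming\\Swom.exe|ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Mapistub.dll",
    "EventID=22|QueryName=cdn.hauntedfishtree.info|Image=C:\\Users\\alice\\AppData\\Roaming\\Swom.exe",
    "EventID=1|Image=C:\\Windows\\explorer.exe|Hashes=SHA256=C91917FF2CC3B843CF9F65E5798CD2E668A93E09802DAA50E55A842BA9E505DE",
    "EventID=3|DestinationHostname=update.microsoft.com|Image=C:\\Windows\\System32\\svchost.exe",
    "EventID=11|TargetFilename=C:\\Users\\bob\\Downloads\\Mapistub.dll",
]

if __name__ == "__main__":
    for n, kind, value, desc in sweep(SAMPLE_LOGS):
        print(f"line {n}: {kind} {value} -> {desc}")
```

Two design points are worth carrying into a real hunt: hashes are compared case-insensitively because vendors differ in how they render them, and the file-path rules are anchored on the expanded AppData directory, so a `Mapistub.dll` in a Downloads folder (the final sample line) does not fire while the side-loading pair in the user's profile does. For a single-host sweep the same `match_*` functions can be fed from `os.walk` and `hashlib.sha256` instead of log lines.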

Metadata

Published: 8 months ago