Confucius APT Targets Pakistan with WooperStealer and New Python-Based Anondoor Backdoor
The hacker group Confucius, active in South Asia since at least 2013, has intensified malicious operations against Pakistani organizations. Fortinet researchers documented a fresh wave of intrusions leveraging two malware families — WooperStealer and Anondoor.
The campaign chiefly targets military bodies, government agencies, and critical national sectors, with phishing emails bearing malicious attachments remaining the primary intrusion vector.
Attacks observed in December 2024 began with recipients opening a .PPSX file, which subsequently staged the deployment of WooperStealer. Operators abused DLL side-loading — hiding a malicious library behind a legitimate binary so the payload executes in the context of a trusted process.
In March 2025, investigators recorded another surge that used .LNK shortcuts to redeploy WooperStealer via DLL injection and exfiltrate sensitive data from compromised hosts. A similar technique reappeared in August, but this time the payload delivered Anondoor — a full-featured Python-based remote shell. Anondoor collects device telemetry, sends it to a remote server, and can execute additional commands, including taking screenshots, enumerating the filesystem, and extracting stored credentials from Chrome.
In July 2025, China’s KnownSec 404 (Seebug) published findings on Anondoor, noting the group’s shift from episodic data grabs toward sustained, covert presence on victim systems.
Fortinet emphasizes the threat actor’s agility: the group continually morphs its infrastructure, evasion techniques, and toolset, preserving operational capacity and increasing strike effectiveness as priorities change. The evolution from information stealers to persistent backdoors indicates a pronounced interest in long-term surveillance and durable footholds within target networks.
Concurrently, K7 Security Labs reported a new intrusion linked to another espionage operator, Patchwork. In that campaign, a malicious macro dropped an .LNK shortcut embedding a PowerShell script that fetched the main malware module while presenting a decoy PDF to the user. The final-stage payload contacted a command-and-control server, gathered system data, and retrieved encrypted instructions for execution via cmd.exe. Capabilities included screenshot capture, file exfiltration, and fetching additional components from remote hosts. An observed retry mechanism retransmitted data up to twenty times with failure tracking, helping preserve stealth during exfiltration.