Pakistan Targeted Confucius Hackers Deploy WooperStealer Anondoor

The persistent threat group known as Confucius has been linked to a new phishing campaign specifically targeting Pakistan with malware like WooperStealer and the Python-based backdoor Anondoor. 

Targeting and Tactics 

Confucius is a long-running hacking group believed to be active since 2013 across South Asia. The group consistently targets government agencies, military organizations, defense contractors, and critical industries, especially in Pakistan, using spear-phishing and malicious documents as the initial attack vectors. 

Fortinet FortiGuard Labs highlighted the group's evolving tradecraft, noting their recent use of the Python backdoor Anondoor. Fortinet documented a Confucius attack chain in December 2024 that tricked Pakistani recipients into opening a .PPSX file. This file then used DLL side-loading techniques to deploy the WooperStealer malware. 

A subsequent wave in March 2025 utilized Windows shortcut (.LNK) files to unleash the malicious WooperStealer DLL, again via DLL side-loading, to steal sensitive data from compromised systems. 

The Anondoor Backdoor 

The most recent activity, observed in August 2025, also used a .LNK file and similar DLL side-loading tactics. This time, the rogue DLL delivered Anondoor, a Python implant designed to exfiltrate device information and await further instructions. Anondoor is capable of executing commands, taking screenshots, browsing files and directories, and stealing passwords from Google Chrome.

Fortinet noted that Confucius shows "strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities." The recent campaigns demonstrate the group's persistence and its ability to rapidly change techniques, infrastructure, and malware to maintain effectiveness. 

Similar Campaign from Patchwork 

This disclosure comes as K7 Security Labs detailed a separate infection sequence associated with the Patchwork group. That attack begins with a malicious macro that downloads a .LNK file containing PowerShell code. This code downloads additional payloads and uses DLL side-loading to launch the primary malware while simultaneously displaying a decoy PDF document to the user. 

Patchwork's final payload connects with the threat actor's command-and-control (C2) server, gathers system information, and executes an encoded instruction. It is also designed to take screenshots, upload local files, and download remote files. K7 Security Labs stated that the malware "waits for a configurable period and retries sending the data up to 20 times, tracking failures to ensure persistent and stealthy data exfiltration." 
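For defenders, the common thread in both the Confucius and Patchwork chains is a document or shortcut lure leading to a DLL loaded from a user-writable path. The heuristic below is an added example, not code from Fortinet or K7 Security Labs; its records are constructed and only loosely mirror Sysmon process-create (event 1) and image-load (event 7) fields.

```python
"""Heuristic for the DLL side-loading chains described above.

Constructed Sysmon-style records (event 1 = process create, event 7 =
image load); the paths and DLL names are made up for the example."""
from dataclasses import dataclass

USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")
LURE_EXTENSIONS = (".lnk", ".ppsx")


@dataclass
class Event:
    event_id: int        # 1 = process create, 7 = image load
    pid: int
    image: str           # host executable path
    cmdline: str = ""    # event 1: the host's own command line
    loaded: str = ""     # event 7: path of the DLL that was loaded
    signed: bool = True  # event 7: signature state of that DLL


def from_lure(ev):
    """Host launched with a shortcut or slideshow lure as its argument."""
    return ev.event_id == 1 and ev.cmdline.lower().rstrip('"').endswith(LURE_EXTENSIONS)


def suspicious_load(ev):
    """Unsigned DLL loaded from a user-writable path rather than a system dir."""
    path = ev.loaded.lower()
    return ev.event_id == 7 and not ev.signed and any(d in path for d in USER_WRITABLE)


def detect_sideload(events):
    """(pid, host, dll) for suspicious loads where the host was started from a
    lure or itself sits in a user-writable dir (signed EXE dropped beside DLL)."""
    lure_pids = {ev.pid for ev in events if from_lure(ev)}
    alerts = []
    for ev in events:
        in_user_dir = any(d in ev.image.lower() for d in USER_WRITABLE)
        if suspicious_load(ev) and (ev.pid in lure_pids or in_user_dir):
            alerts.append((ev.pid, ev.image, ev.loaded))
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry, not from the campaigns
    Event(1, 4001, r"C:\Users\v\AppData\Local\Temp\viewer.exe", cmdline=r'"C:\Users\v\AppData\Local\Temp\viewer.exe"'),
    Event(7, 4001, r"C:\Users\v\AppData\Local\Temp\viewer.exe", loaded=r"C:\Users\v\AppData\Local\Temp\support.dll", signed=False),
    Event(1, 4002, r"C:\Program Files\Office\powerpnt.exe", cmdline=r'"C:\Program Files\Office\powerpnt.exe" C:\Users\v\Downloads\agenda.ppsx'),
    Event(7, 4002, r"C:\Program Files\Office\powerpnt.exe", loaded=r"C:\Users\v\AppData\Local\Temp\helper.dll", signed=False),
    Event(7, 4002, r"C:\Program Files\Office\powerpnt.exe", loaded=r"C:\Windows\System32\version.dll"),
]

if __name__ == "__main__":
    for alert in detect_sideload(SAMPLE_EVENTS):
        print("possible DLL side-loading:", alert)
```

The signed System32 load in the sample is left alone; only the two unsigned DLLs pulled from the user's Temp directory are reported.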
