Pakistan Got Hit By Confucius Hackers via New WooperStealer and Anondoor Malware
“Recently, Pakistan got hit by Confucius Hackers using the New WooperStealer and Anondoor Malware.”
A recent phishing campaign targeting Pakistan with the WooperStealer and Anondoor malware families has been attributed to the threat actor known as Confucius.
Cara Lin, Researcher, Fortinet FortiGuard Labs
“Using spear-phishing and malicious documents as initial access vectors, Confucius has frequently targeted government agencies, military organizations, defense contractors, and key businesses, particularly in Pakistan, during the past ten years.”
“The group has shown great flexibility, adjusting its toolkit to fit changing intelligence-gathering priorities and adding obfuscation measures to avoid discovery.”
“Its latest efforts demonstrate Confucius’ tenacity as well as its capacity to quickly switch between methods, infrastructure, and malware families to preserve operational efficacy.”
“To ensure persistent and covert data exfiltration without warning the user or security systems, the malware waits for a configurable duration and retries transferring the data up to 20 times, logging failures.”
Confucius is an established threat group believed to have been active in South Asia since 2013. Its use of the Python-based backdoor Anondoor in recent campaigns marks an evolution in the group’s tooling and tradecraft.
In December 2024, one of the attack chains reported by Fortinet targeted users in Pakistan by tricking them into opening a .PPSX file, which then used DLL side-loading to deliver WooperStealer.

A second wave, observed in March 2025, used Windows shortcut (.LNK) files to drop the malicious WooperStealer DLL, again loaded through DLL side-loading, to steal sensitive information from victim machines.
An LNK file discovered in August 2025 used the same technique to side-load a malicious DLL. This time, however, the DLL delivers Anondoor, a Python implant that collects device information and sends it to an external server, then waits for further tasks: executing commands, taking screenshots, listing files and directories, and retrieving Google Chrome passwords.
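As an added example (not code from Fortinet, K7 or the article’s author), the following Python sketches how a detection engineer might flag the DLL side-loading pattern described above in Sysmon-style image-load telemetry: a DLL carrying a System32 name that is loaded from a user-writable directory which also holds the host executable, the classic “signed EXE beside malicious DLL” layout. The event fields, the directory lists, the DLL names, the launcher list and the sample events are all constructed assumptions for illustration, not indicators from the reported campaigns.

```python
"""Heuristic detection of DLL side-loading in Sysmon-style image-load events.

Added example for this article; it is neither Fortinet's code nor the
malware's. The event shape, the directory lists and the set of system
DLL names are assumptions chosen to illustrate the technique.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL base names that legitimately live in System32 (assumed, non-exhaustive).
SYSTEM_DLLS = {"version.dll", "dwmapi.dll", "uxtheme.dll", "cryptbase.dll", "wininet.dll"}

# Locations from which loading such a DLL is expected (assumed list).
TRUSTED_DIRS = (
    "c:\\windows\\system32",
    "c:\\windows\\syswow64",
    "c:\\program files",
    "c:\\program files (x86)",
)

# User-writable locations where dropped payloads typically land (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")

# Parent processes that suggest a document or shortcut launch (assumed list).
DOC_LAUNCHERS = {"powerpnt.exe", "winword.exe", "excel.exe", "explorer.exe", "powershell.exe"}


@dataclass
class ImageLoadEvent:
    """Minimal subset of a Sysmon EventID 7 (ImageLoad) record."""
    process_image: str   # executable that loaded the DLL
    image_loaded: str    # path of the DLL that was loaded
    signed: bool         # signature status of the loaded DLL
    parent_image: str    # parent of the loading process


def _norm(path: str) -> str:
    """Lower-case and normalise separators so path comparisons are stable."""
    return path.replace("/", "\\").lower()


def is_side_load(ev: ImageLoadEvent) -> bool:
    """True when a System32-named DLL is loaded from an untrusted, user-writable
    directory that also contains the host executable."""
    dll = PureWindowsPath(_norm(ev.image_loaded))
    if dll.name not in SYSTEM_DLLS:
        return False
    if str(dll).startswith(TRUSTED_DIRS):
        return False
    host_dir = str(PureWindowsPath(_norm(ev.process_image)).parent)
    dll_dir = str(dll.parent)
    co_located = host_dir == dll_dir
    writable = any(marker in dll_dir + "\\" for marker in USER_WRITABLE)
    return co_located and writable


def triage(events):
    """Return one finding per suspicious event with the context an analyst wants."""
    findings = []
    for ev in events:
        if not is_side_load(ev):
            continue
        parent = PureWindowsPath(_norm(ev.parent_image)).name
        findings.append({
            "host_exe": ev.process_image,
            "dll": ev.image_loaded,
            "dll_signed": ev.signed,
            "parent": parent,
            "document_launch": parent in DOC_LAUNCHERS,
        })
    return findings


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Benign: a system service loading version.dll from System32.
    ImageLoadEvent(r"C:\Windows\System32\svchost.exe",
                   r"C:\Windows\System32\version.dll", True,
                   r"C:\Windows\System32\services.exe"),
    # Suspicious: an EXE in %TEMP% loading an unsigned version.dll beside it,
    # started by PowerPoint (the PPSX-style lure described in the article).
    ImageLoadEvent(r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
                   r"C:\Users\alice\AppData\Local\Temp\version.dll", False,
                   r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"),
    # Benign: an application loading its own private DLL from Program Files.
    ImageLoadEvent(r"C:\Program Files\SomeApp\app.exe",
                   r"C:\Program Files\SomeApp\helper.dll", True,
                   r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The rule is deliberately narrow: it only fires when the DLL name collides with a known system DLL and both files sit together in a user-writable directory, which keeps noise low at the cost of missing loads from other locations. In production the system-DLL set should be generated from a clean host’s System32 rather than hand-maintained, and the `document_launch` flag is context for prioritisation, not a condition for alerting, since explorer.exe is the parent of most user-launched programs.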

Notably, the KnownSec 404 Team documented the threat actor’s use of Anondoor on Seebug in July 2025. The move from information stealers to a backdoor signals a shift toward long-term monitoring and persistence.
Separately, K7 Security Labs described an infection chain linked to the Patchwork group that starts with a malicious macro which downloads a malicious .LNK file. The shortcut contains PowerShell code that launches the main payload while displaying a decoy PDF document, and the chain also relies on DLL side-loading to fetch additional payloads.
The final payload connects to the threat actor’s command-and-control (C2) server, collects system information, and retrieves an encoded command that is decoded and executed through cmd.exe.
It can also download files from a remote URL, upload files from the host, capture screenshots, and stage the collected data locally in a temporary directory.

About The Author
Suraj Koli is a content specialist in technical writing about cybersecurity and information security. He has written many articles on cybersecurity concepts, the latest trends in cyber awareness, and ethical hacking.