Confucius hackers hit Pakistan with new Wooperstealer and Anondoor malware

October 2, 2025

The threat actor known as Confucius has been attributed to a new phishing campaign targeting Pakistan that delivers malware families such as Wooperstealer and Anondoor.

“For the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and especially important industries in Pakistan,” Fortinet said.

Confucius has been active since 2013 and is a long-running hacking group believed to operate across South Asia. A recent campaign by the threat actor employs a Python-based backdoor called Anondoor, showing the group’s evolving tradecraft and its technical agility.

One of the attack chains, aimed at Pakistani users in December 2024, tricked the recipient into opening a .ppsx file and used DLL sideloading to trigger the delivery of Wooperstealer.

A subsequent attack wave, observed in March 2025, used a Windows shortcut (.lnk) file to drop the malicious Wooperstealer DLL, which was then loaded via DLL sideloading and stole sensitive data from the compromised host.

Another .lnk file discovered in August 2025 used similar tactics to drop a malicious DLL. This time, the DLL paves the way for Anondoor, which exfiltrates device information to an external server and then waits for further tasks: executing commands, capturing screenshots, and harvesting passwords and directory information.

It is worth noting that the threat actor’s use of Anondoor was previously documented in July 2025 by the Knownsec 404 Team, which runs Seebug.

“This group has tweaked that toolset to demonstrate strong adaptability, avoid detection, adjust its toolset and change the prioritization of intelligence collection,” Fortinet said. “Recent campaigns have demonstrated Confucius’ sustainability as well as its ability to pivot quickly among its methods, infrastructure and malware families, maintaining operational effectiveness.”

The disclosure comes as K7 Security Labs detailed an infection sequence associated with the Patchwork group. It starts with a malicious macro that downloads additional payloads and uses DLL sideloading to launch the primary malware, while also fetching PowerShell code that likewise relies on DLL sideloading and displays a decoy PDF document.

The final payload establishes contact with the threat actor’s command-and-control (C2) server, collects system information, and retrieves encoded instructions that are decrypted and executed via cmd.exe. It is also capable of taking screenshots, uploading files from the machine, downloading files from a remote URL, and saving them locally in a temporary directory.

“The malware waits for a configurable period to resend data up to 20 times, tracking failures and ensuring persistent, stealthy data removal without warning users or security systems,” the company said.
