Confucius APT Expands Cyber Espionage Campaigns Against Pakistan with New Malware Tools
The threat group Confucius, active since at least 2013, has launched a renewed phishing campaign targeting Pakistan, deploying advanced malware families including WooperStealer and the Python-based backdoor Anondoor. According to Fortinet FortiGuard Labs, the group has historically focused on government agencies, military organizations, defense contractors, and critical industries in South Asia, using spear-phishing and malicious documents as initial attack vectors.
Recent activity reveals an evolution in Confucius’ tactics. In December 2024, the group used a malicious .PPSX file to deliver WooperStealer via DLL side-loading, a technique also employed in a March 2025 campaign that leveraged Windows shortcut (.LNK) files to deploy the same malware. By August 2025, Confucius had shifted to Anondoor, a Python-based implant capable of exfiltrating device data, executing commands, capturing screenshots, enumerating files, and stealing Chrome passwords.
The group’s transition from information stealers to backdoors suggests a strategic pivot toward long-term surveillance and persistence. Fortinet notes that Confucius has demonstrated strong adaptability, employing obfuscation techniques and rapidly adjusting its infrastructure and malware to evade detection and align with intelligence-gathering objectives.
Separately, K7 Security Labs reported on a Patchwork APT campaign involving malicious macros that download .LNK files containing PowerShell code. These files initiate DLL side-loading to execute malware while displaying a decoy PDF, ultimately establishing command-and-control (C2) communication to exfiltrate system data, capture screenshots, and transfer files, all while employing stealth mechanisms to avoid detection.
Source: https://thehackernews.com/2025/10/confucius-hackers-hit-pakistan-with-new.html
Establishment Division, Government of Pakistan cybersecurity rating report: https://www.rankiteo.com/company/establishment-division-government-of-pakistan
Pakistan Military Accounts Department (PMAD) cybersecurity rating report: https://www.rankiteo.com/company/pakistan-military-accounts-department-pmad
Turkish Aerospace Pakistan cybersecurity rating report: https://www.rankiteo.com/company/turkish-aerospace-pakistan
{
"id": "ESTPAKTUR1770202197",
"linkid": "establishment-division-government-of-pakistan, pakistan-military-accounts-department-pmad, turkish-aerospace-pakistan",
"type": "Cyber Attack",
"date": "12/2024",
"severity": "100",
"impact": "8",
"explanation": "Attack that could bring to a war"
}
{'affected_entities': [{'industry': ['Government', 'Defense', 'Critical Infrastructure'],
                        'location': 'Pakistan, South Asia',
                        'type': ['Government agencies', 'Military organizations',
                                 'Defense contractors', 'Critical industries']}],
 'attack_vector': ['Spear-phishing', 'Malicious documents', 'DLL side-loading',
                   'Windows shortcut (.LNK) files'],
 'data_breach': {'data_exfiltration': True,
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Device data', 'Chrome passwords',
                                              'System data', 'Screenshots', 'Files']},
 'date_detected': '2024-12-01',
 'date_publicly_disclosed': '2025-08-01',
 'description': 'The threat group Confucius has launched a renewed phishing campaign targeting Pakistan, deploying advanced malware families including WooperStealer and the Python-based backdoor Anondoor. The group has historically focused on government agencies, military organizations, defense contractors, and critical industries in South Asia, using spear-phishing and malicious documents as initial attack vectors. Recent activity reveals an evolution in Confucius’ tactics, including DLL side-loading and the use of Windows shortcut (.LNK) files to deploy malware. The group has shifted from information stealers to backdoors for long-term surveillance and persistence.',
 'impact': {'data_compromised': 'Device data, Chrome passwords, system data, screenshots, files',
            'identity_theft_risk': 'High'},
 'initial_access_broker': {'backdoors_established': True,
                           'high_value_targets': ['Government agencies', 'Military organizations',
                                                  'Defense contractors']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Confucius APT demonstrates strong adaptability, employing obfuscation techniques and rapidly adjusting infrastructure and malware to evade detection and align with intelligence-gathering objectives.',
 'motivation': 'Intelligence-gathering, Long-term surveillance',
 'post_incident_analysis': {'root_causes': 'Evolution in tactics, use of advanced malware (WooperStealer, Anondoor), DLL side-loading, and Windows shortcut (.LNK) files for initial access.'},
 'references': [{'source': 'Fortinet FortiGuard Labs'}, {'source': 'K7 Security Labs'}],
 'response': {'third_party_assistance': 'Fortinet FortiGuard Labs, K7 Security Labs'},
 'threat_actor': 'Confucius APT',
 'title': 'Confucius APT Expands Cyber Espionage Campaigns Against Pakistan with New Malware Tools',
 'type': 'Cyber Espionage'}