Confucius, a long-running espionage actor active primarily in South Asia, has evolved from using document stealers like WooperStealer to deploying Python-based backdoors such as AnonDoor, leveraging spear-phishing, malicious LNK files, OLE objects, DLL side-loading, and scheduled tasks for persistence. Recent campaigns targeted Microsoft Windows users in Pakistan and exfiltrated a wide range of files to domains including marshmellowflowerscar.info and bloomwpp.info. #WooperStealer #AnonDoor
Keypoints
- Confucius has operated since 2013 and primarily targets government, military, defense contractors, and critical industries in South Asia, especially Pakistan.
- Initial access vectors included weaponized Office documents with embedded OLE objects and malicious LNK files delivered via spear-phishing emails.
- Attack chains used VBScript/PowerShell downloaders, MSIL downloaders, DLL side-loading (copying fixmapi.exe to BlueAle.exe/Swom.exe), and registry/scheduled-task persistence.
- Final-stage payloads included WooperStealer (exfiltrates many file types) and a new Python-based backdoor, AnonDoor (pyc backdoor with modular commands).
- AnonDoor fingerprints hosts, inventories drives, contacts C2, and supports commands like CmdExecution, Screenshoot, fileListing, DownloadFile, FolderDownload, basicinfo, and PasswordDumper.
- Campaign infrastructure included multiple malicious domains (e.g., greenxeonsr.info, petricgreen.info, bloomwpp.info) used for hosting payloads and C2.
- Fortinet detections and protections (FortiGuard AV, FortiGate, FortiMail, FortiClient, FortiEDR, FortiGuard CDR) cover the observed malware and delivery mechanisms.
MITRE Techniques
- [T1566] Phishing – used spear-phishing emails with authority spoofing and action-oriented requests to entice victims to open malicious attachments (“phishing email campaign targeted users in Pakistan”).
- [T1204] User Execution – weaponized Office documents and LNK files relied on victims opening the files and presented decoys to hide the activity (Document.ppsx showed a “Corrupted Page” message, and the LNK opened a PDF as a distraction).
- [T1202] Indirect Command Execution (Malicious Script) – embedded OLE objects and VBScript/PowerShell downloaders executed remote scripts to fetch payloads (“embedded OLE object … triggered a script … from the remote URL greenxeonsr.info”).
- [T1218] Signed Binary Proxy Execution (DLL Side-Loading) – attackers copied C:\Windows\System32\fixmapi.exe to user-writable locations and launched the copy to side-load the malicious Mapistub.dll/python313.dll (“copies C:\Windows\System32\fixmapi.exe … as Swom.exe … DLL side-loading and execute the malicious DLL Mapistub.dll”).
- [T1105] Ingress Tool Transfer – downloaders fetched payloads and wrote them to disk (MSXML2.XMLHTTP/ADODB.Stream used to save Mapistub.dll from hxxps://greenxeonsr[.]info/Jsdfwejhrg.rko).
- [T1547] Boot or Logon Autostart Execution (Registry) – persistence via a registry entry under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load pointing to the dropped executable (“writes a registry string value … for persistence”).
- [T1053] Scheduled Task/Job – persistence and stealthy execution via a scheduled task named NetPolicyUpdate that runs pythonw.exe every 5 minutes (“creates a task named NetPolicyUpdate … executes pythonw.exe … every 5 minutes”).
- [T1027] Obfuscated Files or Information – heavy obfuscation, long numeric arrays decoded into scripts, Base64-encoded strings, and hard-coded methods used to hide behavior (“applies a long numeric array … to reconstruct a script”, “DLL embedded two Base64-encoded strings”).
- [T1005] Data from Local System (File and Directory Discovery) – WooperStealer collected many file types, and AnonDoor performed fileListing and directory inventory (“configured to collect a wide range of file types”, “fileListing … Directory_listing … FolderDownload”).
- [T1071] Application Layer Protocol (HTTP/S) – C2 communication and file uploads used HTTP(S) POST/GET requests to domains such as marshmellowflowerscar.info and bloomwpp.info (“uploads stolen data to the remote URL hxxp://marshmellowflowerscar[.]info”, “contacts its C2 server … bloomwpp.info”).
- [T1113] Screen Capture – AnonDoor supports a Screenshoot command that captures the victim’s screen and sends a Base64-encoded PNG to the C2 (“used to capture the victim’s screen … builds PNG data … sends it back to the C2 server”).
- [T1003] Credentials from Web Browsers (Password Dumping) – the PasswordDumper command downloads helper scripts to extract stored credentials from browsers such as Firefox and Edge (“Fohjdfj783mq9XX.py is for Firefox, and Fodkh3897mgfdjiuED.py is for Edge”).
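The two persistence artifacts described above (the NetPolicyUpdate task running pythonw.exe on a repeat interval, and the per-user Windows NT "load" registry value pointing at a renamed fixmapi.exe copy) can be hunted offline from exported host data. This is an added example, not code from the report or from Fortinet; it parses the text of `schtasks /query /fo CSV /v` (a subset of columns) and `reg query ... /v load`, and the sample rows, user paths, and the extra "Backup" task are constructed to show that the pythonw.exe check generalizes beyond the reported task name.

```python
import csv
import io
import re

# Artifact names taken from the report: the persistence task, the renamed
# fixmapi.exe side-loading hosts, and the per-user "load" registry value.
SUSPICIOUS_TASK = "NetPolicyUpdate"
RENAMED_HOSTS = {"swom.exe", "blueale.exe"}
LOAD_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows"

# Constructed samples in the shape of 'schtasks /query /fo CSV /v' (subset of
# columns) and 'reg query <key> /v load' output; paths and the Backup task are made up.
SAMPLE_SCHTASKS = r'''"TaskName","Task To Run","Repeat: Every"
"\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c -h -o -$","N/A"
"\NetPolicyUpdate","C:\Users\victim\AppData\Local\pythonw.exe winresume.pyc","0:05:00"
"\Backup","C:\Users\victim\pythonw.exe sync.pyc","0:10:00"
'''
SAMPLE_REG = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    load    REG_SZ    C:\Users\victim\AppData\Roaming\Swom.exe
"""

def hunt_tasks(schtasks_csv: str) -> list:
    """Flag the reported task by name, and more generally any task that runs
    pythonw.exe on a repeat interval (the report describes a 5-minute cadence)."""
    findings = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        name = row.get("TaskName", "")
        action = row.get("Task To Run", "").lower()
        repeat = row.get("Repeat: Every", "")
        if name.rsplit("\\", 1)[-1] == SUSPICIOUS_TASK:
            findings.append(f"task {name}: name matches reported persistence task")
        elif "pythonw.exe" in action and repeat not in ("", "N/A", "Disabled"):
            findings.append(f"task {name}: pythonw.exe repeating every {repeat} -> {action}")
    return findings

def hunt_load_value(reg_output: str) -> list:
    """Flag a populated 'load' value under the per-user Windows NT key; note
    when it points at one of the renamed fixmapi.exe hosts from the report."""
    if LOAD_KEY.lower() not in reg_output.lower():
        return []
    m = re.search(r"^\s*load\s+REG_\w+\s+(\S.*?)\s*$", reg_output, re.M | re.I)
    if not m:
        return []
    target = m.group(1)
    exe = target.lower().rsplit("\\", 1)[-1]
    note = "renamed fixmapi.exe host" if exe in RENAMED_HOSTS else "non-empty load value"
    return [f"registry load -> {target} ({note})"]
```

On a real host the same functions take the captured output of the two commands; a legitimate environment normally has no `load` value at all, so any non-empty hit deserves a look even when the file name differs.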
Indicators of Compromise
- [Domain] payload/C2 hosting and exfiltration – greenxeonsr.info, marshmellowflowerscar.info, bloomwpp.info, petricgreen.info (multiple campaign domains used to host downloaders, payloads, and C2).
- [File Hash – PPSX] malicious document – c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de (Document.ppsx sample hash).
- [File Hash – LNK] malicious shortcut – 5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e… (LNK sample hash and others).
- [File Hash – DLL] loader/stub DLL – 8603b9fa8a6886861571fd8400d96a705eb6258821c6ebc679476d1b92dcd09e2 (mapistub.dll/python313.dll style DLL hash).
- [File Hash – PYC] Python backdoor – 06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6 (winresume.pyc / AnonDoor PYC file hash).