Researchers have uncovered a new phishing campaign by the Confucius threat actor, a South Asia–focused advanced persistent threat (APT) group. The campaign targets government and strategic organizations in Pakistan, deploying two key malware families: WooperStealer and Anondoor.
This marks another escalation in Confucius’ ongoing efforts to conduct long-term espionage operations in the region.
Phishing as the Initial Vector
The campaign begins with phishing emails carrying PPSX slideshow files and malicious LNK shortcuts. When opened, these files trigger DLL side-loading attacks, which eventually deliver the malware payloads.
As a result, victims unknowingly initiate the installation of WooperStealer and secondary backdoors, giving attackers a foothold in their systems.
WooperStealer: Credential and Data Theft
The first-stage malware, WooperStealer, is designed to harvest sensitive information. Its features include:
- Stealing browser-stored credentials
- Capturing screenshots of user activity
- Collecting files of interest from local drives
- Exfiltrating data to attacker-controlled servers
This stealer allows attackers to quickly obtain authentication data and reconnaissance details before deploying further malware.
Anondoor: A Persistent Python Backdoor
Once initial theft is complete, the attackers deploy Anondoor, a custom Python-based implant. It provides:
- Remote command execution
- File upload and download capabilities
- Persistence mechanisms for long-term access
- Covert communication with C2 infrastructure
With Anondoor in place, attackers
The combination of phishing, WooperStealer, and Anondoor creates a powerful attack chain. By stealing credentials and installing a persistent backdoor, Confucius can:
- Access sensitive government communications
- Exfiltrate classified documents
- Monitor systems for extended periods
- Escalate privileges within target networks
Therefore, the campaign represents a significant risk to national security and critical infrastructure in Pakistan.
Defensive Measures
Researchers recommend organizations in the region adopt stronger defenses, including:
- Block suspicious attachments like PPSX and LNK files at the email gateway.
- Use advanced EDR tools capable of detecting DLL side-loading.
- Enforce multi-factor authentication (MFA) to reduce credential theft impact.
- Regularly audit accounts and permissions for anomalies.
- Segment high-value networks to limit lateral movement.
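As an added illustration of the first two measures (not part of the original article or of any vendor tooling), the following Python sketches a gateway-side attachment check for PPSX/LNK files, including double extensions, and a detection rule for the shape DLL side-loading takes in image-load telemetry. The log line format, the directory lists and the sample events are constructed assumptions, not artifacts from the campaign.

```python
from pathlib import PureWindowsPath

# Attachment types the article says to block at the email gateway.
BLOCKED_EXTENSIONS = {".ppsx", ".lnk"}

# Directories a non-admin user (and so a phishing payload) can write to; assumed list.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Constructed image-load events in a simple key=value|key=value form (not real EDR output).
SAMPLE_EVENTS = [
    "Image=C:\\Program Files\\Vendor\\app.exe|ImageLoaded=C:\\Windows\\System32\\shared.dll"
    "|ImageSigned=true|LoadedSigned=true",
    "Image=C:\\Users\\analyst\\Downloads\\brief\\viewer.exe"
    "|ImageLoaded=C:\\Users\\analyst\\Downloads\\brief\\helper.dll|ImageSigned=true|LoadedSigned=false",
    "Image=C:\\Users\\analyst\\AppData\\Local\\Temp\\tool.exe"
    "|ImageLoaded=C:\\Users\\analyst\\AppData\\Local\\Temp\\plugin.dll|ImageSigned=false|LoadedSigned=false",
]


def should_block_attachment(filename: str) -> bool:
    """True if any extension in the name is on the block list; every suffix is
    checked so a double extension such as brief.pdf.lnk is caught as well."""
    suffixes = {s.lower() for s in PureWindowsPath(filename).suffixes}
    return bool(suffixes & BLOCKED_EXTENSIONS)


def parse_event(line: str) -> dict:
    """Split one constructed 'key=value|key=value' event line into a dict."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))


def is_sideload_candidate(event: dict) -> bool:
    """DLL side-loading looks like a signed host binary loading an unsigned DLL
    from a directory the user can write to; flag exactly that shape."""
    loaded = event["ImageLoaded"].lower()
    if not loaded.endswith(".dll") or not loaded.startswith(USER_WRITABLE_PREFIXES):
        return False
    host_signed = event.get("ImageSigned", "false").lower() == "true"
    dll_signed = event.get("LoadedSigned", "false").lower() == "true"
    return host_signed and not dll_signed


def scan_events(lines) -> list:
    """Return the ImageLoaded path of every event matching the side-loading shape."""
    return [parse_event(l)["ImageLoaded"] for l in lines if is_sideload_candidate(parse_event(l))]
```

The third sample (unsigned host, unsigned DLL) is deliberately left to other rules: this check targets the trusted-host/untrusted-DLL pairing specifically.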
Additionally, continuous threat intelligence sharing among regional entities is critical for early detection of Confucius activity.
The Confucius APT continues to refine its toolkit, now using WooperStealer for initial data theft and Anondoor for persistence in Pakistani networks.
This campaign highlights the enduring threat posed by state-aligned espionage groups and underscores the urgent need for layered defenses, user awareness, and cross-organization intelligence collaboration.
FAQs
Q: Who is behind the WooperStealer and Anondoor campaign?
A: The attacks were launched by the Confucius APT group, known for espionage operations in South Asia.
Q: How are the attacks delivered?
A: Through phishing emails containing malicious PPSX and LNK files that load malware via DLL side-loading.
Q: What does WooperStealer do?
A: It steals credentials, captures screenshots, and exfiltrates data from infected systems.
Q: What is Anondoor?
A: A Python-based backdoor used to execute commands, upload/download files, and maintain persistence.