The threat group Confucius has launched a new wave of cyberattacks against Pakistan, using two malicious programs, WooperStealer and Anondoor, that steal data and give the attackers long-term access to infected devices.

According to Fortinet FortiGuard Labs, the campaign began in late 2024 and continued into 2025. The attackers sent phishing emails carrying .PPSX or .LNK attachments; once opened, these used DLL side-loading (placing a malicious DLL where a legitimate executable expects to find a library of that name) to load a trojanized DLL. Several waves of attacks delivering WooperStealer, a tool built to steal passwords, files, and other sensitive information, were recorded in March and August 2025.
The newest stage is marked by the appearance of Anondoor, a Python-based implant that not only exfiltrates data but also provides a backdoor for long-term control of the device. It can execute commands, take screenshots, browse the file system, and steal browser-saved passwords.
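The DLL side-loading step described above is one of the few parts of the chain a defender can hunt for generically, since it leaves a recognisable footprint: a well-known Windows DLL name being loaded from somewhere other than the Windows directory, often from a user-writable folder next to the host executable. The script below is an added illustration, not code from Fortinet or from the original article, and makes no claim about which executables or DLL names Confucius actually abused. It applies that heuristic to a handful of constructed Sysmon-style image-load records (Event ID 7); the DLL name list, path markers and field names are assumptions chosen for the example.

```python
import ntpath

# Constructed Sysmon-style image-load events (Event ID 7) in dict form.
# These records were written for this example; they are not from the report.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Users\alice\Downloads\report.exe",
     "ImageLoaded": r"C:\Users\alice\Downloads\wininet.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\App\app.exe",
     "ImageLoaded": r"C:\Program Files\App\helper.dll", "Signed": "true"},
]

# DLL names frequently targeted for side-loading. Illustrative subset chosen
# for this example (assumption), not a list taken from the Fortinet report.
KNOWN_DLL_NAMES = {"version.dll", "wininet.dll", "dwmapi.dll",
                   "cryptbase.dll", "uxtheme.dll"}

# Path fragments that mark user-writable locations on a default Windows layout
# (assumption; extend for non-standard profile paths).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")


def is_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE_MARKERS)


def is_windows_dir(path: str) -> bool:
    return path.lower().startswith("c:\\windows\\")


def check_image_load(event: dict):
    """Return a finding dict if the event looks like DLL side-loading, else None."""
    if event.get("EventID") != 7:
        return None
    loaded = event.get("ImageLoaded", "")
    name = ntpath.basename(loaded).lower()
    # A system DLL name loaded from the Windows directory is the normal case.
    if name not in KNOWN_DLL_NAMES or is_windows_dir(loaded):
        return None
    reasons = ["known DLL name loaded from outside the Windows directory"]
    if is_user_writable(loaded):
        reasons.append("DLL sits in a user-writable directory")
    host_dir = ntpath.dirname(event.get("Image", "")).lower()
    if ntpath.dirname(loaded).lower() == host_dir:
        reasons.append("DLL is beside the host executable (classic side-load layout)")
    if str(event.get("Signed", "")).lower() == "false":
        reasons.append("loaded DLL is unsigned")
    return {"process": event.get("Image"), "dll": name,
            "path": loaded, "reasons": reasons}


def hunt(events):
    """Run the side-loading heuristic over a list of events; return findings."""
    findings = []
    for event in events:
        finding = check_image_load(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f["process"], "->", f["path"], "|", "; ".join(f["reasons"]))
```

Two of the four constructed records are flagged: the unsigned version.dll loaded from a Temp folder and the unsigned wininet.dll loaded from Downloads, both beside their host executable. Image-load telemetry is high volume, so in practice the Sysmon configuration should be scoped to the DLL names and directories of interest before a rule like this is run at scale, and a match should be treated as a lead for triage rather than a verdict.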

Confucius has been active since 2013, focusing its attacks on government institutions, military organizations, and strategic enterprises in South Asia, Pakistan in particular. The group is known for its adaptability: it quickly changes tactics, infrastructure, and tooling to avoid detection. The shift from simple data theft to backdoors shows its focus on long-term espionage and monitoring.
The latest Confucius campaign highlights the growing danger posed by well-organized groups that combine classic techniques, such as phishing attachments and DLL side-loading, with new tooling to make their operations more resilient. The use of WooperStealer and Anondoor shows the group's aim of maintaining long-term access to victim networks, which makes it a particular threat to government agencies and defense enterprises.