Confucius Hackers Hit Pakistan With New WooperStealer and Anondoor Malware
Briefly

"One of the attack chains documented by Fortinet targeted users in Pakistan sometime in December 2024, tricking recipients into opening a .PPSX file, which then triggers the delivery of WooperStealer using DLL side-loading techniques. A subsequent attack wave observed in March 2025 has been found to employ Windows shortcut (.LNK) files to unleash the malicious WooperStealer DLL, again launched using DLL side-loading, to steal sensitive data from compromised hosts."
"Another .LNK file spotted in August 2025 also leveraged similar tactics to sideload a rogue DLL, only this time the DLL paves the way for Anondoor, a Python implant that's designed to exfiltrate device information to an external server and await further tasks to execute commands, take screenshots, enumerate files and directories, and dump passwords from Google Chrome. It's worth noting that the threat actor's use of Anondoor was documented in July 2025 by Seebug's KnownSec 404 Team."
Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries, with particular focus on Pakistan, using spear-phishing and malicious documents for initial access. The group has been active since 2013 and operates across South Asia. Recent campaigns used WooperStealer and a Python-based backdoor named Anondoor, reflecting evolving tradecraft. Attack chains included .PPSX lure files in December 2024 and .LNK shortcut files in March and August 2025 that employed DLL side-loading to load malicious DLLs. Anondoor exfiltrates device information, executes commands, captures screenshots, enumerates files, and dumps Chrome passwords. The group layers obfuscation to evade detection and tailors tools to intelligence-gathering priorities.
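Both attack waves above rely on DLL side-loading: a legitimate, usually signed executable is dropped next to a rogue DLL carrying the name of a library the executable expects, so the Windows loader resolves the name from the application directory before the system directory. The script below is an added example for defenders, not code from The Hacker News, Fortinet, or the KnownSec 404 Team report. It applies a simple side-loading heuristic to image-load records. The record layout (a dict with `image`, `image_loaded`, `process_id` keys) is a constructed, Sysmon-like shape, not any product's real schema; the DLL-name list is an illustrative set of commonly abused library names and is not taken from this campaign; and all sample events are invented.

```python
"""Heuristic detection of DLL side-loading from image-load events.

Added example (not from the article). The event schema, the DLL-name list and
the sample events are all constructed for illustration.
"""
from pathlib import PureWindowsPath

# Windows system directories where a system-named DLL is expected to live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Illustrative set of library names often planted next to a signed EXE for
# side-loading. Assumed list; the page does not name the DLLs used here.
KNOWN_SYSTEM_DLLS = {
    "version.dll", "dwmapi.dll", "userenv.dll", "cryptbase.dll",
    "wininet.dll", "dbghelp.dll", "msimg32.dll",
}

# Path fragments that indicate a location an unprivileged user can write to,
# which is where phishing lures (.PPSX, .LNK) typically stage their payload.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Constructed sample events: one side-loading candidate and three benign loads.
SAMPLE_EVENTS = [
    {"process_id": 4120,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Updater\\WinWord.exe",
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\Updater\\version.dll"},
    {"process_id": 812,
     "image": "C:\\Windows\\System32\\svchost.exe",
     "image_loaded": "C:\\Windows\\System32\\version.dll"},
    {"process_id": 5534,
     "image": "C:\\Program Files\\App\\app.exe",
     "image_loaded": "C:\\Program Files\\App\\applib.dll"},
    {"process_id": 6001,
     "image": "C:\\Users\\bob\\Downloads\\viewer.exe",
     "image_loaded": "C:\\Windows\\System32\\dwmapi.dll"},
]


def _norm(path: str) -> str:
    """Lower-case and use backslashes so string comparisons are consistent."""
    return path.lower().replace("/", "\\")


def in_system_dir(path: str) -> bool:
    """True when the path sits under a Windows system directory."""
    return _norm(path).startswith(SYSTEM_DIRS)


def side_loading_signals(event: dict) -> list:
    """Return the list of side-loading indicators present in one event.

    The first signal (system-named DLL resolved outside the system directories)
    is the primary indicator; the others are corroborating context.
    """
    image = PureWindowsPath(event["image"])
    loaded = PureWindowsPath(event["image_loaded"])
    signals = []
    if loaded.name.lower() in KNOWN_SYSTEM_DLLS and not in_system_dir(str(loaded)):
        signals.append("system-named DLL outside Windows system directories")
    if _norm(str(loaded.parent)) == _norm(str(image.parent)) and not in_system_dir(str(image)):
        signals.append("DLL loaded from the executable's own directory")
    if any(marker in _norm(str(loaded)) for marker in USER_WRITABLE_MARKERS):
        signals.append("DLL lives in a user-writable location")
    return signals


def scan(events: list) -> list:
    """Return the events worth triage: only those carrying the primary signal.

    An application legitimately loading its own private DLL from Program Files
    produces a corroborating signal but no primary one, so it is not reported.
    """
    flagged = []
    for event in events:
        signals = side_loading_signals(event)
        if signals and signals[0].startswith("system-named DLL"):
            flagged.append({"pid": event["process_id"], "image": event["image"],
                            "dll": event["image_loaded"], "signals": signals})
    return flagged


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f"PID {hit['pid']}: {hit['image']} loaded {hit['dll']}")
        for s in hit["signals"]:
            print(f"    - {s}")
```

Only the first sample event is reported: a system-named `version.dll` resolved from a Temp directory, loaded from the same folder as the executable. The Program Files application that loads its own `applib.dll` yields one corroborating signal but no primary one, which is why `scan` requires the primary signal before raising anything. In a real deployment the `KNOWN_SYSTEM_DLLS` set should be tuned to the environment's software inventory, and hits should be enriched with the loading executable's signer and the parent process (an `explorer.exe` parent launched via a `.LNK` is the shape of chain described above).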
Read at The Hacker News