Confucius gang strikes again
The Confucius hacking gang, infamous for its cyber-espionage operations and alleged state-sponsored links, has advanced its attack tactics in recent times, shifting from document stealers such as WooperStealer to advanced Python-based backdoors like AnonDoor malware.
The testimony to this is the December 2024 campaign, which showed the gang’s highly advanced engineering methods, using phishing emails via malicious PowerPoint presentations (Document.ppsx) that showed "Corrupted Page” notification to victims.
Attack tactic
“The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities. Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness,” FortiGuard Labs said.
The infected file consisted of embedded OLE objects that prompted a VBScript command from remote infrastructure, starting a malicious chain.
FortiGuard Labs discovered how this gang has attacked Office documents and infected LNK files to damage Windows systems throughout the South Asian region, including organizations in Pakistan. The attack tactic uses DLL side-loading; the malware imitates genuine Windows commands such as fixmapi.exe, to user directories for persistence.
About LNK-based attacks
Earlier this year, Confucius moved to disguise infected LNK files as genuine documents such as “Invoice_Jan25.pdf.lnk.” These documents trigger PowerShell commands that install an infected DLL and fake PDF documents via remote servers, creating a disguised, authentic file access while building backdoor access.
These files execute PowerShell commands that download malicious DLLs and decoy PDF documents from remote servers, maintaining the illusion of legitimate file access while establishing backdoor access. The downloaded DLL makes persistence channels and creates Base64-coded remote host addresses for payload deployment.
Findings
The study found that the final payload remained WooperStealer, modified to extract different file types such as archives, images, documents, and email files with different extensions.
One major development happened in August 2025 with AnonDoor, an advanced Python-based backdoor, different from older NET-based tools.
Plan forward
According to Fortinet, “the layered attack chain leverages encoded components, DLL side-loading, and scheduled task persistence to secure long-term access and exfiltrate sensitive data while minimizing visibility.”
Organizations are advised to be vigilant against different attack tactics, as cyber criminal gangs keep evolving their methods to escape detection.
