Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Confucius. Show all posts
Windows
AnonDoor Confucius espionage malware Windows

Confucius Espionage: Gang Hijacks to Attack Windows Systems Via Malware


Confucius gang strikes again

The Confucius hacking gang, infamous for its cyber-espionage operations and alleged state-sponsored links, has advanced its attack tactics in recent times, shifting from document stealers such as WooperStealer to advanced Python-based backdoors like AnonDoor malware. 

The testimony to this is the December 2024 campaign, which showed the gang’s highly advanced engineering methods, using phishing emails via malicious PowerPoint presentations (Document.ppsx) that showed "Corrupted Page” notification to victims. 

Attack tactic

“The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities. Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness,” FortiGuard Labs said.

The infected file consisted of embedded OLE objects that prompted a VBScript command from remote infrastructure, starting a malicious chain.

FortiGuard Labs discovered how this gang has attacked Office documents and infected LNK files to damage Windows systems throughout the South Asian region, including organizations in Pakistan. The attack tactic uses DLL side-loading; the malware imitates genuine Windows commands such as fixmapi.exe, to user directories for persistence. 

About LNK-based attacks

Earlier this year, Confucius moved to disguise infected LNK files as genuine documents such as “Invoice_Jan25.pdf.lnk.” These documents trigger PowerShell commands that install an infected DLL and fake PDF documents via remote servers, creating a disguised, authentic file access while building backdoor access.

These files execute PowerShell commands that download malicious DLLs and decoy PDF documents from remote servers, maintaining the illusion of legitimate file access while establishing backdoor access. The downloaded DLL makes persistence channels and creates Base64-coded remote host addresses for payload deployment. 

Findings

The study found that the final payload remained WooperStealer, modified to extract different file types such as archives, images, documents, and email files with different extensions.

One major development happened in August 2025 with AnonDoor, an advanced Python-based backdoor, different from older NET-based tools.

Plan forward

According to Fortinet, “the layered attack chain leverages encoded components, DLL side-loading, and scheduled task persistence to secure long-term access and exfiltrate sensitive data while minimizing visibility.” 

Organizations are advised to be vigilant against different attack tactics, as cyber criminal gangs keep evolving their methods to escape detection. 

Read more »
SunBird
APT Confucius Cyber Security Hornbill SunBird

Researchers Spotted Two Android Spyware Linked to Confucius

 

Researchers at cybersecurity firm Lookout have published information on two recently discovered Android spyware families utilized by an advanced persistent threat (APT) group named Confucius. Lookout said that two malware strains, named Hornbill and SunBird, have been linked to Confucius, a group thought to be state-sponsored and to have pro-India ties. 

First detected in 2013, Confucius has been linked to assaults against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies. “Hornbill and SunBird have both similarities and differences in the way they operate on an infected device” reads the report published by Lookout. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.” 

The team's analysis of the malware recommends that Hornbill is based on MobileSpy, a commercial stalker ware application for remotely observing Android gadgets that were retired in 2018. SunBird, however, seems to have a comparable codebase to BuzzOut, an old type of spyware created in India. Confucius was known to have utilized ChatSpy for surveillance purposes back in 2017, yet it is felt that both Hornbill and SunBird originated before this malware. There doesn't appear to be any new campaigns utilizing SunBird–accepted to have been in active development between 2016 and early 2019; in any case, Hornbill has been found in a rush of assaults dating from December 2020. 

Both malware variations, however, can steal information including gadget identifiers, call logs, WhatsApp voice notes, contact records, and GPS location information. Also, they can request administrator privileges on an undermined gadget, take screenshots and photographs, and record sound both when calls are taking place or just as environmental noise. SunBird's abilities go past Hornbill's as this malware is likewise ready to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and pictures. SunBird will likewise attempt to upload stolen information to a command-and-control (C2) server at more normal spans than Hornbill.
Read more »
Subscribe to: Posts (Atom)