Confucius Cyber-Espionage Group Evolves Tactics with Advanced Python Backdoor
Cyber-espionage group Confucius, active since 2013, has evolved its tactics, shifting from document-focused stealers to advanced Python-based backdoors. Its latest tool, AnonDoor, provides long-term access and stealthy data exfiltration, with a focus on Pakistani targets.
Initially, Confucius used spear-phishing with malicious Office documents and LNK files to deliver WooperStealer, which stole sensitive files. To evade detection, the group employed methods such as DLL side-loading, obfuscated PowerShell scripts, scheduled tasks, and stealthy exfiltration routines. By mid-2025, Confucius began deploying AnonDoor, a Python backdoor offering long-term persistence and command execution.
AnonDoor can capture screenshots, list files, download data, and dump browser passwords. It also performs full host profiling, collecting system details, geolocating public IPs, and inventorying disk volumes before receiving commands from its C2 servers. This evolution demonstrates Confucius' technical agility, as it can quickly pivot between different malware families and delivery methods to sustain access.
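The behaviours listed above (scheduled tasks launching a script interpreter, PowerShell with encoded or hidden-window arguments, interpreters running out of user-writable directories) are the kind of thing a defender can hunt for in process-creation telemetry. The following is an added example written for this article, not code from the researchers who analysed AnonDoor; the log format, field names, file paths and the base64 payload are all constructed for illustration and are not indicators from the campaign.

```python
"""Hunt rules for scheduler-launched interpreters, encoded/hidden PowerShell and
interpreters running from user-writable paths, applied to constructed
process-creation records (key="value" pairs). Added example, not the page's code."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class ProcEvent:
    ts: str       # event timestamp
    parent: str   # parent process command line
    image: str    # full path of the new process
    cmdline: str  # command line of the new process


# Fields are key="value"; values may contain spaces and backslashes but no quotes.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line: str) -> ProcEvent:
    fields: Dict[str, str] = dict(_KV.findall(line))
    return ProcEvent(fields["ts"], fields["parent"], fields["image"], fields["cmdline"])


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


INTERPRETERS = {"python.exe", "pythonw.exe", "powershell.exe", "pwsh.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}
# Directories an unprivileged user can write to; interpreters rarely run scripts from here legitimately.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|programdata|temp)\\", re.I)
ENCODED_PS = re.compile(r"(^|\s)-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{8,}", re.I)
HIDDEN_PS = re.compile(r"(^|\s)-(w|win|windowstyle)\s+hidden", re.I)


def task_spawned_interpreter(ev: ProcEvent) -> bool:
    """Task Scheduler service (svchost -s Schedule, or taskeng.exe) starting a script interpreter."""
    scheduler = "taskeng.exe" in ev.parent.lower() or re.search(r"-s\s+schedule\b", ev.parent, re.I)
    return bool(scheduler) and basename(ev.image) in INTERPRETERS


def interpreter_from_user_writable(ev: ProcEvent) -> bool:
    """Interpreter binary, or the script it is given, located in a user-writable directory."""
    if basename(ev.image) not in INTERPRETERS:
        return False
    return bool(USER_WRITABLE.search(ev.image) or USER_WRITABLE.search(ev.cmdline))


def encoded_hidden_powershell(ev: ProcEvent) -> bool:
    """PowerShell launched with an encoded command and/or a hidden window."""
    if basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return False
    return bool(ENCODED_PS.search(ev.cmdline) or HIDDEN_PS.search(ev.cmdline))


RULES: List[Tuple[str, Callable[[ProcEvent], bool]]] = [
    ("task_spawned_interpreter", task_spawned_interpreter),
    ("interpreter_from_user_writable", interpreter_from_user_writable),
    ("encoded_hidden_powershell", encoded_hidden_powershell),
]


def hunt(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (timestamp, rule name) for every rule that fires on every record."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        for name, rule in RULES:
            if rule(ev):
                findings.append((ev.ts, name))
    return findings


# Constructed sample telemetry: one benign editor launch, one scheduler-launched
# Python from %AppData%, one encoded hidden PowerShell, one benign scheduled updater.
SAMPLE_LOG = [
    r'ts="2025-07-01T08:00:01Z" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\notepad.exe" cmdline="notepad.exe notes.txt"',
    r'ts="2025-07-01T08:05:12Z" parent="C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule" image="C:\Users\alice\AppData\Roaming\upd\pythonw.exe" cmdline="pythonw.exe C:\Users\alice\AppData\Roaming\upd\main.py"',
    r'ts="2025-07-01T08:05:13Z" parent="C:\Windows\explorer.exe" image="C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" cmdline="powershell.exe -nop -w hidden -enc QQBCAEMAIAB0AGUAcwB0AA=="',
    r'ts="2025-07-01T09:00:00Z" parent="C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule" image="C:\Program Files (x86)\Vendor\Updater.exe" cmdline="Updater.exe /silent"',
]

if __name__ == "__main__":
    for ts, name in hunt(SAMPLE_LOG):
        print(ts, name)
```

Each rule on its own is noisy (plenty of legitimate software runs scripts from scheduled tasks), so the value is in correlation: the second record fires two rules at once, which is the combination worth an analyst's attention, while the scheduled vendor updater in the last record fires none.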
Confucius' shift to advanced Python-based backdoors like AnonDoor indicates a clear evolution towards more durable, stealthy espionage operations. With a regional focus on Pakistan, the group continues to pose a significant threat to government agencies, defense contractors, and critical industries in South Asia.