Tuesday, March 17, 2026

Confucius Hackers Targeting Governments & Militaries with Wooperstealer

A persistent cyber threat group known as Confucius, active since at least 2013 and first publicly documented by foreign security vendors in 2016, continues to evolve its tradecraft and is now deploying a modular backdoor together with the data-stealing malware dubbed “Wooperstealer.”

Over the years the group’s targets have included government agencies, military units and critical industries, primarily across South Asia and East Asia, and, more recently, organizations within its own borders.

The latest findings from the Knownsec 404 Advanced Threat Intelligence Team reveal that Confucius is using a newly weaponized backdoor that refers to itself internally by the string “anon,” and which the researchers have therefore named “anondoor.”

What makes this malware notable is that persistence is now handled by a componentized backdoor itself, replacing the group’s earlier approach in which initial-stage scripts were responsible for keeping the implant running.

Technical Innovation: Modularity and Evasion

The new tooling marks a step from simple downloaders to a multi-component backdoor architecture.

In the recent attacks observed by the researchers, persistence is no longer managed by the initial-stage script (for example, a .LNK file that writes a registry autostart entry) but directly by anondoor, the upgraded downloader Trojan.

Anondoor orchestrates the download and execution of payloads, including the Wooperstealer component, whose server configuration is supplied as a parameter at runtime rather than compiled into the binary.

Because the malware never embeds a hard-coded command-and-control (C2) address, static string extraction and C2 indicator lists built from the sample alone turn up nothing, which makes traditional signature- and IOC-based detection less effective.

The malware also maintains persistence by creating a scheduled task named “SystemCheck,” and it injects into legitimate processes such as Python’s pythonw.exe.

Once installed, anondoor collects a wide array of host information: OS version, public and private IP addresses, host name, disk details and even firmware data, from which it derives a unique hash-based identifier used to track each victim.

Sophisticated C2 and Defense Evasion

Confucius’s latest toolkit also introduces a parameterized C2 communication mechanism: the backdoor’s functions are not present in the initial binary and are loaded and executed only after the required modules have been downloaded from the server.

Each instruction the backdoor receives is parsed and dispatched in a modular fashion; a command specifies a module ID, a command type, the command data and a URL from which further components can be fetched.

These design choices let the attackers keep their real infrastructure hidden and swap out components quickly if some of them are exposed.

Notably, the backdoor components are packaged as C# DLLs that are loaded dynamically at runtime through .NET reflection, which makes detection by antivirus software or sandboxes considerably harder.
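The persistence chain described earlier (a “SystemCheck” scheduled task, a pythonw.exe host process, a server configuration handed over as a runtime parameter) and the reflective loading of C# DLLs just mentioned both leave behavioral traces even when the binary itself carries no C2 string. The following is an added example from the editor, not code from the Knownsec report or from the malware, showing how a defender might hunt for that chain in endpoint telemetry. It runs over constructed, simplified Sysmon-style and Windows Security event records; the host names, PIDs, file paths, script name and the 198.51.100.23 and 203.0.113.10 addresses are all made up for illustration. Two heuristics are assumptions rather than findings from the report: that a runtime-supplied server configuration shows up as a URL or IP literal on the command line, and that a plain Python process loading the .NET runtime (clr.dll and friends) is a usable indicator of reflective C# assembly loading.

```python
# Added example: hunting for the anondoor persistence chain in Sysmon-style events.
# Not the Knownsec report's code and not the malware; all hosts, paths, PIDs and
# addresses below are constructed sample data.
import re
from collections import defaultdict

# A URL or a dotted-quad IP literal on the command line, assumed to be how a
# runtime-supplied server configuration would surface in process telemetry.
URL_OR_IP = re.compile(r"https?://\S+|\b(?:\d{1,3}\.){3}\d{1,3}\b", re.IGNORECASE)

# .NET runtime images; a plain Python host process loading one of these is the
# heuristic used here for reflective C# assembly loading (an assumption).
CLR_IMAGES = {"clr.dll", "mscoree.dll", "coreclr.dll"}

# Constructed Sysmon/Security events. id 4698 = scheduled task created,
# 1 = process create, 7 = image load, 3 = network connection.
SAMPLE_EVENTS = [
    {"id": 4698, "host": "WS01", "task": r"\SystemCheck"},
    {"id": 1, "host": "WS01", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "cmdline": r"pythonw.exe C:\Users\alice\AppData\Roaming\svc.py http://198.51.100.23/api/ 7d3f"},
    {"id": 7, "host": "WS01", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "loaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"},
    {"id": 3, "host": "WS01", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe",
     "dst": "198.51.100.23", "dport": 80},
    # Benign developer activity on a second host: no URL in the command line,
    # a normal Microsoft task, and a pip-style connection without other evidence.
    {"id": 4698, "host": "WS02", "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag"},
    {"id": 1, "host": "WS02", "pid": 900, "image": r"C:\Python311\pythonw.exe",
     "cmdline": "pythonw.exe build.py --jobs 4"},
    {"id": 3, "host": "WS02", "pid": 900, "image": r"C:\Python311\pythonw.exe",
     "dst": "203.0.113.10", "dport": 443},
]


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of either separator."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return a list of findings; each has host, rule, severity and detail."""
    findings = []
    evidence = defaultdict(set)   # (host, pid) -> set of evidence tags

    for ev in events:
        host, eid = ev["host"], ev["id"]
        if eid == 4698 and basename(ev["task"]) == "systemcheck":
            findings.append({"host": host, "rule": "task_systemcheck",
                             "severity": "medium", "detail": ev["task"]})
            continue
        if basename(ev.get("image", "")) != "pythonw.exe":
            continue
        key = (host, ev["pid"])
        if eid == 1:
            m = URL_OR_IP.search(ev["cmdline"])
            if m:
                evidence[key].add("c2_arg")
                findings.append({"host": host, "rule": "pythonw_c2_in_cmdline",
                                 "severity": "medium", "detail": m.group(0)})
        elif eid == 7 and basename(ev["loaded"]) in CLR_IMAGES:
            evidence[key].add("clr_load")
            findings.append({"host": host, "rule": "pythonw_loads_clr",
                             "severity": "medium", "detail": basename(ev["loaded"])})
        elif eid == 3:
            evidence[key].add("net")   # only meaningful together with other evidence

    # Escalate when one process shows a runtime-supplied server argument
    # plus either CLR loading or an outbound connection.
    for (host, pid), tags in evidence.items():
        if "c2_arg" in tags and tags & {"clr_load", "net"}:
            findings.append({"host": host, "rule": "anondoor_chain", "severity": "high",
                             "detail": f"pid {pid}: {', '.join(sorted(tags))}"})
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(f"{finding['severity']:6} {finding['host']} {finding['rule']}: {finding['detail']}")
```

On the constructed data the script raises four findings, all on WS01, and escalates PID 4120 to high severity because the command-line server argument, the CLR load and the outbound connection all land on the same process; WS02’s pythonw.exe, which also talks to the network, produces nothing because no other evidence corroborates it. The point is the correlation: any single rule here is noisy on a developer workstation, but the combination mirrors the behavior the report describes and does not depend on a C2 address ever being present in the binary.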

At the time of the report, detection rates for this framework stood at zero, underlining the technical sophistication and operational discipline of the Confucius group.

In summary, Confucius has moved rapidly from simple malware deployment to a modular, orchestrated cyberespionage platform, posing a significant threat to government and critical-infrastructure targets in Asia and potentially beyond.

The group’s continued investment in evasion techniques and modular malware design means defenders must keep adapting to stay level with it.

The researchers advise heightened vigilance and a reliance on behavioral rather than signature-based defenses: with components fetched on demand and the C2 configuration supplied only at runtime, there is little in the sample itself for a static signature to match.

IOC

SHA-256:

abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b
