
The notorious Confucius cyber espionage group, first identified by security vendors in 2016 and believed to have been active since at least 2013, has escalated its activities targeting government and military entities across South Asia and East Asia.
Recent investigations by the Knownsec 404 Advanced Threat Intelligence Team have uncovered a newly developed modular backdoor technique in the group’s arsenal, marking a significant evolution from their earlier, less sophisticated attack chains.
Anondoor: A New Layer of Stealth and Persistence
In their latest campaign, Confucius has been observed using a multi-stage attack chain that demonstrates advanced persistence and stealth capabilities.
The infection sequence begins with a malicious LNK file, which, when executed, downloads several components from the attacker’s infrastructure.
Among the downloaded files, “python313.dll” stands out as the core of the new modular backdoor system, dubbed “anondoor” by researchers, while “BlueAle.exe” masquerades as a legitimate Python executable to avoid detection.
Unlike previous iterations, where persistence mechanisms resided in simple scripts (for example, creating startup registry keys), this new approach embeds persistence within the downloader Trojan itself.
BlueAle.exe is registered as a scheduled task named “SystemCheck,” ensuring that malicious activity survives system reboots and continues running with minimal visibility.
Stealer-as-a-Service
A defining innovation in this campaign is the tight coupling between the anondoor backdoor and a familiar data-stealing payload known as WooperStealer, which featured previously in high-profile attacks such as the 2024 ADS incident.
Rather than hardcoding command and control (C2) addresses within WooperStealer, the attackers now relay this crucial information dynamically through anondoor parameters, making static analysis and blocking of C2 infrastructure significantly more challenging.
Upon execution, anondoor initiates comprehensive system reconnaissance, harvesting host operating system details, network information, disk statistics, and unique identifiers derived from system firmware and user data.
This telemetry is then encoded and exfiltrated to attacker-controlled servers, assisting in victim profiling and further staging of attacks.
Subsequent payloads, including WooperStealer, are fetched only if the server issues a specific command.
Each component is loaded dynamically, with communication endpoints and operational instructions passed as parameters via the anondoor loader.
Crucially, each module is encapsulated in a C# DLL whose key methods are invoked on demand, frustrating traditional sandbox environments and detection technologies.
The sophisticated command-and-control protocol implemented within anondoor enables the attackers to modularly orchestrate their backdoor’s capabilities.
Command formats are carefully obfuscated and base64-encoded, with specific “module_id” and “commandType” identifiers, further shielded by unique parameters and download URLs.
Notably, the correct execution of each function relies on downloading additional modules, hampering both static and behavioral analysis while allowing the attacker to update or disable functionalities remotely.
Researchers note that, as of the latest analysis, antivirus detection for these components remains negligible, underlining the advanced evasion techniques employed by Confucius.
The organization’s adoption of parameterized C2 channels and reliance on dynamic method invocation in modular DLLs not only complicates attribution and shutdown of their infrastructure but also demonstrates a marked progression in technical sophistication.
With Confucius regularly targeting national defense, government, and critical infrastructure sectors, defenders are urged to monitor for suspicious task scheduling, analyze anomalous DLL loading behaviors, and update their threat intelligence feeds with indicators from this campaign.
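As an added illustration of the scheduled-task and DLL-load monitoring recommended above (example code, not from the Knownsec report or the article), the following Python script runs two heuristic rules over constructed log events: a task action launched from a user-writable directory, and python313.dll loaded by a process other than the Python interpreter. The simplified JSON event shape, field names and sample paths are assumptions made for the example.

```python
import json
import re
# Constructed sample events in a simplified JSON-lines shape (an assumption for
# this example): Windows Security event 4698 (scheduled task created) and
# Sysmon event 7 (image loaded). Paths and task names are illustrative only.
SAMPLE_EVENTS = r"""
{"event_id": 4698, "task_name": "\\SystemCheck", "command": "C:\\Users\\alice\\AppData\\Local\\Temp\\BlueAle.exe"}
{"event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag", "command": "%windir%\\system32\\defrag.exe"}
{"event_id": 7, "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\BlueAle.exe", "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\python313.dll"}
{"event_id": 7, "image": "C:\\Program Files\\Python313\\python.exe", "image_loaded": "C:\\Program Files\\Python313\\python313.dll"}
"""

# Directories a standard user can write to; a task action or DLL living here is suspicious.
USER_WRITABLE = re.compile(r"\\(appdata|temp|users\\public|programdata|downloads)\\|%temp%", re.I)
# The only images that should legitimately host the CPython runtime DLL.
PYTHON_HOST = re.compile(r"\\pythonw?\.exe$", re.I)

def check_scheduled_task(ev):
    """Flag a 4698 event whose task action runs from a user-writable directory."""
    if ev.get("event_id") != 4698:
        return None
    if USER_WRITABLE.search(ev["command"]):
        return f"persistence: task {ev['task_name']} runs {ev['command']} from a user-writable path"
    return None

def check_python_dll_load(ev):
    """Flag python313.dll loaded by a non-Python host process or from a user-writable path."""
    if ev.get("event_id") != 7:
        return None
    loaded = ev["image_loaded"]
    if not loaded.lower().endswith("\\python313.dll"):
        return None
    if not PYTHON_HOST.search(ev["image"]) or USER_WRITABLE.search(loaded):
        return f"anomalous dll load: {ev['image']} loaded {loaded}"
    return None

def scan(jsonl):
    """Run both rules over JSON-lines input and return the alert strings in order."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        for rule in (check_scheduled_task, check_python_dll_load):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Only the BlueAle.exe task and its python313.dll load are reported; the built-in Defrag task and the genuine interpreter load pass both rules.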
Indicators of Compromise (IOC)
| Type | Value |
|---|---|
| HASH | abefd29c85d69f35f3cf8f5e6a2be76834416cc43d87d1f6643470b359ed4b1b |
The post Confucius Hackers Deploy WooperStealer Malware in Attacks on Government and Military Sectors appeared first on Cyber Security News.
