
The Confucius APT group—long associated with cyber-espionage operations targeting government and military organizations in South and East Asia—has resurfaced with a newly upgraded attack chain. Researchers at Knownsec 404 Advanced Threat Intelligence Team have uncovered a sophisticated new modular backdoor framework dubbed “Anondoor”, designed to deliver customized espionage payloads and evade traditional sandbox detection.
“This weapon not only loaded the wooperstealer that was used in the ADS attack in 2024, but also upgraded the previous stage of the downloader Trojan to a componentized backdoor,” the report states.
Knownsec’s analysis reveals a sharp evolution in Confucius’s TTPs (tactics, techniques, and procedures). Unlike earlier campaigns that relied on basic download-and-execute Trojans, this iteration introduces:
- A new modular C# backdoor named “Anondoor”
- Dynamic, parameterized C2 infrastructure
- Sandbox evasion through on-demand component loading
- Embedded delivery of Wooperstealer, their custom credential-stealing tool
“The backdoor component is encapsulated in a C# DLL file and evaded sandbox detection by loading the specified method through invoke,” the report explains.
The campaign starts with a malicious .lnk file. When executed, it downloads multiple payloads:
- python313.dll → Anondoor backdoor
- BlueAle.exe → A renamed copy of the legitimate pythonw.exe; when launched it loads python313.dll from its own directory, so the malicious DLL is sideloaded and Anondoor runs inside a legitimate Python interpreter process
Anondoor then establishes persistence by creating a Windows scheduled task named SystemCheck that launches BlueAle.exe.
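The persistence step above leaves two durable artefacts on disk: a scheduled task named SystemCheck and an action that points at BlueAle.exe. The following script, added here as an example (it is neither Knownsec's nor the malware's code), triages exported Task Scheduler XML for exactly that combination. The task name, the binary name and the Task Scheduler XML namespace come from the report and from Windows; the "user-writable path" heuristic and the sample task exports are constructed assumptions.

```python
"""Triage exported Windows scheduled tasks for the persistence pattern described
above: a task named SystemCheck whose action launches BlueAle.exe (a renamed
pythonw.exe that sideloads python313.dll).  Added example; not Knownsec's code
or the malware's.  Export a task with:  schtasks /query /tn <name> /xml
"""
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace (fixed by Windows, not an assumption).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Indicators taken from the report.
SUSPECT_TASK_NAMES = {"systemcheck"}
SUSPECT_BINARIES = {"blueale.exe"}
# Heuristic (assumption, not from the report): a Python host binary started
# from a user-writable location rather than a Python install directory.
USER_WRITABLE_DIRS = ("\\temp\\", "\\appdata\\", "\\users\\public\\", "\\programdata\\")


def triage_task(task_name: str, task_xml: str) -> list[str]:
    """Return human-readable findings for one exported task (empty if clean)."""
    root = ET.fromstring(task_xml)
    findings = []
    if task_name.lower() in SUSPECT_TASK_NAMES:
        findings.append(f"task name '{task_name}' matches Anondoor persistence task")
    for exec_el in root.findall(".//t:Actions/t:Exec", NS):
        cmd_el = exec_el.find("t:Command", NS)
        if cmd_el is None or not cmd_el.text:
            continue
        cmd = cmd_el.text.strip().strip('"')
        low = cmd.lower()
        basename = low.rsplit("\\", 1)[-1]
        if basename in SUSPECT_BINARIES:
            findings.append(f"action launches known sideload host {basename}")
        if any(d in low for d in USER_WRITABLE_DIRS):
            findings.append(f"action binary lives in a user-writable path: {cmd}")
    return findings


def triage_exports(exports: dict[str, str]) -> dict[str, list[str]]:
    """Map task name -> findings for every exported task that produced any."""
    hits = {}
    for name, xml_text in exports.items():
        findings = triage_task(name, xml_text)
        if findings:
            hits[name] = findings
    return hits


# Constructed sample exports (not real captures).
MALICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\BlueAle.exe</Command></Exec>
  </Actions>
</Task>"""

BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    exports = {"SystemCheck": MALICIOUS_TASK, "SvcUpdate": BENIGN_TASK}
    for task, findings in triage_exports(exports).items():
        print(task)
        for finding in findings:
            print("  -", finding)
```

The task name is passed in by the caller because it is the key under which the task is registered rather than part of the exported action; on a real host, feed the script one export per task and treat any hit on the binary name or the task name as high confidence, and the path heuristic alone as a lead to check by hand.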
Once active, Anondoor collects detailed host system information, including:
- OS version
- Public and local IP
- Host and user names
- Disk layout and size
- System firmware UUID via the ACPI table
The collected fields are joined with the separator string uhhg$!!$ and sent to the attacker's server. A custom hash of this data produces a persistent UUID that identifies the victim device in all subsequent requests.
Instead of hardcoded URLs, Anondoor uses a dynamic retrieval process:
- It contacts the C2 with: autonbfgj=base64-encode(%UUID%+”[@]AutoDownload[@]”)
- The server responds with four delimited data blocks:
  - UUID
  - Download directive (e.g., “AutoDownload”)
  - Component URL metadata
  - Execution command (e.g., “start” or “stop”)
If the directive says to launch a component, Anondoor downloads it, loads it as a C# assembly and invokes the method Yretisdkjhsfkjfh by reflection (the “invoke” step noted above), passing in a long concatenated string of control data.
“The downloaded component is the previously exposed wooperstealer, and its functions have not undergone significant changes.”
Anondoor fetches its backdoor commands using the format: cuud=base64_encode(%UUID% + “$!!$khfgsh”).
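The three fixed strings the report gives (the uhhg$!!$ field separator, the [@]AutoDownload[@] suffix in the autonbfgj parameter, and the $!!$khfgsh suffix in the cuud parameter) survive base64 encoding unchanged in position, so a proxy or web-server log can be checked for both beacon types by decoding the parameter value and testing its tail. The script below is an added example, not code from Knownsec or from the malware; it assumes UTF-8 before base64, a request path and host the report does not give, and uses constructed access-log lines.

```python
"""Recognise Anondoor's two C2 beacons from the fixed strings in the report:
fingerprint fields joined with uhhg$!!$, and the base64-encoded parameters
autonbfgj = b64(UUID + "[@]AutoDownload[@]") and cuud = b64(UUID + "$!!$khfgsh").
Added example (not the report's or the malware's code).  Assumptions: UTF-8
text before base64, the request path/host (the report gives neither), and
the log lines, which are constructed.
"""
import base64
import re
from urllib.parse import parse_qs, urlencode, urlsplit

FP_SEP = "uhhg$!!$"                # separator between host-fingerprint fields
AUTO_MARK = "[@]AutoDownload[@]"   # suffix in the component-download request
CMD_MARK = "$!!$khfgsh"            # suffix in the backdoor command poll

BEACONS = {  # query parameter -> (trailing marker, label)
    "autonbfgj": (AUTO_MARK, "component-download"),
    "cuud": (CMD_MARK, "command-poll"),
}


def build_fingerprint(fields: list[str]) -> str:
    """Join the collected host fields the way the backdoor does before hashing."""
    return FP_SEP.join(fields)


def build_beacon_url(base_url: str, uuid: str, param: str) -> str:
    """Build the request a client would send; base_url is an assumption."""
    marker, _ = BEACONS[param]
    value = base64.b64encode((uuid + marker).encode("utf-8")).decode("ascii")
    return base_url + "?" + urlencode({param: value})


def classify_request(url: str):
    """Return {"kind", "uuid", "param"} if url carries an Anondoor beacon, else None."""
    qs = parse_qs(urlsplit(url).query)
    for param, (marker, label) in BEACONS.items():
        for value in qs.get(param, []):
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
            except (ValueError, UnicodeDecodeError):
                continue  # not base64 text at all: some unrelated parameter
            if decoded.endswith(marker):
                return {"kind": label, "uuid": decoded[: -len(marker)], "param": param}
    return None


_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def scan_log(lines: list[str]) -> list[dict]:
    """Run classify_request over the request field of combined-format log lines."""
    hits = []
    for line in lines:
        m = _REQ.search(line)
        if not m:
            continue
        target = m.group(1)
        if not target.startswith("http"):
            target = "http://x" + target  # dummy host; only the query string matters
        verdict = classify_request(target)
        if verdict:
            hits.append({"line": line.strip(), **verdict})
    return hits


# Constructed sample data (not a real capture).  The real UUID comes from the
# custom hash in the report; any fixed string stands in for it here.
VICTIM_UUID = "3f9c2b1a7e"
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Aug/2025:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.5 - - [12/Aug/2025:10:01:09 +0000] "GET '
    + build_beacon_url("/update.php", VICTIM_UUID, "autonbfgj") + ' HTTP/1.1" 200 612',
    '10.0.0.5 - - [12/Aug/2025:10:02:10 +0000] "GET '
    + build_beacon_url("/update.php", VICTIM_UUID, "cuud") + ' HTTP/1.1" 200 88',
    '10.0.0.7 - - [12/Aug/2025:10:02:11 +0000] "GET /search?cuud=aGVsbG8%3D HTTP/1.1" 404 0',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["kind"], hit["uuid"], hit["param"])
```

The decoder insists on valid base64 and on the exact trailing marker, so a benign parameter that happens to share the name (the last sample line) is not flagged; the price is that an operator who changes either marker in a new build is missed, which is why the parameter names alone are worth a lower-confidence rule alongside this one.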
The server responds with commands in a custom format that includes:
- Module ID
- Command type
- Download URL for backdoor component
If instructed, Anondoor downloads and executes additional C# modules on the fly. This architecture supports a wide range of espionage activities while maintaining a lightweight, stealthy initial footprint.
A key innovation is that component URLs and execution directives are supplied by the server at run time rather than hardcoded in the sample: a sandbox that cannot reach the live C2 never sees the later stages, and static analysis of a captured binary reveals little about the real infrastructure. The same design lets the attacker swap out backend infrastructure on demand, impeding traceability.
“Even if some components are captured, attackers can still hide the real C2 infrastructure, which greatly increases the difficulty of traceability and defense,” the report concludes.