Date: 10/06/2025
Severity: Medium
Summary
The Confucius group is a long-running cyber-espionage actor operating mainly in South Asia, with Pakistan as its primary target. Since it was first identified in 2013 the group has steadily upgraded its tooling, moving from document stealers such as WooperStealer to more capable implants, including the Python-based backdoor AnonDoor. The indicators and detection queries below cover the infrastructure and samples tied to that newer tooling.
Indicators of Compromise (IOC) List
Domains (command-and-control / delivery infrastructure):
marshmellowflowerscar.info
greenxeonsr.info
cornfieldblue.info
hauntedfishtree.info
petricgreen.info
bloomwpp.info
dropmicis.info
martkartout.info
SHA-256 hashes:
c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de
5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e
4206ab93ac9781c8367d8675292193625573c2aaacf8feeaddd5b0cc9136d2d1
8603b9fa8a6886861571fd8400d96a705eb6258821c6ebc679476d1b92dcd09e
24b06b5caad5b09729ccaffa5a43352afd2da2c29c3675b17cae975b7d2a1e62
13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1
06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6
11391799ae242609304ef71b0efb571f11ac412488ba69d6efc54557447d022f
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 (domain / URL match on web-proxy and DNS fields):
domainname like "greenxeonsr.info" or siteurl like "greenxeonsr.info" or url like "greenxeonsr.info" or domainname like "hauntedfishtree.info" or siteurl like "hauntedfishtree.info" or url like "hauntedfishtree.info" or domainname like "marshmellowflowerscar.info" or siteurl like "marshmellowflowerscar.info" or url like "marshmellowflowerscar.info" or domainname like "bloomwpp.info" or siteurl like "bloomwpp.info" or url like "bloomwpp.info" or domainname like "cornfieldblue.info" or siteurl like "cornfieldblue.info" or url like "cornfieldblue.info" or domainname like "petricgreen.info" or siteurl like "petricgreen.info" or url like "petricgreen.info" or domainname like "dropmicis.info" or siteurl like "dropmicis.info" or url like "dropmicis.info" or domainname like "martkartout.info" or siteurl like "martkartout.info" or url like "martkartout.info"
Detection Query 2 (file hash match on endpoint / EDR events):
sha256hash IN (
"8603b9fa8a6886861571fd8400d96a705eb6258821c6ebc679476d1b92dcd09e",
"5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e",
"4206ab93ac9781c8367d8675292193625573c2aaacf8feeaddd5b0cc9136d2d1",
"c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de",
"24b06b5caad5b09729ccaffa5a43352afd2da2c29c3675b17cae975b7d2a1e62",
"13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1",
"06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6",
"11391799ae242609304ef71b0efb571f11ac412488ba69d6efc54557447d022f"
)
Note: both queries match the literal strings listed above. Whether Query 1 also catches subdomains (for example a host under greenxeonsr.info), URL paths, or mixed-case hostnames depends on how the platform evaluates "like"; confirm the operator's semantics (exact, wildcard, or substring) before relying on the rule, and normalise hash fields to lower case if the source logs emit upper-case SHA-256 values, since Query 2 compares against lower-case literals.
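To show what the two queries actually test, here is an added, self-contained matcher that applies the same domain and hash rules to a handful of constructed log lines. This is illustrative code written for this page, not Gurucul's TDIR engine: the key=value log format, the field names and the sample records are assumptions, while the domains and hashes are copied from the IOC list above. It does hostname extraction and suffix matching (so subdomains of an IOC domain fire, but look-alike hosts that merely contain the string do not) and lower-cases hashes before comparison, and it keeps a naive substring check beside it so the difference between the two interpretations of "like" is visible on the same input.

```python
"""Apply the advisory's domain and SHA-256 IOCs to sample log records.

Added example for this page (not Gurucul TDIR code). Log format, field
names and the sample records are assumptions; IOC values are from the page.
"""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

# Domains and hashes copied from the IOC list in this advisory.
IOC_DOMAINS = {
    "marshmellowflowerscar.info", "greenxeonsr.info", "cornfieldblue.info",
    "hauntedfishtree.info", "petricgreen.info", "bloomwpp.info",
    "dropmicis.info", "martkartout.info",
}
IOC_SHA256 = {
    "c91917ff2cc3b843cf9f65e5798cd2e668a93e09802daa50e55a842ba9e505de",
    "5a0dd2451a1661d12ab1e589124ff8ecd2c2ad55c8f35445ba9cf5e3215f977e",
    "4206ab93ac9781c8367d8675292193625573c2aaacf8feeaddd5b0cc9136d2d1",
    "8603b9fa8a6886861571fd8400d96a705eb6258821c6ebc679476d1b92dcd09e",
    "24b06b5caad5b09729ccaffa5a43352afd2da2c29c3675b17cae975b7d2a1e62",
    "13ca36012dd66a7fa2f97d8a9577a7e71d8d41345ef65bf3d24ea5ebbb7c5ce1",
    "06b8f395fc6b4fda8d36482a4301a529c21c60c107cbe936e558aef9f56b84f6",
    "11391799ae242609304ef71b0efb571f11ac412488ba69d6efc54557447d022f",
}

# Constructed sample records (assumed key=value proxy / DNS / EDR format).
SAMPLE_LOGS = [
    'ts=2025-10-06T08:01:12Z type=proxy src=10.0.0.12 url="https://cdn.greenxeonsr.info/update/stage2.py"',
    'ts=2025-10-06T08:01:13Z type=dns src=10.0.0.12 domainname=GreenXeonsR.INFO',
    'ts=2025-10-06T08:02:05Z type=proxy src=10.0.0.31 url="https://example.com/?ref=greenxeonsr.info"',
    'ts=2025-10-06T08:03:40Z type=edr host=WS-07 sha256hash=C91917FF2CC3B843CF9F65E5798CD2E668A93E09802DAA50E55A842BA9E505DE',
    'ts=2025-10-06T08:03:41Z type=edr host=WS-08 sha256hash=' + "0" * 64,  # placeholder, not an IOC
    'ts=2025-10-06T08:04:10Z type=dns src=10.0.0.44 domainname=notgreenxeonsr.info',
]

_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> Dict[str, str]:
    """Parse key=value pairs; values may be double-quoted."""
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _KV.finditer(line)}


def host_of(value: str) -> str:
    """Lower-cased hostname from a URL or a bare domain string."""
    v = value.strip().lower()
    if "://" in v:
        return urlsplit(v).hostname or ""
    return v.split("/", 1)[0].split(":", 1)[0]


def domain_matches(host: str) -> Optional[str]:
    """Exact or subdomain match against IOC_DOMAINS; returns the IOC hit."""
    host = host.rstrip(".")
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def substring_hit(value: str) -> bool:
    """Naive 'contains' check, i.e. what a wildcard LIKE would do."""
    v = value.lower()
    return any(ioc in v for ioc in IOC_DOMAINS)


def check_record(rec: Dict[str, str]) -> List[str]:
    """Apply Query 1 (domain fields) and Query 2 (sha256hash) to one record."""
    hits: List[str] = []
    for field in ("domainname", "siteurl", "url"):
        if field in rec:
            ioc = domain_matches(host_of(rec[field]))
            if ioc:
                hits.append(f"domain:{ioc} via {field}")
    h = rec.get("sha256hash", "").strip().lower()
    if h in IOC_SHA256:
        hits.append(f"sha256:{h}")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Return (index, hits) for every line that matches at least one rule."""
    results = []
    for i, line in enumerate(lines):
        hits = check_record(parse_kv(line))
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOGS):
        print(f"line {idx}: {', '.join(hits)}")
```

Records 0, 1 and 3 fire: the subdomain cdn.greenxeonsr.info, the mixed-case DNS query, and the upper-case hash. Record 2 (the IOC string only in a query parameter) and record 5 (the look-alike notgreenxeonsr.info) do not fire on the hostname rule but would under the naive substring check, which is the ambiguity the note above the queries refers to.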
Reference:
https://www.fortinet.com/blog/threat-research/confucius-espionage-from-stealer-to-backdoor