Confucius Windows espionage campaign shifts to Python backdoors
Campaign
Summary
Confucius shifted its Windows espionage campaign from document stealers to Python-based backdoors, expanding its ability to persist and steal data. The operation targeted government agencies, defense contractors, and critical industries across South Asia, especially Pakistan. The change matters because the new tooling supports long-term access, command execution, and browser-password dumping.
Related Happenings
Webworm multi-country targeting campaign against government and enterprise victims
Campaign
First: 20.05.2026 15:51
Last: 20.05.2026 15:51
Sources 1
About this happening:
**Webworm** is running a **multi-country targeting campaign** against **government agencies and enterprises**, expanding the risk of persistent access across several regions. The...
Major South Korean electronics manufacturer hit by data theft breach
Incident
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
A **major South Korean electronics manufacturer** suffered a **week-long intrusion** in **February 2026**, giving attackers time to conduct **reconnaissance**, **credential theft*...
MuddyWater broad cyber-espionage campaign across sectors and countries
Campaign
First: 14.05.2026 00:59
Last: 14.05.2026 00:59
Sources 1
About this happening:
**MuddyWater** was tied to a **2026 espionage campaign** affecting **at least nine organizations** across **nine countries** on **four continents**, with victims in **industrial a...
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
GopherWhisper China-aligned APT campaign targeting Mongolian government institutions
Campaign
First: 23.04.2026 12:04
Last: 23.04.2026 12:04
Sources 1
About this happening:
The **GopherWhisper** campaign is a **China-aligned APT operation** targeting **Mongolian governmental institutions**, and it now appears to extend beyond a single compromise to *...
Timeline
- 02.10.2025 16:45 · 2 articles · 7mo ago
FortiGuard Labs reports Confucius Windows campaign shift to Python backdoors
Technical Analysis Update: FortiGuard Labs reports that Confucius, a long-running cyber-espionage group targeting Microsoft Windows users in South Asia, shifted from WooperStealer-style document theft to AnonDoor Python backdoors. The group’s observed attack chains used spear-phishing with malicious Office documents and LNK files, DLL side-loading, obfuscated PowerShell scripts, and scheduled tasks to maintain persistence and evade detection, while targeting government agencies, defense contractors, and critical industries in Pakistan. The observed operations spanned December 2024 to August 2025.
- Confucius Shifts from Document Stealers to Python Backdoors — www.infosecurity-magazine.com — 02.10.2025 16:45