Mallory
Malware · Used by 1 actor

WooperStealer

WooperStealer is a document-stealing infostealer used by the Confucius cyber-espionage group in campaigns targeting Pakistan. Fortinet/FortiGuard reporting describes it as a Windows payload delivered in several phishing-driven intrusion chains from at least December 2024 through March 2025, before Confucius shifted to the Python-based AnonDoor backdoor. Observed initial access vectors were a malicious .PPSX attachment carrying an embedded OLE object and, later, malicious .LNK files disguised as documents. In both chains the payload was loaded through DLL side-loading: a copied or renamed instance of the legitimate fixmapi.exe binary was executed next to a malicious mapistub.dll, which acted as the stager or loader. Reported renamed copies of fixmapi.exe included Swom.exe and BlueAle.exe.
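The side-loading pattern above (a legitimate fixmapi.exe, possibly renamed, dropped outside System32 next to a malicious mapistub.dll) is something a detection engineer can hunt for directly in endpoint telemetry. The following is an added example written for this page; it is not code from the Fortinet report or from Mallory. It models Sysmon Event ID 1 (ProcessCreate) and Event ID 7 (ImageLoaded) records as JSON-style dicts, and the field names used (EventID, Image, OriginalFileName, ImageLoaded, Signed, Signature, Host) as well as the sample events themselves are assumptions constructed for the example.

```python
"""Hunt for fixmapi.exe / mapistub.dll side-loading in Sysmon-style telemetry.

Added example; not code from the Fortinet report or the Mallory page.
The events below are constructed to resemble Sysmon Event ID 1 (ProcessCreate)
and Event ID 7 (ImageLoaded) records after JSON export. Field names are
assumptions to adjust for your own pipeline.
"""
import ntpath
from typing import Optional

# Directories where the genuine fixmapi.exe and mapistub.dll normally live.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _in_system_dir(path: str) -> bool:
    return ntpath.dirname(path.lower()) in SYSTEM_DIRS


def check_process_create(ev: dict) -> Optional[str]:
    """EID 1: the PE OriginalFileName says fixmapi.exe, but the binary runs
    from outside the system directories (a copied or renamed instance such
    as Swom.exe or BlueAle.exe). Returns a reason string or None."""
    if ev.get("EventID") != 1:
        return None
    if ev.get("OriginalFileName", "").lower() != "fixmapi.exe":
        return None
    image = ev.get("Image", "")
    if _in_system_dir(image):
        return None
    renamed = ntpath.basename(image).lower() != "fixmapi.exe"
    return (f"{'renamed ' if renamed else ''}fixmapi.exe executed "
            f"outside system dir: {image}")


def check_image_load(ev: dict) -> Optional[str]:
    """EID 7: mapistub.dll loaded from a non-system path and/or without a
    valid Microsoft signature; either one is a side-loading indicator."""
    if ev.get("EventID") != 7:
        return None
    loaded = ev.get("ImageLoaded", "")
    if ntpath.basename(loaded).lower() != "mapistub.dll":
        return None
    reasons = []
    if not _in_system_dir(loaded):
        reasons.append("non-system path")
    signed = str(ev.get("Signed", "")).lower() == "true"
    if not (signed and "microsoft" in ev.get("Signature", "").lower()):
        reasons.append("not Microsoft-signed")
    if not reasons:
        return None
    return (f"mapistub.dll side-load suspected ({', '.join(reasons)}): "
            f"{ev.get('Image', '?')} -> {loaded}")


def hunt(events) -> list:
    """Run both checks over an event stream; return (host, reason) hits."""
    hits = []
    for ev in events:
        for check in (check_process_create, check_image_load):
            reason = check(ev)
            if reason:
                hits.append((ev.get("Host", "?"), reason))
    return hits


# Constructed sample telemetry: two benign records from a clean host, and
# two records matching the reported tradecraft (renamed fixmapi.exe in
# %TEMP% loading an unsigned mapistub.dll sitting beside it).
SAMPLE_EVENTS = [
    {"Host": "ws01", "EventID": 1, "Image": r"C:\Windows\System32\fixmapi.exe",
     "OriginalFileName": "FIXMAPI.EXE"},
    {"Host": "ws02", "EventID": 1,
     "Image": r"C:\Users\victim\AppData\Local\Temp\Swom.exe",
     "OriginalFileName": "FIXMAPI.EXE"},
    {"Host": "ws02", "EventID": 7,
     "Image": r"C:\Users\victim\AppData\Local\Temp\Swom.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\mapistub.dll",
     "Signed": "false", "Signature": ""},
    {"Host": "ws01", "EventID": 7, "Image": r"C:\Windows\System32\fixmapi.exe",
     "ImageLoaded": r"C:\Windows\System32\mapistub.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

if __name__ == "__main__":
    for host, reason in hunt(SAMPLE_EVENTS):
        print(f"[{host}] {reason}")
```

Keying the process check on the PE OriginalFileName rather than the on-disk name is what catches the renamed copies; keying the DLL check on path and signature rather than on a hash catches a recompiled mapistub.dll that no IOC list has seen yet.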

In one chain WooperStealer was identified by the string "Class1.Wooper". It enumerates logical drives and collects a broad set of victim files, particularly documents, images, email data, and archives: reported targeted extensions included .pdf, .docx, .xlsx, .pst, .zip, .rar, .txt, .doc, .xls, .png, .jpeg, and .ppt, and Fortinet noted minor changes to this extension list in the March 2025 activity. Stolen data was exfiltrated to attacker-controlled infrastructure, including hxxp://marshmellowflowerscar[.]info. One observed variant sent HTTP POST parameters carrying a victim identifier built as <SerialNumber><ComputerName><UserName>, together with the file path and a file hash that let the server skip files it had already received.

Associated infrastructure, including delivery and staging domains, named in the reporting: greenxeonsr[.]info, cornfieldblue[.]info, hauntedfishtree[.]info, petricgreen[.]info, and marshmellowflowerscar[.]info. The campaigns were attributed to Confucius, a long-running South Asia-focused espionage actor active since at least 2013 that has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries, especially in Pakistan.
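The domains listed above are the most directly actionable part of the reporting. The following is an added example, not code from the Fortinet report or from Mallory, showing how to refang the published IOCs and match them against outbound web proxy records while avoiding two common mistakes: missing subdomains of a listed domain, and matching lookalike names by substring. The proxy log format (timestamp, client, method, URL, status, bytes out) and the log lines are constructed for this example; outbound POSTs are rated higher because the reported variant exfiltrated files by HTTP POST.

```python
"""Match the reported WooperStealer domains against proxy telemetry.

Added example; not code from the Fortinet report or the Mallory page.
The proxy log format and the sample lines below are constructed.
"""
import re
from typing import Optional
from urllib.parse import urlsplit

# Domains as published in the reporting, kept defanged in the source list.
REPORTED_DOMAINS = [
    "greenxeonsr[.]info",
    "cornfieldblue[.]info",
    "hauntedfishtree[.]info",
    "petricgreen[.]info",
    "hxxp://marshmellowflowerscar[.]info",
]


def refang(ioc: str) -> str:
    """Turn a defanged IOC (hxxp://, [.]) into a bare lowercase hostname."""
    s = ioc.strip().lower().replace("hxxp", "http").replace("[.]", ".")
    if "://" in s:
        s = urlsplit(s).hostname or ""
    return s.rstrip(".")


WATCHLIST = {refang(d) for d in REPORTED_DOMAINS}


def match_host(host: str) -> Optional[str]:
    """Return the watchlisted domain that `host` equals or is a subdomain of.
    A plain substring test would also fire on lookalikes such as
    notcornfieldblue.info, so the label boundary is enforced."""
    host = host.lower().rstrip(".")
    for dom in WATCHLIST:
        if host == dom or host.endswith("." + dom):
            return dom
    return None


# Constructed proxy log layout: ts client method url status bytes_out
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"
    r"(?P<status>\d{3})\s+(?P<bytes_out>\d+)$"
)


def scan_proxy_log(lines) -> list:
    """Flag requests to watchlisted domains; POSTs are rated high because
    the reported variant exfiltrated victim files by HTTP POST."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).hostname or ""
        dom = match_host(host)
        if dom is None:
            continue
        hits.append({
            "ts": m["ts"],
            "client": m["client"],
            "domain": dom,
            "method": m["method"],
            "bytes_out": int(m["bytes_out"]),
            "severity": "high" if m["method"] == "POST" else "medium",
        })
    return hits


# Constructed sample lines: one exfil-style POST, one subdomain hit, one
# lookalike that must not match, one unrelated request.
SAMPLE_LOG = """\
2025-03-12T09:14:02Z 10.0.5.23 POST http://marshmellowflowerscar.info/upload.php 200 184320
2025-03-12T09:14:05Z 10.0.5.23 GET http://cdn.hauntedfishtree.info/ 200 512
2025-03-12T09:15:10Z 10.0.5.40 GET http://notcornfieldblue.info/ 200 900
2025-03-12T09:16:00Z 10.0.5.41 GET https://www.example.com/ 200 2048
""".splitlines()

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        print(hit)
```

Large bytes_out on a POST to a listed domain is the signal to pivot on: the reported variant uploads whole files, so the matching client is a candidate for the endpoint hunt above, and its request bodies, if the proxy retains them, are where the <SerialNumber><ComputerName><UserName> identifier would appear.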


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.
Confucius

"One of the attack chains documented by Fortinet targeted users in Pakistan sometime in December 2024, tricking recipients into opening a .PPSX file, which then triggers the delivery of WooperStealer using DLL side-loading techniques."

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

1 distinct technique documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001 Spearphishing Attachment (evidence: 1)

"weaponized attachments distributed via phishing emails"; "phishing email contained a ZIP file"; "malicious ICS files"; "malicious SVG files"

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news.
