AnonDoor
AnonDoor is a Python-based backdoor used by the Confucius cyber-espionage group in campaigns observed in 2025, particularly against targets in Pakistan. Reporting describes it as part of Confucius’ shift from document-stealing payloads such as WooperStealer toward longer-term monitoring, persistence, and interactive post-compromise access. Confucius is a long-running South Asia-focused espionage actor active since at least 2013 and has repeatedly targeted government agencies, military organizations, defense contractors, and critical industries, especially in Pakistan.
In the observed August 2025 intrusion chain, AnonDoor was delivered via malicious LNK attachments disguised as PDF documents, including NLC.pdf.lnk. The infection flow used DLL side-loading with a renamed copy of the legitimate Windows utility fixmapi.exe (e.g., BlueAle.exe) to load a malicious DLL, python313.dll. That DLL created a temporary PowerShell script, installed Scoop, configured a Python runtime, downloaded a Python bytecode payload from bloomwpp.info, and wrote it as %LOCALAPPDATA%\winresume.pyc with hidden attributes. Persistence was established through a scheduled task named NetPolicyUpdate that executed %USERPROFILE%\scoop\apps\python\current\pythonw.exe with winresume.pyc every 5 minutes.
AnonDoor performs host and network fingerprinting, including collection of system information, hardware UUID via "wmic csproduct get uuid", public IP discovery through services such as api.ipify.org, ipinfo.io/ip, icanhazip.com, and ifconfig.me/ip, and geolocation through ip-api.com and ipwhois.app. It inventories storage and enumerates drives, and one report notes use of GetDiskFreeSpaceExW and drive enumeration from A to Z. The malware contacts its command-and-control server and supports tasking including command execution, screenshot capture, file and directory listing, file download, folder download, and basic host information collection. Reporting also states it can dump browser credentials, with references to password theft from Firefox and Edge via additional Python tooling; one source also mentions Chrome password dumping. A timestamp file, %TEMP%\wctDD1A.tmp, was used to limit heavier tasks to no more than once every 6 minutes.
Associated infrastructure and indicators mentioned in the reporting include bloomwpp.info as delivery infrastructure for the Python-stage components, and broader campaign IOCs including marshmellowflowerscar.info, greenxeonsr.info, cornfieldblue.info, hauntedfishtree.info, petricgreen.info, dropmicis.info, and martkartout.info. The payload file winresume.pyc is specifically identified as the AnonDoor backdoor.
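The intrusion chain and indicators above translate directly into hunting logic. The following is an added example, not code from the original reporting or from any vendor tool: it matches endpoint telemetry records against the named indicators (the NetPolicyUpdate task, pythonw.exe run from the Scoop path with winresume.pyc, python313.dll loaded by a host that is not a Python interpreter, the wmic UUID query, and the campaign domains). The event schema (a dict with a type field and a few path/command fields) and the sample events are constructed for the example and are assumptions; map them onto your own Sysmon or EDR field names.

```python
"""Hunt for AnonDoor indicators in endpoint telemetry (added example).

Events are plain dicts with a 'type' of task_create, process_create,
image_load or dns_query; the field names are an assumption for this
example, not a real product schema.
"""
from typing import Iterable

# Domains named in the reporting (delivery and broader campaign infrastructure).
IOC_DOMAINS = {
    "bloomwpp.info", "marshmellowflowerscar.info", "greenxeonsr.info",
    "cornfieldblue.info", "hauntedfishtree.info", "petricgreen.info",
    "dropmicis.info", "martkartout.info",
}
# Indicators from the described intrusion chain.
TASK_NAME = "netpolicyupdate"
PAYLOAD_NAME = "winresume.pyc"
SIDELOADED_DLL = "python313.dll"
SCOOP_PYTHON_DIR = "\\scoop\\apps\\python\\"
PYTHON_HOSTS = {"python.exe", "pythonw.exe"}


def _base(path: str) -> str:
    # Lower-cased basename of a Windows path; os.path.basename does not split on '\' on POSIX.
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> list[str]:
    """Return the indicator names an event matches (empty list if none)."""
    hits = []
    kind = ev.get("type")
    if kind == "task_create":
        if ev.get("task_name", "").lower() == TASK_NAME:
            hits.append("scheduled task NetPolicyUpdate")
        action = ev.get("action", "").lower()
        if "pythonw.exe" in action and PAYLOAD_NAME in action:
            hits.append("task runs pythonw.exe with winresume.pyc")
    elif kind == "process_create":
        image = ev.get("image", "")
        cmdline = ev.get("command_line", "").lower()
        if _base(image) == "pythonw.exe" and PAYLOAD_NAME in cmdline:
            hits.append("pythonw.exe executing winresume.pyc")
        if SCOOP_PYTHON_DIR in image.lower() and _base(image) in PYTHON_HOSTS:
            hits.append("Scoop-installed Python interpreter")  # weak on its own
        if _base(image) == "wmic.exe" and "csproduct get uuid" in cmdline:
            hits.append("hardware UUID fingerprinting via wmic")  # noisy on its own
    elif kind == "image_load":
        # Side-load heuristic: python313.dll is expected inside a Python interpreter,
        # not inside a renamed copy of fixmapi.exe such as BlueAle.exe.
        loader = _base(ev.get("image", ""))
        if _base(ev.get("loaded_image", "")) == SIDELOADED_DLL and loader not in PYTHON_HOSTS:
            hits.append(f"python313.dll loaded by non-Python host {loader}")
    elif kind == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if q in IOC_DOMAINS or any(q.endswith("." + d) for d in IOC_DOMAINS):
            hits.append(f"DNS query for campaign domain {q}")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[int, list[str]]]:
    """Scan events in order; return (index, hits) for every event that matched."""
    return [(i, h) for i, ev in enumerate(events) if (h := check_event(ev))]


# Constructed sample telemetry mirroring the described chain, plus two benign records.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\alice\Downloads\BlueAle.exe",
     "command_line": "BlueAle.exe"},
    {"type": "image_load", "image": r"C:\Users\alice\Downloads\BlueAle.exe",
     "loaded_image": r"C:\Users\alice\Downloads\python313.dll"},
    {"type": "dns_query", "query": "bloomwpp.info"},
    {"type": "task_create", "task_name": "NetPolicyUpdate",
     "action": r"C:\Users\alice\scoop\apps\python\current\pythonw.exe C:\Users\alice\AppData\Local\winresume.pyc"},
    {"type": "process_create", "image": r"C:\Users\alice\scoop\apps\python\current\pythonw.exe",
     "command_line": r"pythonw.exe C:\Users\alice\AppData\Local\winresume.pyc"},
    {"type": "process_create", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "command_line": "wmic csproduct get uuid"},
    {"type": "dns_query", "query": "example.com"},                       # benign
    {"type": "process_create", "image": r"C:\Program Files\Python313\python.exe",
     "command_line": "python.exe script.py"},                            # benign
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(hits))
```

The wmic and Scoop-interpreter matches are weak signals in isolation (developers install Python through Scoop, and inventory tools run wmic); they become useful when they co-occur with the task name, the .pyc path, or the side-load pattern on the same host within a short window.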
Groups observed using it
1 distinct threat actor attributed by public researchers.
Techniques & procedures
2 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Python-based backdoor used in campaigns targeting multiple Southeast Asian countries.
Advanced Python backdoor (as described in the title).
Python-based backdoor deployed via LNK attachment and staged DLL sideloading, then persistence via scheduled task executing pythonw.exe with a downloaded .pyc. Capabilities include host fingerprinting/geolocation, drive enumeration, command execution, screenshot capture, file download/exfiltration, and fetching additional Python tools for browser credential theft (Firefox/Edge).
Python-based backdoor used in a Confucius APT campaign targeting Pakistan (delivered via spear-phishing per the content).