Security researchers have uncovered a new espionage campaign in which the China-aligned threat actor UnsolicitedBooker attacked telecommunications companies in Kyrgyzstan and Tajikistan, deploying two distinct backdoors, LuciDoor and MarsSnake.
Shift in Targeting Focus
The group's victim selection has shifted: earlier attacks hit organizations in Saudi Arabia, while the latest activity targets telecom operators in Central Asia.
Researchers have tracked the activity since March 2023 and assess the actor as China-aligned. It consistently uses tools of Chinese origin that are rarely seen elsewhere, and it shares code with other known China-aligned clusters.
Phishing as Entry Point
UnsolicitedBooker gains initial access through spear-phishing emails carrying malicious Office documents. The lure is a fake telecom tariff plan, and the document asks the victim to click "Enable Content", which turns on its macros.
Once macros run, hidden macro code drops the next stage. In the September 2025 attacks on Kyrgyzstan, a loader called LuciLoad dropped LuciDoor; the November 2025 attacks used MarsSnakeLoader instead. By January 2026 the emails had switched from attachments to embedded links.
LuciDoor Backdoor Details
LuciDoor is written in C++. After connecting to its command-and-control (C2) server it collects basic system information and sends it in encrypted form. The server replies with commands, which LuciDoor executes through cmd.exe; it can also write files to disk and upload files from the host. Together these give the operators persistent remote control of the machine.
MarsSnake Backdoor Details
MarsSnake offers similar capabilities: it harvests system metadata, executes arbitrary commands, and reads and writes any file on disk.
In some attacks MarsSnake was launched without a loader. A Windows shortcut (.lnk) disguised as a Word document started the chain, running batch and Visual Basic scripts that executed MarsSnake directly.
Infrastructure and Tool Origins
In some cases the attackers used compromised routers as C2 servers, and part of their infrastructure was set up to resemble Russian infrastructure. They alternated between LuciDoor and MarsSnake over the campaign, returning to LuciDoor in 2026.
The tooling points to Chinese origin and overlaps with other China-aligned groups: Deed RAT and Poison Ivy, for instance, appear in related clusters, which suggests shared resources.
ESET first documented UnsolicitedBooker in May 2025, after it attacked an international organization in Saudi Arabia. The group targets the government, telecom and legal sectors, with victims across Asia, Africa, the Middle East and Europe.
Its toolset also includes backdoors such as Chinoxy and BeRAT, which circulate among China-aligned actors, so the group fits a wider espionage pattern.
Prevention Strategies
Organizations can reduce these risks with layered defenses. First, disable macros by default in Office applications, for example through Group Policy, and train staff not to enable content in unexpected documents. Second, monitor continuously for unusual outbound connections, newly created scheduled tasks, and Office applications or explorer.exe spawning cmd.exe or script hosts, so that loaders and C2 traffic are caught early.
Block non-essential external links in documents, enforce strict script execution policies, and review logs regularly. These steps significantly lower the success rate of phishing-based backdoor campaigns like UnsolicitedBooker's.
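As an added example (not part of the original article, and not ESET's or the actor's code), the following Python script runs three detections over constructed Sysmon-style process-creation (Event ID 1) and network-connection (Event ID 3) events modelled on the two delivery chains described above: an Office application spawning a shell or script host (the macro path), the explorer.exe > cmd.exe > wscript.exe chain produced by a shortcut disguised as a document (the loader-less MarsSnake path), and an outbound connection from a binary in a user-writable directory (the kind of C2 beacon the monitoring advice aims to catch). The hostnames, paths, process IDs and IP addresses in the sample log are invented.

```python
import json
import ntpath

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Directories a phished user can write to; a beacon from one of these is far
# more suspicious than one from Program Files.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed Sysmon-style events (EventID 1 = process creation, 3 = network
# connection). Paths, PIDs and the documentation-range IPs are invented.
SAMPLE_LOG = r"""
{"EventID":1,"UtcTime":"2025-09-10 08:01:02","ProcessId":4120,"ParentProcessId":3980,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"WINWORD.EXE /n C:\\Users\\ana\\Downloads\\tariff_plan.doc"}
{"EventID":1,"UtcTime":"2025-09-10 08:01:20","ProcessId":4288,"ParentProcessId":4120,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"cmd.exe /c start /b C:\\Users\\ana\\AppData\\Local\\Temp\\ld.exe"}
{"EventID":1,"UtcTime":"2025-09-10 08:01:21","ProcessId":4300,"ParentProcessId":4288,"Image":"C:\\Users\\ana\\AppData\\Local\\Temp\\ld.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"C:\\Users\\ana\\AppData\\Local\\Temp\\ld.exe"}
{"EventID":3,"UtcTime":"2025-09-10 08:01:25","ProcessId":4300,"Image":"C:\\Users\\ana\\AppData\\Local\\Temp\\ld.exe","DestinationIp":"203.0.113.7","DestinationPort":443}
{"EventID":1,"UtcTime":"2025-11-03 09:15:00","ProcessId":5100,"ParentProcessId":3980,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe /c C:\\Users\\ana\\AppData\\Local\\Temp\\Contract.bat"}
{"EventID":1,"UtcTime":"2025-11-03 09:15:01","ProcessId":5120,"ParentProcessId":5100,"Image":"C:\\Windows\\System32\\wscript.exe","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"wscript.exe //B C:\\Users\\ana\\AppData\\Local\\Temp\\Contract.vbs"}
{"EventID":1,"UtcTime":"2025-11-03 10:00:00","ProcessId":6000,"ParentProcessId":3980,"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"cmd.exe"}
{"EventID":1,"UtcTime":"2025-11-03 10:00:05","ProcessId":6010,"ParentProcessId":6000,"Image":"C:\\Windows\\System32\\PING.EXE","ParentImage":"C:\\Windows\\System32\\cmd.exe","CommandLine":"ping 10.0.0.1"}
{"EventID":3,"UtcTime":"2025-11-03 10:01:00","ProcessId":7000,"Image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","DestinationIp":"198.51.100.20","DestinationPort":443}
"""


def _base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def parse(log_text):
    """One JSON object per non-empty line, in log order."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def hunt(log_text):
    """Return the alerts raised by the three rules, in event order."""
    events = parse(log_text)
    # PID -> creation event, so a child can check how its parent was started.
    by_pid = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    alerts = []
    for e in events:
        if e["EventID"] == 1:
            image, parent = _base(e["Image"]), _base(e["ParentImage"])
            # Rule 1 (macro path): an Office app spawning a shell or script host.
            if parent in OFFICE_APPS and image in INTERPRETERS:
                alerts.append({"rule": "office_spawns_interpreter",
                               "pid": e["ProcessId"], "time": e["UtcTime"],
                               "detail": e["CommandLine"]})
            # Rule 2 (shortcut path): explorer.exe > cmd.exe > wscript/cscript,
            # i.e. a double-clicked .lnk running a batch file that calls a VBS.
            if image in SCRIPT_HOSTS and parent == "cmd.exe":
                cmd = by_pid.get(e["ParentProcessId"])
                if cmd and _base(cmd["ParentImage"]) == "explorer.exe":
                    alerts.append({"rule": "explorer_cmd_scripthost_chain",
                                   "pid": e["ProcessId"], "time": e["UtcTime"],
                                   "detail": cmd["CommandLine"] + " -> " + e["CommandLine"]})
        elif e["EventID"] == 3:
            # Rule 3 (beaconing): outbound connection from a user-writable dir.
            if any(d in e["Image"].lower() for d in USER_WRITABLE):
                alerts.append({"rule": "outbound_from_user_writable_dir",
                               "pid": e["ProcessId"], "time": e["UtcTime"],
                               "detail": "%s -> %s:%s" % (e["Image"], e["DestinationIp"], e["DestinationPort"])})
    return alerts


if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(a["time"], a["rule"], "pid", a["pid"], "|", a["detail"])
```

Run against the sample it raises exactly three alerts, one per rule, while the benign explorer.exe > cmd.exe > ping.exe session and the browser's connection stay quiet. Rule 2 deliberately walks the parent chain through the recorded cmd.exe event rather than matching on the shortcut's file name, because the .lnk path usually never appears in the child's command line. Rule 3 is the noisiest of the three in production and should be combined with destination reputation or a process-signing check before it pages anyone.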