A sophisticated cyber espionage group known as UnsolicitedBooker has dramatically shifted its operational focus, moving from its traditional targets in Saudi Arabia to critical telecommunications infrastructure in Central Asia. Recent intelligence from Positive Technologies reveals that companies in Kyrgyzstan and Tajikistan are now in the crosshairs, facing a barrage of attacks deploying two potent backdoors: LuciDoor and MarsSnake.
A Strategic Pivot: From Riyadh to Bishkek
First brought to light by ESET in May 2025 for its attacks on an international organization in Saudi Arabia using the MarsSnake backdoor, UnsolicitedBooker has been active since at least March 2023. Historically, the China-aligned threat actor has cast a wide net across Asia, Africa, and the Middle East. However, the latest campaign signifies a deliberate geographical reorientation, concentrating its efforts on the vital telecom sectors of Kyrgyzstan and Tajikistan.
Further analysis has also uncovered tactical overlaps with other known clusters, including ‘Space Pirates’ and an unnamed campaign that previously targeted Saudi Arabia with a backdoor known as ‘Zardoor’. This points to shared tooling or methodology, and possibly direct collaboration, among these clusters.
Unmasking the Arsenal: LuciDoor and MarsSnake
The LuciDoor Offensive
The recent attacks on Kyrgyz organizations, observed in late September 2025, began with phishing emails carrying malicious Microsoft Office documents disguised as telecom provider tariff plans. Recipients were prompted to click “Enable Content”, which ran a malicious macro. The macro deployed ‘LuciLoad’, a C++ malware loader, which in turn dropped the ‘LuciDoor’ backdoor.
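The macro-to-loader chain described above leaves a recognisable trace in process-creation telemetry: a command or script interpreter whose parent (or grandparent) is an Office application. The following is an added detection example, not code from the article or from Positive Technologies; the event records, process names and command lines are constructed in the shape of Sysmon Event ID 1 / EDR process-creation logs, and the file names in them are hypothetical.

```python
"""Flag script/command interpreters whose process ancestry leads back to an
Office application, the pattern a macro-launched loader leaves in process
creation telemetry. Added example; events below are constructed, not real."""
import ntpath

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return ntpath.basename(path).lower()


def detect_office_spawn(events, max_depth=3):
    """Return (interpreter pid, office ancestor pid, chain) for every interpreter
    that has an Office process within max_depth ancestors. Walking more than one
    level catches winword -> cmd -> wscript as well as a direct spawn."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) not in INTERPRETERS:
            continue
        chain = [basename(e["image"])]
        cur, depth = e, 0
        while depth < max_depth and cur["ppid"] in by_pid:
            cur = by_pid[cur["ppid"]]
            chain.append(basename(cur["image"]))
            if basename(cur["image"]) in OFFICE:
                alerts.append((e["pid"], cur["pid"], " <- ".join(chain)))
                break
            depth += 1
    return alerts


# Constructed telemetry (hypothetical pids, paths and file names): a benign print
# helper spawned by Word, a macro that spawns cmd.exe, which then starts
# wscript.exe, and a user-opened shell under explorer.exe that must not alert.
EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 5120, "ppid": 4100,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": 'WINWORD.EXE "tariff_plan.docm"'},
    {"pid": 5300, "ppid": 5120, "image": r"C:\Windows\splwow64.exe",
     "cmdline": "splwow64.exe 12288"},
    {"pid": 5400, "ppid": 5120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c stage1.bat"},
    {"pid": 5500, "ppid": 5400, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": "wscript.exe stage2.vbs"},
    {"pid": 6000, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe"},
]

if __name__ == "__main__":
    for pid, office_pid, chain in detect_office_spawn(EVENTS):
        print(f"ALERT pid={pid} office_parent={office_pid} chain={chain}")
```

Tune the depth and the interpreter list to your environment; legitimate add-ins do occasionally spawn cmd.exe from Office, so this rule is a triage signal to enrich with the child's command line and the document that Word had open, not a block-on-sight verdict.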
LuciDoor is a C++ backdoor built for persistent remote access. It establishes encrypted communication with a command-and-control (C2) server and sends it basic system information. It then parses the server's responses to execute arbitrary commands via cmd.exe, write new files to disk, and upload files from the victim.
The MarsSnake Maneuver
A similar attack vector was employed in late November 2025, this time deploying the ‘MarsSnake’ backdoor using a different loader, ‘MarsSnakeLoader’. By January 2026, UnsolicitedBooker had refined its phishing tactics for Tajikistan-based targets, embedding links to decoy documents rather than direct attachments, maintaining the same underlying attack chain.
MarsSnake mirrors LuciDoor’s capabilities, enabling attackers to harvest system metadata, execute commands, and manipulate files on disk. Positive Technologies also noted evidence of MarsSnake’s use in attacks within China itself. Its deployment often begins with a Windows shortcut file (*.doc.lnk) masquerading as a Word document, triggering a batch script that launches a Visual Basic Script to deliver MarsSnake directly, bypassing a loader. This LNK file shares characteristics with a publicly available pentesting tool, FTPlnk_phishing, and notably, a similar LNK file was utilized by the Mustang Panda group in 2022 attacks against Thailand.
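The *.doc.lnk pattern described above can be triaged automatically: a shortcut named like a document whose target is a command or script interpreter, or whose arguments reference a script file, is worth pulling for analysis. The following is an added example, not code from the article or from Positive Technologies, and it does not reproduce the group's actual shortcut. It implements a minimal parser for the MS-SHLLINK binary format (header, optional LinkTargetIDList and LinkInfo skipped, then the StringData fields) and builds a constructed sample shortcut in memory so it runs offline; the file and script names in the sample are hypothetical.

```python
"""Triage Windows shortcut (.lnk) files for the document-double-extension /
script-launcher pattern. Added example; the sample shortcut is constructed here."""
import re
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046")

# LinkFlags bits from MS-SHLLINK (header offset 20).
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x1, 0x2, 0x4, 0x8
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80

# StringData fields appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION)]


def parse_lnk(data: bytes) -> dict:
    """Minimal shell-link parser: returns LinkFlags and the StringData fields."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:      # LinkTargetIDList: u16 size, then the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:    # LinkInfo: u32 size that includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    out = {"flags": flags}
    for field, bit in STRING_FIELDS:   # u16 character count + characters
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            out[field] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            out[field] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return out


LAUNCHERS = re.compile(r"^(cmd|wscript|cscript|powershell|pwsh|mshta|rundll32)(\.exe)?$", re.I)
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pptx?|pdf|rtf)\.lnk$", re.I)
SCRIPT_ARG = re.compile(r"\.(bat|cmd|vbs|vbe|js|jse|ps1|hta)\b", re.I)


def triage_lnk(filename: str, data: bytes) -> list:
    """Return the reasons a shortcut looks like a document-themed script launcher."""
    info = parse_lnk(data)
    reasons = []
    if DOUBLE_EXT.search(filename):
        reasons.append("document double extension: " + filename)
    target = info.get("relative_path", "")
    if LAUNCHERS.search(target.replace("/", "\\").split("\\")[-1]):
        reasons.append("target is a command/script interpreter: " + target)
    args = info.get("arguments", "")
    if SCRIPT_ARG.search(args):
        reasons.append("arguments reference a script file: " + args)
    return reasons


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Construct a minimal Unicode shortcut (no IDList/LinkInfo) for offline tests."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID.bytes_le, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # 76-byte header

    def string_data(text: str) -> bytes:
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


# Constructed sample: a shortcut posing as a tariff-plan document that launches
# cmd.exe with a batch script (hypothetical names, not the actual malware).
SAMPLE_NAME = "tariff_plan.doc.lnk"
SAMPLE_LNK = build_lnk(r"..\..\..\Windows\System32\cmd.exe", "/c start /min stage1.bat")

if __name__ == "__main__":
    for reason in triage_lnk(SAMPLE_NAME, SAMPLE_LNK):
        print("suspicious:", reason)
```

Real-world shortcuts usually carry a LinkTargetIDList and LinkInfo, which the parser skips by size, and some droppers pad the arguments field with hundreds of spaces so the real command line is pushed out of the Properties dialog; checking the parsed arguments rather than what Explorer displays is the point of parsing the file yourself.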
Evolving Tactics and Infrastructure
Researchers from Positive Technologies highlighted the group’s preference for “unique and rare instruments of Chinese origin.” They also observed a fascinating tactical evolution: “Interestingly, at the very beginning, the group used a backdoor we dubbed LuciDoor, but later switched to the MarsSnake backdoor. However, in 2026, the group made a U-turn and resumed using LuciDoor.” This indicates a dynamic and adaptive approach to their toolkit.
UnsolicitedBooker's infrastructure choices are equally deliberate. In at least one instance the attackers used a compromised router as a C2 server, and in some attacks their infrastructure was set up to look Russian, a false flag intended to mislead attribution.
Broader Cyber Landscape: Mimicry and New Threats
This disclosure arrives amidst a backdrop of other significant cyber developments. A new, previously unknown threat actor, dubbed ‘PseudoSticky’, has emerged, actively mimicking the tactics of the pro-Ukrainian hacking group ‘Sticky Werewolf’ (also known as Angry Likho, MimiStick, and PhaseShifters). Since November 2025, PseudoSticky has targeted Russian organizations in retail, construction, and research sectors with malware like RemcosRAT and DarkTrack RAT, aiming for extensive data theft and remote control. Intriguingly, there are suggestions that PseudoSticky may have utilized large language models (LLMs) to develop its attack chains, showcasing an evolving frontier in cyber warfare.
Another group, ‘Cloud Atlas’, has also been observed targeting Russian entities. They employ phishing emails containing malicious Word documents to distribute custom malware, ‘VBShower’ and ‘VBCloud’. These documents load remote templates from C2 servers upon opening, further illustrating the diverse and persistent threats facing organizations globally.
The activities of UnsolicitedBooker, PseudoSticky, and Cloud Atlas underscore a continuously shifting and increasingly complex cyber threat landscape. From strategic geographical pivots to sophisticated toolkits and even the mimicry of other groups, these actors demonstrate a relentless pursuit of their objectives, demanding constant vigilance and robust cybersecurity defenses from organizations worldwide.