Central Asian Telecoms Hit by LuciDoor and MarsSnake Backdoors: UnsolicitedBooker’s Latest Threat
UnsolicitedBooker Targets Central Asian Telecoms with Custom Backdoors
A recent report from Positive Technologies has shed light on a series of targeted attacks against telecommunications companies in Kyrgyzstan and Tajikistan. The threat actor behind these attacks, known as UnsolicitedBooker, has been observed using two distinct backdoors, codenamed LuciDoor and MarsSnake.
UnsolicitedBooker’s History and Tactics
UnsolicitedBooker, first identified by ESET in May 2025, is believed to be a China-aligned threat actor that has been active since at least March 2023. The group has a history of targeting organizations in Asia, Africa, and the Middle East, with a focus on Saudi Arabian entities.
Latest Attacks
The latest attacks, which took place in late September and November 2025, involved phishing emails containing malicious Microsoft Office documents. These documents, when opened, instructed recipients to enable content, allowing a malicious macro to execute and drop a C++ malware loader called LuciLoad. LuciLoad, in turn, delivered the LuciDoor backdoor.
LuciDoor Backdoor
LuciDoor, written in C++, establishes communication with a command-and-control (C2) server, collects basic system information, and exfiltrates the data to the server in encrypted format. The backdoor can also parse responses sent by the server to run commands using cmd.exe, write files to the system, and upload files.
MarsSnake Backdoor
In a separate attack, UnsolicitedBooker used a different loader, codenamed MarsSnakeLoader, to deploy the MarsSnake backdoor. MarsSnake allows attackers to harvest system metadata, execute arbitrary commands, and read or write any file on disk.
Notably, Positive Technologies found evidence that MarsSnake was used in attacks targeting China. The starting point for these attacks was a Windows shortcut masquerading as a Microsoft Word document, which triggered the execution of a batch script to launch a Visual Basic Script and deploy MarsSnake without the loader component.
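The two delivery chains described above (a macro-enabled Office document that spawns a command interpreter to run a loader, and a shortcut posing as a Word document that runs a batch script which launches a VBScript host) both leave a recognisable parent/child process trail. The following is an added detection example written for this page; it is not code from Positive Technologies' report or from the article. It assumes Sysmon-style process-creation records (pid, parent pid, image path, command line), and every event, path and file name in the sample data is constructed, including the placeholder loader.exe, run.bat and stage.vbs.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Parent applications and child interpreters that matter for the macro chain.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Document extensions a shortcut might imitate, e.g. "report.docx.lnk".
DOC_EXTS = ("doc", "docx", "rtf", "xls", "xlsx", "pdf")
LNK_MASQ = re.compile(r"\.(" + "|".join(DOC_EXTS) + r")\.lnk\b", re.IGNORECASE)


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 style fields, assumed)."""
    pid: int
    ppid: int
    image: str
    cmdline: str


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def build_tree(events: List[ProcEvent]) -> Dict[int, ProcEvent]:
    return {e.pid: e for e in events}


def ancestors(tree: Dict[int, ProcEvent], ev: ProcEvent) -> List[ProcEvent]:
    """Walk parent links upward; stop on a missing parent or a pid cycle."""
    out, seen = [], {ev.pid}
    cur = tree.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        out.append(cur)
        seen.add(cur.pid)
        cur = tree.get(cur.ppid)
    return out


def detect_office_to_script_host(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Chain 1: a script host whose ancestry contains an Office application.
    Returns (office_pid, script_host_pid) pairs."""
    tree = build_tree(events)
    hits = []
    for ev in events:
        if basename(ev.image) not in SCRIPT_HOSTS:
            continue
        for anc in ancestors(tree, ev):
            if basename(anc.image) in OFFICE_APPS:
                hits.append((anc.pid, ev.pid))
                break
    return hits


def is_masquerading_lnk(filename: str) -> bool:
    """True for shortcut names that carry a document extension before .lnk."""
    return bool(LNK_MASQ.search(filename))


def detect_lnk_batch_vbs(events: List[ProcEvent]) -> List[Tuple[int, int]]:
    """Chain 2: explorer.exe -> cmd.exe running a .bat/.cmd -> wscript/cscript
    running a .vbs. Returns (cmd_pid, script_host_pid) pairs."""
    tree = build_tree(events)
    hits = []
    for ev in events:
        if basename(ev.image) not in {"wscript.exe", "cscript.exe"}:
            continue
        if ".vbs" not in ev.cmdline.lower():
            continue
        parent = tree.get(ev.ppid)
        if parent is None or basename(parent.image) != "cmd.exe":
            continue
        if not re.search(r"\.(bat|cmd)\b", parent.cmdline, re.IGNORECASE):
            continue
        grandparent = tree.get(parent.ppid)
        if grandparent is not None and basename(grandparent.image) == "explorer.exe":
            hits.append((parent.pid, ev.pid))
    return hits


# Constructed sample telemetry (not real events from the reported intrusions).
SAMPLE_EVENTS = [
    ProcEvent(1000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    # Chain 1: lure document opened, content enabled, macro spawns cmd.exe to run a loader.
    ProcEvent(2000, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              '"WINWORD.EXE" /n "C:\\Users\\user\\Downloads\\invoice.docm"'),
    ProcEvent(2001, 2000, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "C:\\Users\\user\\AppData\\Local\\Temp\\loader.exe"'),
    # Chain 2: shortcut posing as a Word file runs a batch script, which launches a VBScript.
    ProcEvent(3000, 1000, r"C:\Windows\System32\cmd.exe",
              'cmd.exe /c "C:\\Users\\user\\AppData\\Roaming\\run.bat"'),
    ProcEvent(3001, 3000, r"C:\Windows\System32\wscript.exe",
              'wscript.exe //B "C:\\Users\\user\\AppData\\Roaming\\stage.vbs"'),
    # Benign: Word spawning a print helper, which is not a script host.
    ProcEvent(4000, 2000, r"C:\Windows\splwow64.exe", "splwow64.exe 12288"),
]

if __name__ == "__main__":
    print("office -> script host:", detect_office_to_script_host(SAMPLE_EVENTS))
    print("lnk -> bat -> vbs:", detect_lnk_batch_vbs(SAMPLE_EVENTS))
    print("masquerading name:", is_masquerading_lnk("Quarterly report.docx.lnk"))
```

The first detector deliberately walks the whole ancestry rather than checking only the direct parent, so a macro that inserts an intermediate process before reaching cmd.exe is still caught; the second is narrower because the explorer.exe -> cmd.exe -> wscript.exe shape is common enough in benign logon scripts that the .bat and .vbs constraints are what keep the noise down. The filename check is best applied to e-mail attachment or download telemetry, where the double extension is visible before the user ever clicks.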
Connections to Other Threat Actors
UnsolicitedBooker’s tactics, techniques, and procedures (TTPs) have been observed to overlap with those of two other threat actor clusters: Space Pirates, and an unattributed campaign targeting Saudi Arabia with a backdoor referred to as Zardoor.
Other Related Threat Actors
In related news, a previously unknown threat actor, referred to as PseudoSticky, has been targeting Russian organizations in the retail, construction, and research sectors with malware like RemcosRAT and DarkTrack RAT. PseudoSticky’s TTPs have been observed to mimic those of a pro-Ukrainian hacking group called Sticky Werewolf.
Russian entities have also been targeted by another hacking group called Cloud Atlas, using phishing emails bearing malicious Word documents to distribute custom malware known as VBShower and VBCloud.
