China-Based Hackers Linked to the Discovery of a New Cyber Weapon in Saudi Arabia: “MarsSnake”


An international organization in Saudi Arabia was the target of a highly focused operation run by a China-aligned cyber-espionage group tracked as “UnsolicitedBooker.” Over roughly three years the group made repeated intrusion attempts using a newly identified backdoor, MarsSnake, delivered through a carefully crafted phishing lure, revealing a persistent and adaptable threat. The findings, which illustrate the wider reach of Chinese cyber activity across Asia, the Middle East, and Africa, come from a recent report published by cybersecurity firm ESET.

Anatomy of a Cyber Attack: Flight Tickets, Macros, and Malware

The campaign, first detected in March 2023 and repeated in 2024 and again in January 2025, relied on spear-phishing emails disguised as Saudia Airlines flight confirmations. Instead of an itinerary, the emails carried a malicious Microsoft Word attachment containing a weaponized VBA macro. When the macro ran, it dropped a program named smssdrvhost.exe, a loader for the MarsSnake backdoor.

Analysis traced the content of the decoy document to a PDF that had been publicly posted on the Academia.edu platform, raising concerns about legitimate internet resources being repurposed for state-sponsored cyber operations. Once installed, MarsSnake connects to a command-and-control server (contact.decenttoy[.]top) and gives the operators full remote access to the host for espionage purposes.
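The attack chain above leaves two observable traces a defender can hunt for: a Word process spawning the loader executable, and DNS or proxy lookups for the command-and-control domain. The following script is an added example written for this article, not code from ESET or from the report; it runs the article's two published indicators (the loader name smssdrvhost.exe and the defanged C2 domain contact.decenttoy[.]top) over a few constructed log lines in a made-up key=value format. The log format, the hostnames and the "winword.exe" parent-process name are assumptions for illustration; adapt the regexes to whatever your DNS resolver and EDR actually emit.

```python
import re
from typing import Dict, List

# Indicators as published in the article. The domain is kept defanged in
# source so that copying this file around never creates a live hostname.
C2_DOMAIN_DEFANGED = "contact.decenttoy[.]top"
LOADER_PROCESS = "smssdrvhost.exe"

# Assumed name of the Office host application that executed the macro.
OFFICE_PARENTS = {"winword.exe"}

# Constructed sample log lines (not real telemetry): a DNS lookup for the
# C2 domain, Word spawning the loader, and two benign lines for contrast.
SAMPLE_LOGS = [
    "2025-01-14T09:11:58Z proc parent=winword.exe child=smssdrvhost.exe user=alice",
    "2025-01-14T09:12:03Z dns client=10.0.4.21 query=contact.decenttoy.top type=A",
    "2025-01-14T09:15:00Z proc parent=explorer.exe child=notepad.exe user=alice",
    "2025-01-14T09:16:10Z dns client=10.0.4.22 query=example.org type=A",
]

# Assumed log layouts; both formats are constructed for this example.
DNS_RE = re.compile(r"^(?P<ts>\S+) dns client=(?P<client>\S+) query=(?P<query>\S+)")
PROC_RE = re.compile(
    r"^(?P<ts>\S+) proc parent=(?P<parent>\S+) child=(?P<child>\S+) user=(?P<user>\S+)"
)


def refang(indicator: str) -> str:
    """Turn the defanged form 'a[.]b' back into a comparable hostname 'a.b'."""
    return indicator.replace("[.]", ".").lower()


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per matched rule. A single line can trigger several rules."""
    c2 = refang(C2_DOMAIN_DEFANGED)
    findings: List[Dict[str, str]] = []

    for line in lines:
        dns = DNS_RE.match(line)
        if dns:
            # Normalise: lowercase, strip a trailing dot, and match subdomains too.
            query = dns.group("query").lower().rstrip(".")
            if query == c2 or query.endswith("." + c2):
                findings.append({
                    "ts": dns.group("ts"),
                    "rule": "c2_domain",
                    "detail": f"{dns.group('client')} resolved {query}",
                })
            continue

        proc = PROC_RE.match(line)
        if proc:
            parent = proc.group("parent").lower()
            child = proc.group("child").lower()
            if child == LOADER_PROCESS:
                findings.append({
                    "ts": proc.group("ts"),
                    "rule": "loader_process",
                    "detail": f"{parent} started {child} as {proc.group('user')}",
                })
            # Generic behavioural rule: an Office application launching any
            # executable is suspicious regardless of the loader's file name.
            if parent in OFFICE_PARENTS and child.endswith(".exe"):
                findings.append({
                    "ts": proc.group("ts"),
                    "rule": "office_spawned_exe",
                    "detail": f"{parent} spawned {child}",
                })

    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['ts']} [{f['rule']}] {f['detail']}")
```

The behavioural rule ("Word spawned an .exe") is the more durable of the three: the loader's file name and the C2 domain can change between waves of the same campaign, while a macro that drops and runs a binary still has to go through the Office process.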

MarsSnake and Its Siblings: The Evolving Arsenal of UnsolicitedBooker

MarsSnake joins a known set of espionage backdoors used by UnsolicitedBooker, including the BeRAT, Poison Ivy, DeedRAT, and Chinoxy malware families, all of which are commonly associated with Chinese threat actors. ESET researchers also noted numerous behavioural overlaps between UnsolicitedBooker and other threat clusters, among them Space Pirates and several unattributed operations, including one that earlier deployed the Zardoor backdoor against an Islamic NGO in Saudi Arabia.

The sophistication of the campaign, especially its persistence over a multi-year period, suggests strategic objectives beyond mere data theft. Analysts speculate it could be linked to geopolitical interests in the Middle East, particularly given the target’s regional significance and recurring selection for attack.

These campaigns represent a tactical blend of social engineering and code-level obfuscation, exploiting not only technological vulnerabilities but also institutional trust in digital communications.

Global Reach: China’s Cyber Tentacles Extend Across Continents

The MarsSnake incident is not an isolated case. The same report describes coordinated campaigns by other China-aligned groups, including PerplexedGoblin (APT31) and DigitalRecyclers (APT15). In December 2024, PerplexedGoblin used NanoSlate, an espionage backdoor built for covert data exfiltration, against a government entity in Central Europe.

DigitalRecyclers, meanwhile, has continued to target EU government agencies. Active since at least 2018, the group operates a VPN relay network called KMA ORB and has deployed implants such as GiftBox, HydroRShell, and RClient. HydroRShell is notable for encrypting its communications with Google’s Protobuf and the Mbed TLS library, which makes detection and attribution considerably harder.

According to the report, “DigitalRecyclers probably functions under the Ke3chang and BackdoorDiplomacy umbrella, representing a constellation of Chinese cyber actors with complementary toolkits.”


About The Author:

Yogesh Naager is a content marketer who specializes in the cybersecurity and B2B space.  Besides writing for the News4Hackers blogs, he also writes for brands including Craw Security, Bytecode Security, and NASSCOM.
