UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors
- The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities.
- The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to a report published by Positive Technologies last week.
- "The group used several unique and rare instruments of Chinese origin," researchers Alexander Badaev and Maxim Shamanov said.
- UnsolicitedBooker was first documented by ESET in May 2025, which attributed to the China-aligned threat actor a cyber attack targeting an unnamed international organization in Saudi Arabia with a backdoor dubbed MarsSnake.
- The group is assessed to have been active since at least March 2023 and has a history of targeting organizations in Asia, Africa, and the Middle East.
- Further analysis of the threat actor has uncovered tactical overlaps with two other clusters: Space Pirates and an as-yet-unattributed campaign targeting Saudi Arabia with another backdoor referred to as Zardoor.
Article Summaries:
- UnsolicitedBooker, a threat‑actor cluster previously focused on Saudi Arabian targets, has shifted its focus to telecommunications firms in Kyrgyzstan and Tajikistan. Positive Technologies released a report last week detailing the group’s use of two new backdoors, codenamed LuciDoor and MarsSnake, to infiltrate and maintain persistence within the affected networks. The attacks represent a geographic pivot for the actors and introduce additional malware components that could expand their operational reach. Security analysts note that the deployment of these backdoors underscores the evolving tactics of state‑aligned threat groups in the Central Asian region.
- UnsolicitedBooker, a China‑aligned threat cluster first noted in May 2025, has shifted focus from Saudi Arabian targets to telecommunications firms in Kyrgyzstan and Tajikistan. Russian vendor Positive Technologies reports the group deployed two backdoors, LuciDoor and MarsSnake, via phishing emails that contain Office documents or decoy links. The malicious macros drop C++ loaders (LuciLoad or MarsSnakeLoader), which install the backdoors, enabling encrypted data exfiltration, command execution, and file manipulation. The attackers also used rare Chinese‑origin tools and tactics similar to those of other clusters such as Space Pirates. The campaign demonstrates a continued, evolving use of sophisticated, low‑profile malware in Central Asia.
Sources:
- https://thehackernews.com/2026/02/unsolicitedbooker-targets-central-asian.html (Latest source article published: 2026-02-24 09:54 UTC)