UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors


A China-linked threat cluster tracked as UnsolicitedBooker has shifted its cyber espionage operations from a target in Saudi Arabia to telecommunications providers in Kyrgyzstan and Tajikistan, deploying two backdoors that have rarely been observed elsewhere.

The campaign uses two distinct backdoors, LuciDoor and MarsSnake, delivered by phishing emails carrying macro-enabled Microsoft Office documents and weaponized Windows shortcut (LNK) files. Neither vector exploits a software vulnerability: the macro runs only once the recipient enables it, and the shortcut runs when it is opened.

From Saudi Arabia to Central Asia: A Strategic Shift

First documented by ESET in May 2025, when it targeted an unnamed international organization in Saudi Arabia, UnsolicitedBooker has been active since at least March 2023 against organizations across Asia, Africa, and the Middle East.

The latest wave of attacks, detailed by Russian cybersecurity firm Positive Technologies, shows the group's regional expansion. Between late September and November 2025, attackers targeted Kyrgyz telecom companies with phishing emails carrying malicious Microsoft Office documents. The documents showed decoy telecom tariff information; the embedded macro ran once the recipient enabled it.

The attack chain was multi-stage: once macros were enabled, the document ran LuciLoad, a C++ loader, which in turn deployed LuciDoor. A parallel attack in November used MarsSnakeLoader to deliver MarsSnake, so the group keeps more than one malware family in rotation.

Technical Deep Dive: LuciDoor’s Advanced Capabilities

Written in C++, LuciDoor establishes encrypted communication channels with command-and-control servers, exfiltrating system metadata including hardware configurations, installed software, and network information. The backdoor parses server responses to execute arbitrary commands via cmd.exe, write files to compromised systems, and upload sensitive data.
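The chains described above (Office document with an enabled macro, a dropped loader, a backdoor that runs operator commands through cmd.exe, and the LNK-to-batch-to-VBS variant described further down) all leave the same kind of trace in process-creation telemetry. The following is an added example of detection logic over that telemetry; it is not code from Positive Technologies' report. The events are constructed Sysmon Event ID 1-style records, and the loader path `C:\Users\ops\AppData\Roaming\Sync\update.exe` is a hypothetical stand-in, not a real LuciLoad or MarsSnakeLoader file name.

```python
"""Flag process-creation chains consistent with the macro and LNK delivery
described on this page: Office app -> dropped loader -> cmd.exe, and
explorer.exe -> cmd.exe (.bat) -> wscript.exe (.vbs).
EVENTS are constructed Sysmon-Event-ID-1-style records, not real telemetry."""

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
SCRIPT_MARKERS = (".bat", ".cmd", ".vbs", ".lnk", ".js")

# Constructed sample events. The loader path/name is hypothetical.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\ops\Downloads\tariffs_2025.doc"'},
    {"pid": 300, "ppid": 200, "image": r"C:\Users\ops\AppData\Roaming\Sync\update.exe",
     "cmdline": "update.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c systeminfo & ipconfig /all"},
    {"pid": 500, "ppid": 100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\ops\AppData\Local\Temp\run.bat"'},
    {"pid": 600, "ppid": 500, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\ops\AppData\Local\Temp\s.vbs"'},
    {"pid": 700, "ppid": 1,   "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": "svchost.exe -k netsvcs"},
]


def image_name(path):
    """Lower-cased file name of an image path (handles / and \\ separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (pid, rule, detail) tuples for suspicious parent/child pairs."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue
        p_img, c_img = image_name(parent["image"]), image_name(e["image"])
        cmd = e["cmdline"].lower()
        # Rule 1: an Office application should not spawn executables; a child
        # process is the observable side effect of an enabled macro.
        if p_img in OFFICE:
            alerts.append((e["pid"], "office-child", f"{p_img} -> {e['image']}"))
        # Rule 2: cmd.exe whose parent runs from a user-writable directory is
        # the shape of a dropped backdoor executing operator commands.
        if c_img == "cmd.exe" and any(d in parent["image"].lower() for d in USER_WRITABLE):
            alerts.append((e["pid"], "cmd-from-user-writable", parent["image"]))
        # Rule 3: interpreter chains started from Explorer (a double-clicked
        # LNK) or from another interpreter that reference batch/VBS files.
        if (c_img in INTERPRETERS and (p_img == "explorer.exe" or p_img in INTERPRETERS)
                and any(m in cmd for m in SCRIPT_MARKERS)):
            alerts.append((e["pid"], "script-chain", f"{p_img} -> {c_img}: {e['cmdline']}"))
    return alerts


def alert_chain(events, pid):
    """Parent chain of a process, root first, for context in an alert."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"[{rule}] pid={pid} chain={' > '.join(alert_chain(EVENTS, pid))} :: {detail}")
```

Rule 1 is the highest-signal of the three in most estates (Office applications almost never need to spawn executables); rules 2 and 3 will need an allowlist for legitimate logon scripts and software deployment tools before they go into production.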

What makes LuciDoor notable is its reliance on tools of Chinese origin that are rarely seen in other campaigns, one of the signals behind the attribution. Its command set spans passive reconnaissance (host and network metadata) and active operations (command execution, file writes, uploads), so operators can change what the implant does without swapping it out.

MarsSnake: The Versatile Alternative

MarsSnake mirrors LuciDoor's core functionality: it collects host metadata, executes arbitrary commands, and manipulates files on disk. It has been delivered both through macro-enabled documents and through Windows shortcut files carrying a double extension (*.doc.lnk) so that they pass for Word documents when file extensions are hidden.

Researchers also found MarsSnake in attacks targeting China. There the chain starts with a shortcut masquerading as a Word document: the LNK launches a batch script, which launches a Visual Basic Script, which runs MarsSnake directly without MarsSnakeLoader.

The decoy LNK file's creation time and Machine ID match those produced by FTPlnk_phishing, a publicly available phishing tool, suggesting the group builds its lures with an existing offensive framework and changes them only slightly. LNK metadata of this kind (the header timestamps and the TrackerDataBlock's machine name and GUIDs) is a useful pivot for linking lures across campaigns.
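The Machine ID and creation-time comparison above is a standard LNK forensics pivot: the MS-SHLLINK header carries FILETIME timestamps, and the optional TrackerDataBlock carries the NetBIOS name of the machine that created the link plus "droid" GUIDs that are version-1 UUIDs, so they encode a timestamp and a MAC address. The following parser is an added example, not tooling from the report or from FTPlnk_phishing. The sample .lnk is constructed in the script, and its machine name, MAC address and times are hypothetical, not indicators from the campaign.

```python
"""Parse a Windows shortcut (.lnk, MS-SHLLINK) far enough to pull the fields
used to tie lures to a builder: header creation time, command-line arguments,
and the TrackerDataBlock's MachineID and birth-file GUID (a UUIDv1, which
carries the build time and MAC address of the host that created the link).
The sample LNK built below is constructed; its MachineID, MAC and times are
hypothetical, not indicators from any campaign."""
import struct
import uuid
from datetime import datetime, timedelta, timezone

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
TRACKER_SIG = 0xA0000003
HAS_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # name, rel. path, work dir, args, icon
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)
US = timedelta(microseconds=1)


def uuid_v1_info(raw16):
    """Timestamp and MAC embedded in a version-1 GUID (little-endian on disk)."""
    u = uuid.UUID(bytes_le=raw16)
    if u.version != 1:
        return None
    return {"timestamp": UUID_EPOCH + (u.time // 10) * US,
            "mac": ":".join(f"{(u.node >> s) & 0xFF:02x}" for s in range(40, -1, -8))}


def parse_lnk(data):
    """Return creation time, arguments, MachineID and birth-GUID info from an LNK."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    ctime, = struct.unpack_from("<Q", data, 28)
    out = {"creation_time": FILETIME_EPOCH + (ctime // 10) * US,
           "arguments": "", "machine_id": None, "birth": None}
    pos = 76
    if flags & HAS_ID_LIST:                       # skip LinkTargetIDList
        size, = struct.unpack_from("<H", data, pos); pos += 2 + size
    if flags & HAS_LINK_INFO:                     # skip LinkInfo
        size, = struct.unpack_from("<I", data, pos); pos += size
    for bit in STRING_FLAGS:                      # StringData, always in this order
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos); pos += 2
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos:pos + count * width]; pos += count * width
            text = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            if bit == HAS_ARGUMENTS:
                out["arguments"] = text
    while pos + 8 <= len(data):                   # ExtraData blocks
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break                                 # TerminalBlock
        if sig == TRACKER_SIG and size >= 96:
            out["machine_id"] = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            out["birth"] = uuid_v1_info(data[pos + 80:pos + 96])   # DroidBirth file GUID
        pos += size
    return out


def triage(filename, parsed):
    """Cheap lure checks on the name and the parsed arguments."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".lnk") and lower.rsplit(".", 2)[-2] in ("doc", "docx", "pdf", "xls", "xlsx"):
        findings.append("double extension masquerading as a document")
    if any(k in parsed["arguments"].lower() for k in ("cmd", "powershell", "wscript", "cscript", ".bat", ".vbs")):
        findings.append("arguments launch a command/script interpreter")
    return findings


# --- constructed sample (hypothetical values) ------------------------------
def v1_guid(when, node):
    t = (when - UUID_EPOCH) // US * 10            # 100-ns intervals since 1582-10-15
    return uuid.UUID(fields=(t & 0xFFFFFFFF, (t >> 32) & 0xFFFF,
                             ((t >> 48) & 0x0FFF) | 0x1000, 0x80, 0x00, node))


def build_sample_lnk(machine_id, args, created, birth_guid):
    ftime = (created - FILETIME_EPOCH) // US * 10
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, HAS_ARGUMENTS | IS_UNICODE,
                         0x20, ftime, ftime, ftime, 0, 0, 1, 0, 0, 0, 0)
    strings = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + machine_id.encode("ascii").ljust(16, b"\0")
               + bytes(32) + bytes(16) + birth_guid.bytes_le)   # Droid, DroidBirth vol, DroidBirth file
    return header + strings + tracker + struct.pack("<I", 0)


BUILT_AT = datetime(2025, 9, 29, 8, 15, 0, tzinfo=timezone.utc)
SAMPLE_NAME = "tariffs.doc.lnk"
SAMPLE_LNK = build_sample_lnk("desktop-build01", r'/c "%TEMP%\run.bat"',
                              BUILT_AT, v1_guid(BUILT_AT, 0x001122334455))

if __name__ == "__main__":
    parsed = parse_lnk(SAMPLE_LNK)
    print(parsed)
    print(triage(SAMPLE_NAME, parsed))
```

Two caveats when using this on real lures: a builder can zero or forge the header timestamps, but the TrackerDataBlock GUIDs are written by the Link Tracking service and are the harder-to-spoof half of the pivot; and the parser skips LinkTargetIDList and LinkInfo rather than decoding them, so the target path itself is not recovered here.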

Infrastructure and Operational Security

Positive Technologies also reported that in at least one case the attackers used a compromised router as a command-and-control server, and that some of the group's infrastructure was made to look Russian, which could deflect attribution or complicate blocking.

The group's malware choices also changed over time. After starting with LuciDoor, UnsolicitedBooker switched to MarsSnake and then made a "U-turn" in 2026, resuming LuciDoor. That may reflect testing of different tools or a response to one of them being detected.

Parallel Threats: PseudoSticky and Cloud Atlas Target Russia

The disclosure coincides with revelations about PseudoSticky, a threat actor deliberately mimicking the pro-Ukrainian Sticky Werewolf group (also known as Angry Likho, MimiStick, and PhaseShifters) to attack Russian organizations in retail, construction, and research sectors.

Active since November 2025, PseudoSticky uses phishing emails with malicious attachments to deploy Remcos RAT and DarkTrack RAT for data theft and remote control. Russian security vendor F6 found enough differences in infrastructure and implementation to conclude that this is deliberate mimicry rather than a direct connection to Sticky Werewolf.

Cloud Atlas, a separate group that targets Russia, uses phishing emails with malicious Word documents to distribute its custom VBShower and VBCloud malware. The documents load a remote template that carries an exploit for CVE-2018-0802, a memory-corruption bug in the Office Equation Editor, after which further malicious files are downloaded and stored in NTFS alternate data streams.
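Both document lures on this page (the macro-enabled files used against the Kyrgyz telecoms and Cloud Atlas's remote-template documents) can be caught before a user ever opens them by inspecting the file rather than the behaviour. An OOXML Word file is a zip archive; a VBA project shows up as `word/vbaProject.bin`, and an attached template is a relationship in `word/_rels/settings.xml.rels` whose `Target` is an external URL. The scanner below is an added example, not a tool from either report; the .docx files it scans are built in memory as constructed samples, and the template URL is hypothetical. It covers OOXML only; legacy OLE `.doc` files need an OLE parser (oletools' olevba, for instance).

```python
"""Scan an OOXML Word file for two lure mechanics: an embedded VBA project
(macro lure) and an attachedTemplate relationship that points outside the
document (remote template loading). Sample documents are constructed in
memory; the URL below is hypothetical."""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
REMOTE = re.compile(r"^(https?|ftp)://|^\\\\", re.IGNORECASE)   # URL or UNC path


def scan_docx(data):
    """Return {'has_vba': bool, 'remote_templates': [targets]} for a .docx/.docm."""
    result = {"has_vba": False, "remote_templates": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        result["has_vba"] = any(n.lower().endswith("vbaproject.bin") for n in names)
        rels = "word/_rels/settings.xml.rels"
        if rels in names:
            root = ET.fromstring(z.read(rels))
            for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
                target = rel.get("Target", "")
                # Word honours TargetMode="External"; also catch a URL that
                # was written without the attribute.
                if rel.get("Type") == ATTACHED_TEMPLATE and (
                        rel.get("TargetMode") == "External" or REMOTE.match(target)):
                    result["remote_templates"].append(target)
    return result


def build_docx(template_target=None, external=True, vba=False):
    """Build a minimal (not Word-openable) .docx carrying the parts the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>')
        if template_target is not None:
            z.writestr("word/settings.xml",
                       '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
                       'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
                       '<w:attachedTemplate r:id="rId1"/></w:settings>')
            mode = ' TargetMode="External"' if external else ""
            z.writestr("word/_rels/settings.xml.rels",
                       f'<Relationships xmlns="{RELS_NS}"><Relationship Id="rId1" '
                       f'Type="{ATTACHED_TEMPLATE}" Target="{template_target}"{mode}/></Relationships>')
        if vba:
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0")  # OLE magic only; constructed stub
    return buf.getvalue()


# Constructed samples (hypothetical URL; TEST-NET-3 address).
REMOTE_LURE = build_docx("http://203.0.113.10/tariffs/template.dotm")
LOCAL_TEMPLATE = build_docx("Normal.dotm", external=False)
MACRO_LURE = build_docx(vba=True)

if __name__ == "__main__":
    for label, doc in (("remote-template", REMOTE_LURE), ("local-template", LOCAL_TEMPLATE),
                       ("macro", MACRO_LURE)):
        print(label, scan_docx(doc))
```

A mail gateway or sandbox pre-filter built on this should treat any external template target as a block, not a warning: a legitimate document almost never needs to fetch its template over HTTP, and the fetched template is exactly where the macro or exploit lives.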

Attribution and Implications

The consistent use of Chinese-origin tools, together with operational patterns and infrastructure choices, supports the assessment that UnsolicitedBooker is China-linked. Its ability to move between targets, maintain several malware families, and rework its infrastructure points to deliberate planning and sustained resourcing.

For telecommunications providers in Central Asia, these attacks are a clear escalation in espionage against critical infrastructure. Every chain described here depends on a user enabling a macro or opening a shortcut, so the practical controls are the ones that break that step: block macros in files carrying the Mark of the Web, block or quarantine .lnk attachments and archives containing them, alert on Office applications spawning child processes, and monitor outbound traffic for C2 sessions, bearing in mind that the C2 endpoint may be a compromised router rather than a conventional hosting provider.

The broader pattern of sophisticated, state-sponsored cyber operations targeting telecommunications infrastructure across multiple regions underscores the ongoing strategic importance of telecom data for intelligence gathering and geopolitical influence operations.


Tags: #Cybersecurity #APT #UnsolicitedBooker #LuciDoor #MarsSnake #CyberEspionage #TelecomSecurity #CentralAsia #ChinaAPT #Phishing #Malware #CyberAttack #InformationWarfare #StateSponsoredHacking #CriticalInfrastructure
