Chinese APT UnsolicitedBooker Deploys LuciDoor and MarsSnake Backdoors Against Central Asian Telecoms

A China-aligned threat actor known as UnsolicitedBooker has expanded its targeting to telecommunications companies in Kyrgyzstan and Tajikistan, deploying two sophisticated backdoors—LuciDoor and MarsSnake—in a series of espionage campaigns documented by Positive Technologies researchers.

Campaign Overview

UnsolicitedBooker, first documented by ESET in May 2025 after targeting Saudi Arabian organizations, has been active since at least March 2023. The group has a history of targeting organizations across Asia, Africa, and the Middle East, with researchers identifying tactical overlaps with other Chinese threat clusters including Space Pirates and the Zardoor campaign.

“The group used several unique and rare instruments of Chinese origin.” — Positive Technologies researchers Alexander Badaev and Maxim Shamanov

Attack Chain Details

The latest attacks targeting Central Asian telecom providers follow a consistent pattern:

  • September 2025: Phishing emails containing Microsoft Office documents with malicious macros targeted Kyrgyz organizations
  • November 2025: Same tactics using a different loader (MarsSnakeLoader) to deploy MarsSnake
  • January 2026: Expanded operations against Tajikistan companies using embedded links instead of attachments

When victims enable macros in the decoy documents (which display telecom provider tariff plans), a C++ malware loader called LuciLoad or MarsSnakeLoader stealthily installs the respective backdoor.

Backdoor Capabilities

LuciDoor (C++)

  • Establishes encrypted C2 communication
  • Collects and exfiltrates system information
  • Executes commands via cmd.exe
  • Writes files to the compromised system
  • Uploads files to C2 server

MarsSnake

  • Harvests system metadata
  • Executes arbitrary commands
  • Reads and writes any file on disk

Infrastructure and Attribution

Positive Technologies noted several interesting operational security aspects:

  • The group used hacked routers as C2 servers in at least one case
  • Infrastructure was configured to mimic Russian infrastructure in some attacks
  • MarsSnake was also deployed against targets within China, using Windows shortcut files based on the publicly available FTPlnk_phishing pentesting tool
  • Similar LNK artifacts were previously associated with Mustang Panda attacks targeting Thailand in 2022

“Interestingly, at the very beginning, the group used a backdoor we dubbed LuciDoor, but later switched to the MarsSnake backdoor. However, in 2026, the group made a U-turn and resumed using LuciDoor.” — Positive Technologies

Why This Matters

Telecommunications providers are high-value targets for nation-state actors due to their access to sensitive communications data and critical infrastructure positioning. The targeting of Central Asian telecoms—particularly in Kyrgyzstan and Tajikistan—aligns with Chinese strategic interests in the region and the broader Belt and Road Initiative.

Recommendations

  • Block macro execution from untrusted Office documents
  • Monitor for suspicious C2 communications, especially to compromised network devices
  • Hunt for indicators of LuciLoad, MarsSnakeLoader, LuciDoor, and MarsSnake backdoors
  • Implement network segmentation to limit lateral movement
  • Deploy endpoint detection and response (EDR) solutions with behavioral analysis capabilities
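To make the hunting and EDR recommendations concrete, here is an added example (not code from the Positive Technologies report or The Hacker News article) that runs simple process-lineage rules over constructed Sysmon-style process-creation events. It flags the chain the article describes, an Office host spawning a dropped loader from a user-writable path and an Office descendant later launching cmd.exe; the field names Image/ParentImage and all paths are assumptions for this illustration.

```python
import ntpath

# Office hosts where the macro-enabled decoy documents are opened.
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Command interpreters a loader or backdoor would use (LuciDoor runs commands via cmd.exe).
SHELLS = {"cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Path fragments a macro-dropped binary typically lives in (user-writable locations).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\public\\", "\\programdata\\")

def basename(path):
    """Lower-cased file name of a Windows path (ntpath works on any platform)."""
    return ntpath.basename(path).lower()

def detect(events):
    """Return (rule, image) findings for Office -> loader -> backdoor -> shell lineages."""
    findings = []
    office_descendants = set()  # lower-cased image paths descended from an Office host
    for ev in events:
        image, parent = ev["Image"], ev["ParentImage"]
        child = basename(image)
        if basename(parent) in OFFICE_HOSTS:
            if child in SHELLS:
                findings.append(("office_spawns_shell", image))
            elif any(seg in image.lower() for seg in USER_WRITABLE):
                findings.append(("office_drops_and_runs_binary", image))
            office_descendants.add(image.lower())
        elif parent.lower() in office_descendants:
            office_descendants.add(image.lower())   # keep following the lineage
            if child in SHELLS:
                findings.append(("office_descendant_spawns_shell", image))
    return findings

# Constructed sample events (assumed Sysmon Event ID 1 style fields).
OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
LOADER = r"C:\Users\a.b\AppData\Roaming\Update\loader.exe"
BACKDOOR = r"C:\Users\a.b\AppData\Roaming\Update\svc.exe"
SAMPLE_EVENTS = [
    {"Image": OFFICE, "ParentImage": r"C:\Windows\explorer.exe"},        # user opens the decoy
    {"Image": r"C:\Windows\splwow64.exe", "ParentImage": OFFICE},       # benign print helper
    {"Image": LOADER, "ParentImage": OFFICE},                            # macro drops and runs loader
    {"Image": BACKDOOR, "ParentImage": LOADER},                          # loader starts backdoor
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": BACKDOOR},  # backdoor runs a command
    {"Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe"},  # benign
]

if __name__ == "__main__":
    for rule, image in detect(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```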

Source: The Hacker News / Positive Technologies