Full Report
Threat hunters have exposed the tactics of a China-aligned threat actor called UnsolicitedBooker that targeted an unnamed international organization in Saudi Arabia with a previously undocumented backdoor dubbed MarsSnake. ESET, which first discovered the hacking group's intrusions targeting the entity in March 2023 and again a year later, said the activity leverages spear-phishing emails using
Analysis Summary
# Threat Actor: UnsolicitedBooker
## Attribution & Identity
* **Identification:** China-aligned threat actor.
* **Aliases and Associations:** Assessed to share overlaps with the threat cluster tracked as **Space Pirates** and an unattributed cluster deploying the **Zardoor** backdoor.
## Activity Summary
* **Historical Activities:** Intrusions targeting an unnamed international organization in Saudi Arabia were first discovered in March 2023, with subsequent activity noted in 2024 and early 2025. This sustained targeting indicates a strong interest in this specific victim.
* **Recent Campaigns:** In January 2025, the actor deployed the novel **MarsSnake** backdoor against the Saudi Arabian organization using spear-phishing emails disguised as flight bookings from Saudia Airlines.
## Tactics, Techniques & Procedures
* Spear-phishing using flight ticket lures (e.g., a weaponized Microsoft Word document built from an online PDF template).
* Execution of VBA macros within weaponized documents.
* Decoding and writing an executable file (`smssdrvhost.exe`) to the file system.
* Deployment of various backdoors commonly used by Chinese hacking groups.
* Establishing command and control communications.
* *MITRE ATT&CK IDs are not explicitly mentioned in the text.*
## Targeting
* **Sectors:** Governmental organizations (implied by the targeting of a Saudi Arabian organization).
* **Geography:** Asia, Africa, and the Middle East.
* **Victims:** An unnamed international organization in Saudi Arabia (repeatedly targeted across 2023, 2024, and 2025), and an Islamic non-profit organization in Saudi Arabia (by an overlapping cluster).
## Tools & Infrastructure
* **Malware families used:**
  * **MarsSnake** (newly documented backdoor)
  * **Chinoxy**
  * **DeedRAT**
  * **Poison Ivy**
  * **BeRAT**
* **Infrastructure (C2):**
  * `contact.decenttoy[.]top`
## Implications
UnsolicitedBooker demonstrates long-term, persistent interest in specific high-value targets within the Middle East, employing common Chinese state-sponsored tradecraft (spear-phishing, known backdoors) while also introducing novel malware (MarsSnake). The multi-year overlap between campaigns suggests patient espionage or high-value intelligence gathering objectives against the primary victim.
## Mitigations
* Implement robust security measures against spear-phishing, specifically scrutinizing attachments (Microsoft Word documents) originating from external sources, especially those leveraging flight ticket lures.
* Ensure VBA macros are disabled by default or handled with extreme scrutiny.
* Monitor network traffic for command-and-control communications associated with the C2 infrastructure mentioned, such as `contact.decenttoy[.]top`.
* Maintain vigilance for known Chinese state-sponsored malware families like Chinoxy, DeedRAT, Poison Ivy, and BeRAT.
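A small detection routine for the two host-observable indicators above (the defanged C2 hostname and the dropped executable name), as an added example that is not part of the original report; the DNS and process-creation log formats, client IPs and timestamps are constructed for this example.

```python
"""Match constructed log lines against the indicators named in this report:
the C2 hostname contact.decenttoy[.]top and the dropped file smssdrvhost.exe.
Log formats below are constructed for the example, not taken from ESET's report."""
import re

# Indicators exactly as the report gives them (hostname is defanged).
C2_INDICATORS_DEFANGED = ["contact.decenttoy[.]top"]
DROPPED_FILE_NAMES = {"smssdrvhost.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def hostname_matches(query: str, indicator: str) -> bool:
    """True when the queried name equals the indicator or is a subdomain of it.
    Suffix matching on '.' + indicator avoids false hits on lookalike parents."""
    q = query.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)


def scan_dns_log(lines, indicators=C2_INDICATORS_DEFANGED):
    """Return (line_no, queried_name) for each query hitting a C2 indicator.
    Assumed line format: '<timestamp> <client_ip> query: <name> <rrtype>'."""
    refanged = [refang(i) for i in indicators]
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"query:\s+(\S+)\s+(A|AAAA|CNAME|TXT)\b", line)
        if m and any(hostname_matches(m.group(1), ind) for ind in refanged):
            hits.append((n, m.group(1).rstrip(".").lower()))
    return hits


def scan_process_log(lines, names=DROPPED_FILE_NAMES):
    """Return line numbers whose Image path ends in a dropped-file name.
    Assumed line format: 'ProcessCreate Image=<path> ParentImage=<path>'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r"\bImage=(\S+)", line)  # \b keeps ParentImage= out
        if m and m.group(1).rsplit("\\", 1)[-1].lower() in names:
            hits.append(n)
    return hits


# Constructed sample logs: one benign query, one exact hit, one lookalike
# parent that must NOT match, one upper-case hit with a trailing dot.
SAMPLE_DNS = [
    "2025-01-14T09:12:01Z 10.0.0.23 query: www.example.com A",
    "2025-01-14T09:12:05Z 10.0.0.23 query: contact.decenttoy.top A",
    "2025-01-14T09:13:40Z 10.0.0.41 query: decenttoy.top.example.net A",
    "2025-01-14T09:14:02Z 10.0.0.23 query: CONTACT.DECENTTOY.TOP. AAAA",
]
SAMPLE_PROC = [
    "ProcessCreate Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe",
    "ProcessCreate Image=C:\\Users\\u\\AppData\\Local\\Temp\\smssdrvhost.exe ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
]

if __name__ == "__main__":
    print(scan_dns_log(SAMPLE_DNS))      # [(2, 'contact.decenttoy.top'), (4, 'contact.decenttoy.top')]
    print(scan_process_log(SAMPLE_PROC))  # [2]
```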