Full Report
The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities. The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to a report published by Positive Technologies last week. "The group used several
Analysis Summary
# Threat Actor: UnsolicitedBooker
## Attribution & Identity
- **Actor Identification:** UnsolicitedBooker is a China-aligned threat activity cluster.
- **Assessed Origins:** China (based on the use of rare, Chinese-origin tools and tactical overlaps).
- **Known Associations/Aliases:**
  - Overlaps with the group **Space Pirates**.
  - Overlaps with an unattributed campaign using the **Zardoor** backdoor.
  - Linked to malicious LNK file creation methods previously used by **Mustang Panda** (TA416).
## Activity Summary
- **Current Campaigns (2025–2026):** Targeting telecommunications and other organizations in Kyrgyzstan and Tajikistan.
- **Historical Context:** First documented in May 2025 by ESET. Active since at least March 2023. Prior operations focused heavily on Saudi Arabian entities and an unnamed international organization.
## Tactics, Techniques & Procedures
- **Initial Access:** Phishing emails containing malicious Microsoft Office attachments or links to decoy documents.
- **Execution:**
  - Malicious macros requiring the victim to "Enable Content."
  - Use of Windows shortcut files (`.doc.lnk`) to trigger batch scripts and VBScripts (MITRE T1204.002, T1547.009).
- **Evasion & Delivery:**
  - Use of custom loaders (LuciLoad and MarsSnakeLoader).
  - Masquerading infrastructure to mimic Russian entities.
  - Use of decoy documents (e.g., telecom tariff plans).
- **Persistence & Command:**
  - C++-based backdoors for system metadata harvesting and command execution via `cmd.exe`.
  - Leverages compromised legitimate infrastructure (hacked routers) for C2.
## Targeting
- **Sectors:** Telecommunications, International Organizations.
- **Geography:**
  - Central Asia (Kyrgyzstan, Tajikistan)
  - Middle East (Saudi Arabia)
  - Others: Reported activity in Asia, Africa, and localized attacks within China.
- **Victims:** Unnamed telecommunications companies in Kyrgyzstan and Tajikistan; unnamed international organization in Saudi Arabia.
## Tools & Infrastructure
- **Malware Families:**
  - **LuciDoor:** A C++ backdoor for data exfiltration and remote command execution.
  - **MarsSnake:** A backdoor used for system metadata harvesting and file manipulation.
  - **Loaders:** LuciLoad, MarsSnakeLoader.
  - **Utilities:** FTPlnk_phishing (public pentesting tool used for LNK generation).
- **Infrastructure:**
  - Compromised routers used as C2 nodes.
  - Infrastructure designed to mimic Russian-based servers to mislead attribution.
## Implications
UnsolicitedBooker demonstrates a high degree of adaptability, shifting geographic focus from the Middle East to Central Asia while rotating between different malware toolsets (switching from LuciDoor to MarsSnake and back again). Their use of Chinese-origin tools and compromised infrastructure suggests a sophisticated actor capable of conducting long-term espionage against strategic infrastructure like telecommunications.
## Mitigations
- **Macro Security:** Disable Office macros by default and enforce signed macro policies across the enterprise.
- **Email Filtering:** Implement robust attachment scanning for `.lnk` files and documents containing obfuscated macros or external links.
- **Host-Based Defense:** Monitor for unusual child processes of Microsoft Word or Excel (e.g., `cmd.exe`, `powershell.exe`, or `cscript.exe`).
- **Network Monitoring:** Inspect outbound traffic for connections to compromised routers known to be used as C2 nodes and to suspicious IPs whose apparent Russian geolocation may be a decoy for attribution.
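The two host- and mail-side mitigations above (flagging `.doc.lnk`-style attachments, and flagging Word or Excel spawning a shell or script host) can be expressed as simple detection rules. The following is an added example written for this summary, not code from Positive Technologies or ESET, and it makes a few assumptions: the process-creation events are constructed Sysmon-style lines in a simplified `key=value` layout (real Sysmon output is XML/EVTX), `wscript.exe` is added to the page's list of suspicious children as the GUI twin of `cscript.exe`, and the document extensions checked for the double-extension lure are an assumed set around the page's `.doc.lnk` case.

```python
"""Detection helpers for two mitigations on this page (added example).

Rule 1: an Office application is the direct parent of a shell/script host.
Rule 2: an attachment name ends in ".<document ext>.lnk", hiding the shortcut.
All sample events and filenames below are constructed, not real telemetry.
"""
import re

# Parents and children named in the Mitigations section; wscript.exe is an
# assumption added here (GUI counterpart of cscript.exe).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "cscript.exe", "wscript.exe"}

# Assumed document extensions a ".lnk" might be hidden behind (page shows .doc).
DOC_EXTS = {"doc", "docx", "xls", "xlsx", "rtf", "pdf"}

# Constructed Sysmon-like Event ID 1 lines, simplified to key=value pairs.
SAMPLE_EVENTS = [
    'Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ParentImage=C:\\Windows\\explorer.exe User=CORP\\jdoe',
    'Image=C:\\Windows\\System32\\cmd.exe ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE User=CORP\\jdoe CommandLine="cmd.exe /c start.bat"',
    'Image=C:\\Windows\\System32\\cscript.exe ParentImage=C:\\Windows\\System32\\cmd.exe User=CORP\\jdoe',
    'Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE User=CORP\\asmith',
    'Image=C:\\Windows\\System32\\notepad.exe ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE User=CORP\\jdoe',
]

# key=value pairs; a value runs until the next " key=" or end of line, so
# unquoted paths with spaces survive, and quoted values are taken whole.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|.*?)(?=\s\w+=|$)')


def parse_event(line: str) -> dict:
    """Split one constructed event line into a field dict (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def office_spawned_shell(event: dict) -> bool:
    """Rule 1: Word/Excel is the *direct* parent of a shell or script host.

    A chain WINWORD.EXE -> cmd.exe -> cscript.exe is caught at the cmd.exe step
    only; the cscript.exe event alone has cmd.exe as parent and is not flagged.
    """
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    return parent in OFFICE_PARENTS and child in SUSPICIOUS_CHILDREN


def find_office_child_alerts(lines) -> list:
    """Return the parsed events that trigger Rule 1."""
    events = (parse_event(line) for line in lines)
    return [event for event in events if office_spawned_shell(event)]


def classify_attachment(filename: str) -> str:
    """Rule 2: 'disguised-lnk' for name.<doc ext>.lnk, 'lnk' for any other
    shortcut, 'ok' otherwise. Explorer hides the final .lnk, so the user
    sees what looks like a document."""
    parts = filename.lower().rsplit(".", 2)
    if parts[-1] != "lnk" or len(parts) < 2:
        return "ok"
    if len(parts) == 3 and parts[1] in DOC_EXTS:
        return "disguised-lnk"
    return "lnk"


if __name__ == "__main__":
    for alert in find_office_child_alerts(SAMPLE_EVENTS):
        print(f"[Rule 1] {alert['User']}: {basename(alert['ParentImage'])} -> "
              f"{basename(alert['Image'])} {alert.get('CommandLine', '')}")
    for name in ("Tariff_Plan_2025.doc.lnk", "setup.lnk", "tariff.docx"):
        print(f"[Rule 2] {name}: {classify_attachment(name)}")
```

Running the block flags the two events where WINWORD.EXE or EXCEL.EXE directly spawned `cmd.exe` or `powershell.exe` and leaves Word spawning `notepad.exe` alone; on the mail side it separates a `.doc.lnk` lure from a plain `.lnk` and from a genuine document. In production the same two predicates would sit behind a SIEM query over real Sysmon or EDR process-creation events and a mail-gateway attachment filter rather than over the constructed lines here.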