UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors
Source: The Hacker News
UnsolicitedBooker Activity in Central Asia
The threat‑activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities.
The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to a report published by Positive Technologies last week.
“The group used several unique and rare instruments of Chinese origin,” researchers Alexander Badaev and Maxim Shamanov said.
— Positive Technologies report
UnsolicitedBooker was first documented by ESET in May 2025, when the company attributed to the China‑aligned threat actor a cyber‑attack on an unnamed international organization in Saudi Arabia that used a backdoor dubbed MarsSnake. The group is assessed to have been active since at least March 2023 and has a history of targeting organizations in Asia, Africa, and the Middle East.
Further analysis has uncovered tactical overlaps with two other clusters: Space Pirates, and an as‑yet‑unattributed campaign targeting Saudi Arabia with another backdoor referred to as Zardoor.
The latest set of attacks documented by the Russian cybersecurity vendor targeted Kyrgyz organizations in late September 2025 with phishing emails containing a Microsoft Office document. When opened, the document prompts the victim to Enable Content so that a malicious macro can run.
- While the document displays a telecom provider’s tariff plan, the macro stealthily drops a C++ malware loader called LuciLoad, which in turn delivers LuciDoor.
- A second attack observed in late November 2025 used the same delivery method but employed a different loader, MarsSnakeLoader, to deploy MarsSnake.
As recently as January 2026, UnsolicitedBooker used phishing emails to target companies in Tajikistan. The overall attack chain was unchanged, but the emails now carried links to the decoy documents rather than attaching them directly.
Backdoor Malware
LuciDoor
- Language: C++
- Capabilities:
  - Establishes communication with a command‑and‑control (C2) server.
  - Collects basic system information and exfiltrates it in encrypted form.
  - Parses server responses to execute commands via cmd.exe, write files, and upload files.
MarsSnake
- Capabilities:
  - Harvests system metadata.
  - Executes arbitrary commands.
  - Reads or writes any file on disk.
Positive Technologies also found evidence that MarsSnake was used in attacks targeting China. The initial infection vector is a Windows shortcut masquerading as a Microsoft Word document (*.doc.lnk). The shortcut triggers a batch script that launches a Visual Basic Script, which in turn launches MarsSnake without a separate loader.
The decoy file appears to be based on an LNK file associated with the publicly available pentesting tool FTPlnk_phishing, as indicated by identical creation timestamps and Machine‑ID markers. A similar LNK file was employed by the Mustang Panda group in attacks against Thailand in 2022.
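The attribution clue in the paragraph above, matching LNK header creation timestamps and the machine name stored in the shortcut's TrackerDataBlock, can be extracted with a short parser of the MS-SHLLINK format. The following is an added example written for this page, not code from Positive Technologies or from the FTPlnk_phishing tool. It builds a constructed shortcut in memory (the file name, machine name, command line and timestamp are all fictional), parses it back, and additionally flags the double-extension naming and script-launcher arguments described for the China-targeting sample.

```python
"""Parse a Windows shortcut (.lnk, MS-SHLLINK) and pull out the fields a
triage analyst wants: header timestamps, the embedded command line and the
NetBIOS machine name in the TrackerDataBlock.  Added example, not code from
the report; the shortcut below is constructed and every name is fictional."""
import re
import struct
from datetime import datetime, timedelta, timezone

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
# StringData sections appear in this fixed order when their LinkFlags bit is set.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))
TRACKER_SIG = 0xA0000003          # ExtraData block carrying MachineID and object IDs
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
LAUNCHER_RE = re.compile(r"\.(?:bat|cmd|vbs|js|ps1)\b|\b(?:cmd|wscript|cscript|powershell)(?:\.exe)?\b", re.I)


def filetime_to_dt(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def build_lnk(fields, machine_id, created):
    """Assemble a minimal shortcut: header, StringData, TrackerDataBlock, terminal block."""
    flags, body = IS_UNICODE, b""
    for bit, name in STRING_FIELDS:
        if name in fields:
            flags |= bit
            body += struct.pack("<H", len(fields[name])) + fields[name].encode("utf-16-le")
    ft = dt_to_filetime(created)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)
    tracker = (struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
               + machine_id.encode("ascii").ljust(16, b"\0") + b"\0" * 64)  # Droid/DroidBirth zeroed
    return header + body + tracker + struct.pack("<I", 0)


def parse_lnk(data):
    hdr_size, clsid, flags, _attrs, ctime, atime, wtime = struct.unpack_from("<I16sIIQQQ", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    pos = hdr_size
    if flags & HAS_ID_LIST:        # LinkTargetIDList: 2-byte size, then the items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:      # LinkInfo: its first dword is the total size
        pos += struct.unpack_from("<I", data, pos)[0]
    info = {name: None for _, name in STRING_FIELDS}
    for bit, name in STRING_FIELDS:
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[name] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "cp1252")
            pos += n * width
    info["machine_id"] = None
    while pos + 8 <= len(data):    # ExtraData blocks: (size, signature); size < 4 terminates
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == TRACKER_SIG:     # MachineID sits 16 bytes into the block, NUL padded
            info["machine_id"] = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
        pos += size
    info["created"], info["accessed"], info["written"] = map(filetime_to_dt, (ctime, atime, wtime))
    return info


def triage(filename, data):
    """Flags worth a second look for a shortcut delivered by mail."""
    info, findings, low = parse_lnk(data), [], filename.lower()
    if low.endswith(".lnk") and low[:-4].endswith((".doc", ".docx", ".pdf", ".xls", ".xlsx")):
        findings.append("double extension: " + filename)
    cmd = " ".join(filter(None, (info["relative_path"], info["arguments"])))
    if LAUNCHER_RE.search(cmd):
        findings.append("script launcher: " + cmd)
    if info["machine_id"]:
        findings.append("machine id: " + info["machine_id"])   # pivot value across samples
    return findings


# Constructed sample: a tariff-plan lure whose shortcut runs a batch file via cmd.exe.
SAMPLE_NAME = "tariff_plan.doc.lnk"
SAMPLE_LNK = build_lnk(
    {"relative_path": "..\\..\\Windows\\System32\\cmd.exe",
     "arguments": "/c start /min tariff.bat",
     "icon_location": "%SystemRoot%\\System32\\imageres.dll"},   # borrowed Word-style icon
    machine_id="lab-host-01", created=datetime(2022, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for line in triage(SAMPLE_NAME, SAMPLE_LNK):
        print(line)
    print("created:", parse_lnk(SAMPLE_LNK)["created"].isoformat())
```

Real shortcuts normally carry a LinkTargetIDList and LinkInfo block; the parser skips both by their size fields, so `parse_lnk(open(path, "rb").read())` works on files from disk as well. The machine name is the NetBIOS name of the host on which the shortcut was created, which is what makes it, together with the header creation time, a pivot between samples built from the same template.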
“In their attacks, the group used rare tools of Chinese origin,” Positive Technologies said.
“Interestingly, at the very beginning the group used a backdoor we dubbed LuciDoor, but later switched to MarsSnake. However, in 2026 the group made a U‑turn and resumed using LuciDoor.”
“Furthermore, in at least one case we observed the attackers using a hacked router as a C2 server, and their infrastructure mimicked that of Russia in some attacks.”
PseudoSticky and Cloud Atlas Target Russia
The disclosure comes as a previously unknown threat actor deliberately mimics the tactics of a pro‑Ukrainian hacking group called Sticky Werewolf (aka Angry Likho, MimiStick, and PhaseShifters) to attack Russian organizations.
Threat Landscape Update – Russian Targets
The new threat group, PseudoSticky, has been active since November 2025. Victims are typically infected via phishing emails that contain malicious attachments, which then deploy the trojans RemcosRAT and DarkTrack RAT for comprehensive data theft and remote control.
There are indications that the actors have leveraged large‑language models (LLMs) to develop attack chains that drop DarkTrack RAT through PureCrypter.
“A closer analysis reveals differences in the infrastructure, malware implementation, and individual tactical elements, leading us to suspect that there is likely no direct connection between the groups, but rather deliberate mimicry,”
— Russian security vendor F6
Related Activity: Cloud Atlas
Another hacking group, Cloud Atlas, has also targeted Russian entities. They use phishing emails with malicious Word documents to distribute custom malware known as VBShower and VBCloud.
“When opened, the malicious document loads a remote template from C2 specified in one of the document’s streams,”
— Cybersecurity company Solar
“This template exploits the CVE‑2018‑0802 vulnerability. This is followed by downloading a malicious file with alternate streams, i.e., VBShower.”
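Both kinds of Office lure on this page leave a trace in the document container: the UnsolicitedBooker documents need a VBA project for the Enable Content macro to exist at all, and a remote-template document needs an external attachedTemplate relationship pointing at the C2. The following added example (not code from Solar, Positive Technologies or the malware authors) inspects an OOXML package (.docx/.docm) for both. Solar's wording about a URL in one of the document's streams points at the legacy OLE .doc container, which this example does not parse, so the location used here (word/_rels/settings.xml.rels) is an assumption about the modern equivalent; the CVE‑2018‑0802 exploit would live in the fetched template, and what the carrier shows is only the external reference. The sample packages and the 203.0.113.5 URL are constructed.

```python
"""Look inside an OOXML Word document for two lure traits: an externally
attached template (remote template injection) and an embedded VBA project.
Added example; the documents are built in memory as minimal skeletons."""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
REMOTE_PREFIXES = ("http://", "https://", "file://", "\\\\")


def inspect_docx(blob):
    """Return a list of findings; an empty list means nothing of interest."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        names = z.namelist()
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("vba-project")            # what Enable Content would run
        for n in names:
            if not n.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(n))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode") != "External":
                    continue                          # internal part references are normal
                target = rel.get("Target", "")
                kind = rel.get("Type", "").rsplit("/", 1)[-1]
                if kind == "attachedTemplate":
                    findings.append(f"remote-template:{target}")
                elif target.lower().startswith(REMOTE_PREFIXES):
                    findings.append(f"external-{kind}:{target}")   # e.g. oleObject, hyperlink
    return findings


def build_docx(template_target=None, with_macro=False):
    """Minimal package skeleton: enough for the inspector, not for Word itself."""
    def rels(*items):
        body = "".join(f'<Relationship Id="rId{i}" Type="{t}" Target="{tg}"{extra}/>'
                       for i, (t, tg, extra) in enumerate(items, 1))
        return f'<Relationships xmlns="{REL_NS}">{body}</Relationships>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("_rels/.rels", rels((OFFICE_REL + "officeDocument", "word/document.xml", "")))
        z.writestr("word/document.xml", "<document/>")
        settings = ([(OFFICE_REL + "attachedTemplate", template_target, ' TargetMode="External"')]
                    if template_target else [])
        z.writestr("word/_rels/settings.xml.rels", rels(*settings))
        if with_macro:   # stand-in for a real OLE container holding the VBA project
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\0" * 28)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_docx(build_docx()))
    print(inspect_docx(build_docx(template_target="http://203.0.113.5/tariff.dotm")))
    print(inspect_docx(build_docx(with_macro=True)))
```

Run it over a mailbox quarantine with `inspect_docx(open(path, "rb").read())`; an `attachedTemplate` relationship whose target is a URL rather than a local `.dotm` path is the observable for remote template injection, and the fetched template, not the carrier, is where any exploit or macro payload would sit.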