The China-aligned threat actor UnsolicitedBooker has shifted to targeting telecommunications companies in Kyrgyzstan and Tajikistan using phishing emails that deploy the LuciDoor and MarsSnake backdoors. The group, active since at least 2023, uses rare tools of Chinese origin and has shown tactical overlaps with other clusters. Researchers note the group has alternated between using the LuciDoor and MarsSnake backdoors and has employed hacked routers as command-and-control servers.
The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities.
The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to a report published by Positive Technologies last week.
"The group used several unique and rare instruments of Chinese origin," researchers Alexander Badaev and Maxim Shamanov said.
UnsolicitedBooker was first documented by ESET in May 2025, attributing the China-aligned threat actor to a cyber attack targeting an unnamed international organization in Saudi Arabia with a backdoor dubbed MarsSnake. The group is assessed to be active since at least March 2023 and has a history of targeting organizations in Asia, Africa, and the Middle East.
Further analysis of the threat actor has uncovered tactical overlaps with two other clusters, including Space Pirates and an as-yet-unattributed campaign targeting Saudi Arabia with another backdoor referred to as Zardoor.
The latest set of attacks documented by the Russian cybersecurity vendor was found to target Kyrgyz organizations in late September 2025 with phishing emails containing a Microsoft Office document, which, when opened, instructs recipients to "Enable Content" so as to run a malicious macro.
While the document displays a telecom provider's tariff plan to the victim, the macro stealthily drops a C++ malware loader called LuciLoad that, in turn, delivers LuciDoor. Another attack observed in late November 2025 adopted the same modus operandi, only this time it used a different loader codenamed MarsSnakeLoader to deploy MarsSnake.
As recently as January 2026, UnsolicitedBooker is said to have leveraged phishing emails as a vector to target companies in Tajikistan. While the overall attack chain remains the same, the messages embedded links to the decoy documents as opposed to directly attaching them.
Written in C++, LuciDoor establishes communication with a command-and-control (C2) server, collects basic system information, and exfiltrates the data to the server in encrypted format. It then parses the responses sent by the server to run commands using cmd.exe, write files to the system, and upload files.
MarsSnake, similarly, allows attackers to harvest system metadata, execute arbitrary commands, and read or write any file on disk.
Positive Technologies said it also found signs that MarsSnake was put to use in attacks targeting China. The starting point is a Windows shortcut that masquerades as a Microsoft Word document (*.doc.lnk) that triggers the execution of a batch script to launch a Visual Basic Script, which then launches MarsSnake without the loader component.
The decoy file is believed to be based on an LNK file associated with a publicly available pentesting tool called FTPlnk_phishing, owing to the identical LNK file creation time and Machine ID indicators. It's worth noting that a similar LNK file was put to use by the Mustang Panda group in attacks targeting Thailand in 2022.
"In their attacks, the group used rare tools of Chinese origin," Positive Technologies said. "Interestingly, at the very beginning, the group used a backdoor we dubbed LuciDoor, but later switched to the MarsSnake backdoor. However, in 2026, the group made a U-turn and resumed using LuciDoor."
"Furthermore, in at least one case, we observed the attackers using a hacked router as a C2 server, and their infrastructure mimicked that of Russia in some attacks."
When reached for comment, ESET told The Hacker News that it has not observed any new campaigns conducted by the threat actor since May 2025. But the Slovakian security company assessed with high confidence that UnsolicitedBooker is a China‑aligned cyber espionage group based on the tactics used, victimology patterns, and relevant non‑public data.
One such indicator is the use of known backdoors like Chinoxy, Deed RAT (a successor to ShadowPad, which itself is an evolution of PlugX), Poison Ivy, and BeRAT, all of which are shared among multiple China-aligned groups.
"Over the past several years, we have observed the group targeting entities in multiple countries, including Algeria, Belgium, Egypt, India, Mongolia, Saudi Arabia, and Taiwan." Matthieu Faou, senior malware researcher at ESET, said. "Their typical victims include government ministries, telecommunications providers, and legal professionals."
PseudoSticky and Cloud Atlas Target Russia
The disclosure comes as a previously unknown threat actor is deliberately mimicking the tactics of a pro-Ukrainian hacking group called Sticky Werewolf (aka Angry Likho, MimiStick, and PhaseShifters) to attack Russian organizations in the retail, construction, and research sectors with malware like RemcosRAT and DarkTrack RAT for comprehensive data theft and remote control.
The new group, referred to as PseudoSticky, has been active since November 2025. Victims are typically infected by phishing emails containing malicious attachments that lead to the deployment of the trojans. There are indications that the threat actor has relied on large language models (LLMs) to develop attack chains that drop DarkTrack RAT via PureCrypter.
"A closer analysis reveals differences in the infrastructure, malware implementation, and individual tactical elements, leading us to suspect that there is likely no direct connection between the groups, but rather deliberate mimicry," Russian security vendor F6 said.
Russian entities have also been targeted by another hacking group called Cloud Atlas, using phishing emails bearing malicious Word documents to distribute custom malware known as VBShower and VBCloud.
"When opened, the malicious document loads a remote template from C2 specified in one of the document's streams," cybersecurity company Solar said. "This template exploits the CVE-2018-0802 vulnerability. This is followed by downloading a malicious file with alternate streams, i.e., VBShower."
Meridiano
