UnsolicitedBooker Shifts Focus to Central Asian Telecoms with Evolving Backdoor Arsenal
#Regulation


Security Reporter

China-aligned threat actor UnsolicitedBooker is targeting telecom companies in Kyrgyzstan and Tajikistan with LuciDoor and MarsSnake backdoors, shifting tactics and tools while mimicking Russian infrastructure.


The China-aligned threat actor known as UnsolicitedBooker has expanded its targeting to telecommunications providers in Kyrgyzstan and Tajikistan, deploying two sophisticated backdoors called LuciDoor and MarsSnake. This represents a strategic shift from the group's previous focus on Saudi Arabian targets, according to new research from Positive Technologies.

Alexander Badaev and Maxim Shamanov, security researchers at Positive Technologies, noted: "The group used several unique and rare instruments of Chinese origin." Their analysis reveals the actor's evolving tactics, including switching between backdoors and repurposing infrastructure to appear Russian-aligned. First documented by ESET in May 2025, UnsolicitedBooker has operated since at least March 2023, targeting organizations across Asia, Africa, and the Middle East.

Attack Methodology and Malware Evolution

The attacks begin with phishing emails containing malicious Microsoft Office documents. When victims enable content, macros execute malware loaders that deploy the final payloads:

  • LuciDoor: Deployed via LuciLoad loader, this C++ backdoor collects system information, executes commands via cmd.exe, and exfiltrates data using encrypted communications with command-and-control servers
  • MarsSnake: Distributed through MarsSnakeLoader or directly via malicious LNK files, it performs similar functions but with infrastructure mimicking patterns previously used by Mustang Panda

Positive Technologies observed the group alternating between these tools, using LuciDoor initially, switching to MarsSnake, then reverting to LuciDoor in 2026. The MarsSnake attacks employed Windows shortcut files (.lnk) disguised as Word documents, leveraging techniques similar to the FTPlnk_phishing pentesting tool.

Infrastructure Tactics and Regional Shift

The group demonstrated advanced operational security by:

  • Using compromised routers as command-and-control servers
  • Masking infrastructure to appear Russian-originated
  • Shifting from direct email attachments to embedded document links

This infrastructure deception complicates attribution, while the shift in targeting toward Central Asian telecoms suggests a strategic interest in regional communications infrastructure.

Practical Defense Recommendations

Telecommunications companies and high-risk organizations should implement these protective measures:

  1. Disable Office macros by default through Group Policy or endpoint security tools
  2. Implement LNK file restrictions using application control policies
  3. Monitor for suspicious network traffic to unexpected geographical locations
  4. Conduct phishing simulations focusing on document-enabled attacks
  5. Deploy behavioral detection for unusual child process spawning (e.g., cmd.exe from Office apps)
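Two of the recommendations above (restricting LNK files disguised as documents, and detecting Office applications spawning cmd.exe) can be prototyped as simple detection rules over endpoint telemetry. The script below is an added example written for this article, not code from Positive Technologies or from their report; the event records and file names are constructed to resemble Sysmon-style process-creation and file-creation events, the parent/child process lists are assumptions, and the field names are illustrative rather than taken from any specific product.

```python
"""Detection sketch for two behaviours described in the article:
 (1) an Office application spawning a command interpreter, and
 (2) a Windows shortcut (.lnk) whose name ends in a document extension.
All events below are constructed sample telemetry, not real data."""

from typing import Dict, Iterable, List, Tuple

# Assumed parent/child process lists; tune to your environment.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe"}
# Document extensions an LNK might impersonate (e.g. "report.docx.lnk").
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf")


def basename(path: str) -> str:
    """Return the lower-cased final path component, accepting \\ or / separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawns_shell(event: Dict[str, str]) -> bool:
    """True when an Office parent launches one of the suspicious interpreters."""
    return (basename(event["ParentImage"]) in OFFICE_PARENTS
            and basename(event["Image"]) in SUSPICIOUS_CHILDREN)


def lnk_masquerades_as_document(filename: str) -> bool:
    """True for names like 'Invoice.docx.lnk': the real extension is .lnk but the
    visible stem carries a document extension (Windows hides .lnk by default)."""
    name = basename(filename)
    if not name.endswith(".lnk"):
        return False
    stem = name[:-len(".lnk")].rstrip()  # ignore padding spaces before .lnk
    return stem.endswith(DOC_EXTENSIONS)


def scan(events: Iterable[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Run both rules over a stream of events and return (rule, artefact) alerts."""
    alerts: List[Tuple[str, str]] = []
    for ev in events:
        if ev["type"] == "process" and office_spawns_shell(ev):
            alerts.append(("office_child_process", ev["Image"]))
        elif ev["type"] == "file" and lnk_masquerades_as_document(ev["TargetFilename"]):
            alerts.append(("lnk_masquerade", ev["TargetFilename"]))
    return alerts


# Constructed sample telemetry: two should alert, three should not.
SAMPLE_EVENTS = [
    {"type": "process",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # alert
    {"type": "process",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # user opened a shell
    {"type": "process",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe"},                           # printing helper
    {"type": "file",
     "TargetFilename": r"C:\Users\victim\Downloads\Invoice_Q3.docx.lnk"},  # alert
    {"type": "file",
     "TargetFilename": r"C:\Users\victim\Desktop\Word.lnk"},         # ordinary shortcut
]

if __name__ == "__main__":
    for rule, artefact in scan(SAMPLE_EVENTS):
        print(f"[{rule}] {artefact}")
```

In production the same two predicates map directly onto a SIEM rule or an EDR custom detection: the parent/child pair is the behavioural signal recommendation 5 asks for, and the double-extension check is a cheap pre-filter for the LNK restriction in recommendation 2. Expect some benign Office child processes (printing and update helpers, as in the sample), so key the alert on the interpreter list rather than on any child at all.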

Security teams should prioritize detection of LuciDoor and MarsSnake loader patterns, which include specific registry key modifications and temporary file creation behaviors documented in Positive Technologies' full report. The group's infrastructure deception techniques underscore the importance of validating geographical attribution indicators through multiple sources.

Russian organizations face parallel threats from:

  • PseudoSticky: Mimicking pro-Ukrainian group Sticky Werewolf while deploying DarkTrack RAT
  • Cloud Atlas: Exploiting CVE-2018-0802 vulnerability to deliver VBShower malware

These developments highlight the need for sector-specific defenses in telecommunications and critical infrastructure, where geopolitical targeting continues to evolve.
