In today’s digital battleground, state-sponsored cyber espionage continues to escalate, with sophisticated threat actors relentlessly targeting governments and organizations worldwide. One such group, UnsolicitedBooker—a China-linked Advanced Persistent Threat (APT)—has recently caught the attention of cybersecurity experts due to its persistent attacks against an international organization based in Saudi Arabia. Using a new malware strain called MarsSnake and clever spear-phishing tactics disguised as flight ticket notifications, this group exemplifies the evolving cyber threat landscape. This article delves into the latest findings by ESET researchers, exploring UnsolicitedBooker’s methods, motives, and implications for global cybersecurity.
Overview of the UnsolicitedBooker Attacks
ESET researchers uncovered a series of cyberattacks orchestrated by UnsolicitedBooker, a China-linked APT group, targeting an international organization in Saudi Arabia. These attacks were observed in March 2023 and resurfaced in early 2024, highlighting the group’s persistence and focused interest in this particular entity. UnsolicitedBooker employs spear-phishing emails using fake flight ticket lures as bait, exploiting human trust and curiosity to deliver malicious payloads.
The malware toolkit of UnsolicitedBooker is notably diverse, including backdoors such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT—tools commonly linked to Chinese state-sponsored groups. The shared usage of these backdoors across multiple threat actors suggests collaboration or code reuse within this cyber espionage ecosystem. Their attacks are not limited to Saudi Arabia; they have targeted government institutions across Asia, Africa, and the Middle East, signaling a broad strategic interest in these regions.
A defining characteristic of these campaigns is the use of custom file stealers, emphasizing espionage and data theft as the primary motivation behind the attacks. The spear-phishing emails often impersonate well-known airlines, like Saudia Airlines, and contain attachments such as Word documents embedded with malicious VBA macros. These macros drop the newly identified MarsSnake backdoor loader, which was saved under the filename “smssdrvhost.exe.” The attackers maintain contact with their Command and Control (C&C) server, identified as contact.decenttoy[.]top, to manage their malware remotely.
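The delivery step described above, a Word attachment carrying a VBA macro, is something a mail gateway can screen for without opening the document. The following is an added example written for this article, not code from ESET or from the report: a heuristic attachment check that flags macro-bearing Office files, either modern OOXML containers (where macros live in a vbaProject.bin part) or legacy OLE2 binaries (where a "_VBA_PROJECT" stream name appears in the directory). The sample attachments and their file names are constructed in the code; the OLE2 sample is a stand-in with the correct magic bytes, not a real document.

```python
import io
import zipfile

# OLE2 compound-file signature used by legacy .doc/.xls files.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store stream names as UTF-16LE; these two names
# accompany VBA projects in Word binaries. Heuristic, not a full OLE parser.
OLE2_VBA_MARKERS = [name.encode("utf-16-le") for name in ("_VBA_PROJECT", "Macros")]
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return a verdict on whether an Office attachment carries VBA macros."""
    verdict = {"filename": filename, "container": "unknown", "has_vba": False, "evidence": []}

    if data.startswith(b"PK\x03\x04"):
        # OOXML: inspect the ZIP directory for a vbaProject.bin part.
        verdict["container"] = "ooxml"
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                macro_parts = [n for n in zf.namelist() if n.lower().endswith("vbaproject.bin")]
        except zipfile.BadZipFile:
            verdict["evidence"].append("malformed zip container")
            return verdict
        if macro_parts:
            verdict["has_vba"] = True
            verdict["evidence"].extend(macro_parts)
            # Macro-free formats must never carry a macro part; the mismatch
            # itself is a signal that the extension was chosen to look harmless.
            if filename.lower().endswith(MACRO_FREE_EXTENSIONS):
                verdict["evidence"].append("macro part inside macro-free extension")

    elif data.startswith(OLE2_MAGIC):
        # Legacy binary format: look for VBA-related stream names in the raw bytes.
        verdict["container"] = "ole2"
        for marker in OLE2_VBA_MARKERS:
            if marker in data:
                verdict["has_vba"] = True
                verdict["evidence"].append(marker.decode("utf-16-le") + " stream name present")

    return verdict


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like zip; real documents contain many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)  # placeholder bytes, constructed
    return buf.getvalue()


def build_sample_ole2(with_macro: bool) -> bytes:
    """Constructed stand-in for a legacy .doc: correct magic, fake directory names."""
    body = OLE2_MAGIC + b"\x00" * 64 + "WordDocument".encode("utf-16-le")
    if with_macro:
        body += b"\x00" * 16 + "_VBA_PROJECT".encode("utf-16-le")
    return body


# Constructed attachment set: file names are invented for the demonstration.
SAMPLES = [
    ("flight_ticket.docm", build_sample_ooxml(True)),
    ("itinerary.docx", build_sample_ooxml(True)),      # macro part behind a .docx name
    ("boarding_pass.docx", build_sample_ooxml(False)),
    ("e-ticket.doc", build_sample_ole2(True)),
    ("receipt.doc", build_sample_ole2(False)),
]


def triage(samples=SAMPLES):
    """Inspect every attachment and return the list of verdicts."""
    return [inspect_office_attachment(name, data) for name, data in samples]


if __name__ == "__main__":
    for verdict in triage():
        print(verdict)
```

The OOXML branch is exact (the ZIP directory either lists a macro part or it does not), while the OLE2 branch is a string heuristic and should be backed by a proper OLE parser in production; the point of the check is to quarantine or sandbox macro-bearing lures before they reach a user who might click "Enable Content".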
The repetition of attack attempts from 2023 through 2025 against the same target underscores the high value this organization holds for UnsolicitedBooker. The reuse of phishing tactics, including the flight ticket lure and malicious macro payloads, also reveals the group’s operational patterns and resilience in adapting to defensive measures.
What Undercode Says: Analyzing UnsolicitedBooker’s Tactics and Threat Landscape
UnsolicitedBooker’s campaigns are a textbook example of targeted, persistent cyber espionage. Their approach combines social engineering with advanced malware deployment, reflecting a sophisticated understanding of both human psychology and technical exploitation.
The repeated use of spear-phishing emails with highly convincing lures such as flight tickets is particularly concerning. This tactic preys on busy professionals and government officials who may expect such notifications regularly, increasing the likelihood of a successful breach. The malicious attachments cleverly mimic legitimate documents, embedding VBA macros that often evade traditional antivirus detection by activating only when the user enables macros.
MarsSnake, the new backdoor identified by ESET, signifies an evolution in UnsolicitedBooker’s arsenal. Its stealthy loader and persistent nature allow attackers to maintain long-term access to compromised systems, facilitating data exfiltration and reconnaissance. The use of familiar malware frameworks like Chinoxy and Poison Ivy alongside MarsSnake suggests that UnsolicitedBooker leverages both tried-and-tested tools and cutting-edge innovations to stay ahead of defenders.
From an operational perspective, the choice of Saudi Arabia as a persistent target could be driven by geopolitical interests, especially considering the country’s strategic regional importance and growing role in international affairs. The overlap of UnsolicitedBooker with other threat actors such as Space Pirates and those using the Zardoor backdoor hints at a complex web of cyber espionage groups potentially sharing resources or overlapping targets.
For cybersecurity teams, this case highlights the critical need for robust email security, user awareness training, and advanced endpoint detection systems capable of identifying and mitigating VBA macro-based malware. Continuous monitoring of network traffic for communications with suspicious C&C servers like contact.decenttoy[.]top is also essential.
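To make the monitoring advice above concrete, here is an added example (written for this article, not code from ESET or the reporting source) that runs the two indicators the article names, the C&C domain contact.decenttoy[.]top and the loader file name smssdrvhost.exe, over endpoint telemetry. It also carries one behavioural rule derived from the described chain: an executable spawned directly by WINWORD.EXE, which is how a macro-dropped loader first appears. The JSON-lines event schema, host names and file paths are constructed for the demonstration; real DNS and process-creation logs would need a small adapter.

```python
import json

# Indicators named in the report, kept defanged as published and refanged for matching.
C2_DOMAIN = "contact.decenttoy[.]top"
LOADER_NAME = "smssdrvhost.exe"


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(queried: str, c2: str) -> bool:
    """True for the C2 domain itself or any label beneath it."""
    q = queried.rstrip(".").lower()
    return q == c2 or q.endswith("." + c2)


def scan_events(lines):
    """Apply the indicators to JSON-lines telemetry and return alerts.

    Two constructed event kinds are assumed (not a vendor schema):
      dns     : {"type":"dns","host":...,"query":...}
      process : {"type":"process","host":...,"image":...,"parent_image":...,"cmdline":...}
    """
    c2 = refang(C2_DOMAIN)
    alerts = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            # Keep a record of lines the pipeline could not parse rather than dropping them silently.
            alerts.append({"severity": "info", "rule": "unparseable-line", "line": raw})
            continue

        if ev.get("type") == "dns" and domain_matches(ev.get("query", ""), c2):
            alerts.append({"severity": "high", "rule": "known-c2-domain",
                           "host": ev.get("host"), "query": ev["query"]})

        elif ev.get("type") == "process":
            image = ev.get("image", "").lower()
            parent = ev.get("parent_image", "").lower()
            # Exact match on the final path component of the launched image.
            if image.rsplit("\\", 1)[-1] == LOADER_NAME:
                alerts.append({"severity": "high", "rule": "known-loader-filename",
                               "host": ev.get("host"), "image": ev["image"]})
            # Behavioural rule: a Word macro that drops a loader shows up as
            # WINWORD.EXE becoming the parent of a fresh executable.
            if parent.endswith("winword.exe") and image.endswith(".exe") and not image.endswith("winword.exe"):
                alerts.append({"severity": "medium", "rule": "office-spawned-executable",
                               "host": ev.get("host"), "image": ev["image"],
                               "parent_image": ev["parent_image"]})
    return alerts


# Constructed telemetry: hosts, paths and the benign domains are invented; the
# C2 domain and loader name are the indicators published in the report.
SAMPLE_LOG = r"""
{"type":"dns","host":"WS-FIN-07","query":"www.example.com"}
{"type":"dns","host":"WS-FIN-07","query":"contact.decenttoy.top"}
{"type":"process","host":"WS-FIN-07","image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","parent_image":"C:\\Windows\\explorer.exe","cmdline":"WINWORD.EXE flight_ticket.doc"}
{"type":"process","host":"WS-FIN-07","image":"C:\\Users\\user\\AppData\\Roaming\\smssdrvhost.exe","parent_image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","cmdline":"smssdrvhost.exe"}
{"type":"dns","host":"WS-HR-02","query":"update.vendor.example"}
not json at all
"""


def run_demo():
    """Scan the constructed log and return the alerts, high severity first in input order."""
    return scan_events(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

The indicator rules are cheap and precise but age quickly once the actor rotates infrastructure or renames the loader; the WINWORD.EXE parent-child rule is the one that keeps catching the same technique with a new file name, at the cost of occasional benign hits (printer helpers, add-in updaters) that an analyst tunes out by parent and path.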
In a broader sense, these attacks reaffirm that APT groups remain highly motivated and adaptive, leveraging a mix of social engineering and sophisticated malware to infiltrate high-value targets. Organizations must adopt multi-layered defense strategies and threat intelligence sharing to counteract these evolving threats effectively.
Fact Checker Results ✅🔍
UnsolicitedBooker’s spear-phishing campaigns have been independently verified by multiple cybersecurity firms.
The MarsSnake backdoor’s existence and file indicators have been confirmed through ESET’s technical analysis.
Repeated targeting of the Saudi Arabian organization demonstrates a sustained espionage interest rather than opportunistic attacks.
Prediction 🔮
Given the increasing sophistication and persistence of UnsolicitedBooker, it is highly likely that their campaigns will continue to evolve, incorporating even more advanced malware variants and social engineering tactics. Future attacks may target additional high-profile organizations in the Middle East and beyond, potentially leveraging emerging technologies such as AI-powered phishing and zero-day exploits to bypass traditional defenses. Proactive threat hunting and international cooperation will become critical to mitigate these escalating cyber espionage threats.
References:
Reported By: securityaffairs.com