Ethical Hacking News

The UnsolicitedBooker APT: Unraveling the Mystery of China's Spear-Phishing Campaigns



Researchers have uncovered a new backdoor called MarsSnake being used by the China-linked APT group UnsolicitedBooker in recent attacks on government organizations in Asia, Africa, and the Middle East. The group is known for spear-phishing emails that use fake flight ticket lures to breach systems.

  • UnsolicitedBooker, a Chinese cyber espionage group, has been targeting government organizations in Asia, Africa, and the Middle East with spear-phishing emails.
  • The group uses fake flight ticket lures to breach systems and has reused the same ticket decoy from earlier attacks.
  • A new backdoor called MarsSnake was discovered being used by UnsolicitedBooker in their attacks.
  • The threat actors are believed to be motivated by espionage and data theft.
  • UnsolicitedBooker overlaps with other Chinese APT groups, suggesting a larger network of collaborative threat actors.
  • The group has launched multiple spear-phishing attacks against the same target, indicating a strong interest in compromising that organization.



    A China-linked group of hackers dubbed UnsolicitedBooker has been running a sophisticated cyber espionage campaign against government organizations in Asia, Africa, and the Middle East, using spear-phishing emails with fake flight ticket lures to breach systems. In a recent development, researchers have uncovered evidence of a new backdoor called MarsSnake being used by UnsolicitedBooker in their attacks.

    The research was conducted by ESET, which tracked the activity of UnsolicitedBooker back in 2023 and again in 2024. According to the report, the group targeted an international organization in Saudi Arabia using spear-phishing emails with fake flight ticket lures to breach systems. The attack was part of a larger campaign that saw UnsolicitedBooker reuse the same ticket decoy from earlier attacks, embedding a VBA macro that drops a MarsSnake backdoor loader.

    The payload is saved as smssdrvhost.exe, and PDB paths confirm the MarsSnake name. The threat actors used the C&C server contact.decenttoy.top. Two more phishing attempts were also detected at the same target. This suggests that UnsolicitedBooker was using a new backdoor to maintain persistence on the compromised systems.

    UnsolicitedBooker has repeatedly targeted government organizations in Asia, Africa, and the Middle East, using spear-phishing emails to deliver malware. Its toolkit includes backdoors such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT, which are commonly associated with Chinese APT groups. The group has also deployed custom file stealers, which leads ESET to assess that the threat actor's motivation is espionage and data theft.

    The report notes that UnsolicitedBooker overlaps with both Space Pirates and an unnamed threat actor that uses the Zardoor backdoor. This suggests that UnsolicitedBooker may be part of a larger network of Chinese APT groups working together to achieve their objectives.

    In January 2025, UnsolicitedBooker launched another spear-phishing attack against the same Saudi organization it had previously targeted. The phishing email, impersonating the airline Saudia, came from saudia.etickets@outlook[.]com and carried a fake flight ticket in a Word document that was based on a PDF taken from Academia.edu.

    The multiple attempts at compromising this organization in 2023, 2024, and 2025 indicate a strong interest by UnsolicitedBooker in this specific target. The report concludes that UnsolicitedBooker is a sophisticated group of hackers who are determined to compromise high-profile targets using spear-phishing campaigns.
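The infection chain described above (flight-ticket lure with a VBA macro, the smssdrvhost.exe loader, a beacon to contact.decenttoy.top) can be turned into a host-level correlation check. The following Python is an added example, not ESET's or the article's code: the indicators are the ones reported in the article, while the log records, their field names, and the host names are constructed for illustration.

```python
"""Correlate the MarsSnake chain from the article (ticket lure -> macro drops
smssdrvhost.exe -> DNS for contact.decenttoy.top) across email, process and
DNS telemetry per host.  Log records below are constructed sample data."""
from collections import defaultdict

def refang(indicator):
    """Turn a defanged indicator such as 'outlook[.]com' into a matchable string."""
    return indicator.replace("[.]", ".")

LURE_SENDER = refang("saudia.etickets@outlook[.]com")   # January 2025 phishing sender
LOADER_IMAGE = "smssdrvhost.exe"                         # MarsSnake loader file name
C2_DOMAIN = "contact.decenttoy.top"                      # reported C&C server

# Constructed sample telemetry: (source, host, fields) as a SIEM might export it.
SAMPLE_EVENTS = [
    ("email", "ws-17", {"from": "Saudia.ETickets@outlook.com", "attachment": "eTicket.doc", "macro": True}),
    ("process", "ws-17", {"image": r"C:\Users\Public\smssdrvhost.exe", "parent": "WINWORD.EXE"}),
    ("dns", "ws-17", {"query": "contact.decenttoy.top."}),
    ("email", "ws-22", {"from": "travel@corp.example", "attachment": "itinerary.pdf", "macro": False}),
    ("email", "ws-40", {"from": "hr@corp.example", "attachment": "form.docm", "macro": True}),
]

def match_stage(source, fields):
    """Return the chain stage an event matches ('lure', 'loader', 'c2') or None."""
    if source == "email":
        sender_hit = fields["from"].lower() == LURE_SENDER
        macro_doc = fields["macro"] and fields["attachment"].lower().endswith((".doc", ".docm"))
        return "lure" if (sender_hit or macro_doc) else None
    if source == "process":
        # Compare only the file name so the drop directory does not matter.
        return "loader" if fields["image"].lower().rsplit("\\", 1)[-1] == LOADER_IMAGE else None
    if source == "dns":
        return "c2" if fields["query"].lower().rstrip(".") == C2_DOMAIN else None
    return None

def correlate(events):
    """Collect the distinct stages seen per host, sorted for stable output."""
    hits = defaultdict(set)
    for source, host, fields in events:
        stage = match_stage(source, fields)
        if stage:
            hits[host].add(stage)
    return {host: sorted(stages) for host, stages in hits.items()}

def triage(events):
    """All three stages on one host -> 'confirmed'; any partial match -> 'suspect'."""
    return {host: ("confirmed" if len(stages) == 3 else "suspect")
            for host, stages in correlate(events).items()}
```

A host that only shows a macro-bearing Word attachment is flagged as a suspect for analyst review, while a host showing lure, loader and C&C lookup together is reported as a confirmed match of the chain.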



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-UnsolicitedBooker-APT-Unraveling-the-Mystery-of-Chinas-Spear-Phishing-Campaigns-ehn.shtml

  • https://securityaffairs.com/178105/malware/china-linked-unsolicitedbooker-used-new-backdoor-marssnake.html

  • https://thehackernews.com/2025/05/chinese-hackers-deploy-marssnake.html


  • Published: Tue May 20 08:37:21 2025 by llama3.2 3B Q4_K_M