

Ethical Hacking News

The UnsolicitedBooker APT: Unraveling the Ties Between China-Linked Threat Actors



Chinese Hackers Deploy MarsSnake Backdoor in Multi-Year Attack on Saudi Organization
ESET has attributed a multi-year series of intrusion attempts against an unnamed international organization in Saudi Arabia to a China-aligned threat actor it tracks as UnsolicitedBooker. The group relies on spear-phishing emails that use a fake flight booking as the decoy and on backdoors such as Chinoxy, DeedRAT, Poison Ivy and BeRAT, tools that circulate among several Chinese hacking crews; its latest campaign delivered a backdoor named MarsSnake. ESET also reports overlaps between UnsolicitedBooker and Space Pirates, and the same reporting profiles another China-aligned group, DigitalRecyclers. This article summarizes the tactics reported for UnsolicitedBooker and how its tooling relates to other Chinese groups.

  • UnsolicitedBooker is a China-aligned threat actor that ESET has tied to repeated intrusion attempts against a single international organization in Saudi Arabia between March 2023 and January 2025.
  • The group uses spear-phishing emails with flight-booking decoys and backdoors including Chinoxy, DeedRAT, Poison Ivy and BeRAT, all of which are shared across several Chinese hacking crews.
  • UnsolicitedBooker was first observed in March 2023; its January 2025 campaign used a macro-laden Word document to drop a loader for the MarsSnake backdoor.
  • ESET reports overlaps between UnsolicitedBooker and Space Pirates; DigitalRecyclers is a separate China-aligned group covered in the same reporting.
  • DigitalRecyclers is believed to have been active since at least 2018 and uses tools such as the RClient implant and the GiftBox and HydroRShell backdoors.
  • Likely targets should block or inspect macro-enabled Office attachments, alert on the loader name and C&C domain published for this campaign, and train staff to treat unexpected booking confirmations as suspect.


    UnsolicitedBooker is a China-aligned threat actor whose activity ESET has tracked since 2023. This article looks at the tactics reported for the group and at how its tooling and targeting relate to other Chinese hacking crews.

    According to ESET, a Slovak cybersecurity company, UnsolicitedBooker was first discovered in March 2023, when it targeted an unnamed international organization in Saudi Arabia. The attack involved spear-phishing emails, which were laced with a flight ticket as a decoy, and the use of backdoors such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT, which are commonly used by Chinese hacking crews.

    The latest campaign, spotted by ESET in January 2025, used a phishing email purporting to come from Saudia Airlines and sent to the same Saudi organization about a flight booking. The attached Microsoft Word document carried a VBA macro which, once the recipient enabled macros, decoded an embedded executable and wrote it to disk as "smssdrvhost.exe"; that file is a loader for MarsSnake, a backdoor that communicates with a remote server at "contact.decenttoy[.]top". Because Microsoft now blocks macros in Office files downloaded from the internet by default, the chain depends on the user clicking through that warning, so the plausibility of the booking lure is doing most of the work.
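    The chain above gives a defender three concrete things to hunt for: Word writing an executable to a user-writable path (and, if the macro also launches it, spawning that executable), the loader file name, and DNS lookups for the C&C domain. The following Python is an added example written for this article, not ESET's code or any tooling from the report; the JSON event schema and the telemetry lines are constructed for illustration, loosely modelled on Sysmon process-creation, file-creation and DNS events.

```python
"""Hunt for the MarsSnake delivery chain in endpoint and DNS telemetry.

Added example for this article; not ESET's tooling. The event schema
(type, host, ts, image, parent_image, target, query) is an assumption,
loosely modelled on Sysmon events exported as JSON lines, and the sample
events below are constructed.
"""
import json

# Indicators taken from the chain described in the article: the dropped
# loader and the C&C host (given defanged on the page).
LOADER_NAME = "smssdrvhost.exe"
C2_HOST_DEFANGED = "contact.decenttoy[.]top"


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable hostname."""
    return indicator.replace("[.]", ".").strip().lower()


C2_HOST = refang(C2_HOST_DEFANGED)
# Also treat any name under the registered domain as suspicious. Taking the
# last two labels is a simplification (no public-suffix handling) and an
# editorial choice that widens the net beyond the single host on the page.
C2_ZONE = ".".join(C2_HOST.split(".")[-2:])

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if none)."""
    hits = []
    kind = event.get("type")
    if kind == "process_create":
        image, parent = event["image"], event.get("parent_image", "")
        if basename(image) == LOADER_NAME:
            hits.append("known_loader_executed")
        # An Office app spawning a binary from a user-writable path is the
        # generic form of "macro wrote a loader and ran it", name-independent.
        if basename(parent) in OFFICE_APPS and any(tok in image.lower() for tok in USER_WRITABLE):
            hits.append("office_spawned_user_writable_exe")
    elif kind == "file_create":
        target = event["target"]
        if basename(target) == LOADER_NAME:
            hits.append("known_loader_dropped")
        if basename(event["image"]) in OFFICE_APPS and target.lower().endswith(".exe"):
            hits.append("office_wrote_executable")
    elif kind == "dns_query":
        query = event["query"].lower().rstrip(".")
        if query == C2_ZONE or query.endswith("." + C2_ZONE):
            hits.append("c2_domain_lookup")
    return hits


def hunt(jsonl: str) -> list[tuple[str, str, str, str]]:
    """Evaluate every JSON line and return (host, ts, rule, evidence) tuples."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        evidence = ev.get("query") or ev.get("target") or ev.get("image", "")
        for rule in evaluate(ev):
            findings.append((ev["host"], ev["ts"], rule, evidence))
    return findings


# Constructed sample telemetry for one workstation. The first four events
# reproduce the chain from the article; the rest are benign look-alikes.
_OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
_LOADER = r"C:\Users\alice\AppData\Roaming\smssdrvhost.exe"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"ts": "2025-01-14T09:12:03Z", "host": "WS-017", "type": "process_create",
     "image": _OFFICE, "parent_image": r"C:\Windows\explorer.exe"},
    {"ts": "2025-01-14T09:12:41Z", "host": "WS-017", "type": "file_create",
     "image": _OFFICE, "target": _LOADER},
    {"ts": "2025-01-14T09:12:42Z", "host": "WS-017", "type": "process_create",
     "image": _LOADER, "parent_image": _OFFICE},
    {"ts": "2025-01-14T09:12:45Z", "host": "WS-017", "type": "dns_query",
     "image": _LOADER, "query": "contact.decenttoy.top"},
    {"ts": "2025-01-14T09:13:10Z", "host": "WS-017", "type": "dns_query",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "query": "www.example.com"},
    {"ts": "2025-01-14T09:13:30Z", "host": "WS-017", "type": "process_create",
     "image": r"C:\Windows\splwow64.exe", "parent_image": _OFFICE},  # print helper under C:\Windows
    {"ts": "2025-01-14T09:14:02Z", "host": "WS-017", "type": "dns_query",
     "image": _LOADER, "query": "cdn.notdecenttoy.top"},  # must not match the zone
    {"ts": "2025-01-14T09:14:30Z", "host": "WS-017", "type": "dns_query",
     "image": _LOADER, "query": "decenttoy.top."},  # apex, trailing dot
])

if __name__ == "__main__":
    for host, ts, rule, evidence in hunt(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}: {evidence}")
```

    The name-independent rules (an Office process writing or spawning an executable in a user-writable path) are the ones worth keeping after this campaign's indicators go stale; the splwow64.exe event shows why the path check matters, since Word legitimately spawns helpers from C:\Windows. Apex-domain matching is deliberately broad and will need a public-suffix list before it is used against real DNS logs.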

    UnsolicitedBooker's tradecraft is consistent across the campaigns ESET observed: a spear-phishing email with a flight-booking decoy, a malicious document, and a backdoor that calls home to attacker-controlled infrastructure. On the basis of that tooling and targeting, ESET reports overlaps between UnsolicitedBooker and other China-aligned groups, notably Space Pirates. DigitalRecyclers, described next, is another China-aligned group covered in the same ESET reporting.

    DigitalRecyclers was first detected by ESET in 2021 and is believed to have been active since at least 2018. The group operates within the APT15 galaxy, and its toolset includes the RClient implant and the GiftBox and HydroRShell backdoors. HydroRShell, introduced in September 2023, uses Google's Protobuf to serialize its messages and Mbed TLS to encrypt its C&C communications.

    Tooling overlap is how these connections get drawn, and it cuts both ways. Backdoors such as Chinoxy, DeedRAT, Poison Ivy and BeRAT circulate among several Chinese crews, so shared malware on its own is weak evidence of a shared operator; attribution assessments weigh it alongside infrastructure and targeting, and the overlaps ESET reports should be read as that kind of assessment rather than as proof of a single organization behind the names.

    The practical lesson is about persistence rather than sophistication. Everything in the chain described here is well-worn: a themed lure, a macro-enabled document, a dropped loader and a backdoor. What distinguishes the case is that the same organization was approached repeatedly over nearly two years. Defenders at likely targets should treat booking- and travel-themed attachments with suspicion, keep Office's default macro blocking in place, make sure endpoint protection can see executables written by Office processes, and alert on the loader name and C&C domain published for this campaign.

    The repeat attempts also underline the value of sharing intelligence. Indicators and tradecraft such as those ESET has published are only useful to other potential targets once they are turned into detections, and organizations in the same sector or region are best placed to compare notes on lures they are receiving.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-UnsolicitedBooker-APT-Unraveling-the-Ties-Between-China-Linked-Threat-Actors-ehn.shtml

  • Published: Tue May 20 06:00:03 2025 by llama3.2 3B Q4_K_M

    © Ethical Hacking News . All rights reserved.