Ethical Hacking News

UnsolicitedBooker: The Mysterious Threat Actor Behind LuciDoor and MarsSnake Backdoors



A mysterious threat actor known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan with the LuciDoor and MarsSnake backdoors. The group's use of Chinese-origin tools and tactics suggests a possible connection to previously attributed threat actors, while its deployment of two distinct backdoors raises concerns among cybersecurity experts.

  • The UnsolicitedBooker group has been deploying malicious backdoors in various regions, including Kyrgyzstan and Tajikistan.
  • The group uses two distinct backdoors codenamed LuciDoor and MarsSnake, with the latter being a more recent addition to their arsenal.
  • UnsolicitedBooker's tactics, techniques, and procedures (TTPs) show similarities with other threat actors like Space Pirates, but also have distinct differences.
  • The group uses phishing emails and rare Chinese-origin tools in its attacks.
  • The attacks are believed to have originated from a Windows shortcut masquerading as a Microsoft Word document.
  • UnsolicitedBooker's group has made a U-turn and resumed using LuciDoor after initially switching to MarsSnake backdoor.
  • The group's infrastructure mimics that of Russia, suggesting an attempt to create a sense of legitimacy or plausible deniability.
  • Researchers warn that UnsolicitedBooker's group may be planning to launch more sophisticated attacks in the future.



    The cybersecurity landscape has been abuzz with recent reports of an unknown threat actor, dubbed UnsolicitedBooker, which has been observed deploying malicious backdoors in various regions. According to a report by Positive Technologies, the group has been targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a significant shift from prior attacks aimed at Saudi Arabian entities.

    The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake. While the LuciDoor backdoor is not new, having been first documented by ESET in May 2025, its recent resurgence has caught the attention of researchers. The group's use of Chinese-origin tools and tactics suggests a possible connection to previously attributed threat actors.

    The MarsSnake backdoor, on the other hand, appears to be a more recent addition to UnsolicitedBooker's arsenal. According to Positive Technologies, the group used rare tools of Chinese origin in their attacks, including a Visual Basic Script that launches the MarsSnake backdoor without the loader component.

    Researchers have observed similarities between the tactics, techniques, and procedures (TTPs) employed by UnsolicitedBooker and those of other threat actors, such as Space Pirates. However, further analysis has revealed distinct differences in the infrastructure, malware implementation, and individual tactical elements used by the group.

    UnsolicitedBooker's use of phishing emails containing malicious attachments is a common tactic among threat actors. The group's approach to infecting victims' systems with malware appears to be similar to that of other China-aligned threat actors, who have been observed targeting organizations in Asia, Africa, and the Middle East.

    The attacks are believed to have originated from a Windows shortcut masquerading as a Microsoft Word document, which triggers the execution of a batch script to launch the Visual Basic Script. This script then launches the MarsSnake backdoor without the loader component.
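    A defender-side check for the execution chain just described (user-opened shortcut, batch script, VBScript host), written as an added example that is not from the article or from the researchers it cites; the event layout, field names and sample events are constructed assumptions, not real telemetry:

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # executable path
    cmdline: str  # full command line
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
BATCH_RE = re.compile(r"\.(bat|cmd)\b", re.IGNORECASE)
VBS_RE = re.compile(r"\.vb[se]\b", re.IGNORECASE)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def find_lnk_batch_vbs_chains(events):
    """Return (explorer_pid, cmd_pid, script_host_pid) for each explorer.exe ->
    cmd.exe(.bat/.cmd) -> wscript/cscript(.vbs/.vbe) ancestry in the events."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if basename(e.image) not in SCRIPT_HOSTS or not VBS_RE.search(e.cmdline):
            continue
        parent = by_pid.get(e.ppid)
        if (parent is None or basename(parent.image) != "cmd.exe"
                or not BATCH_RE.search(parent.cmdline)):
            continue
        grand = by_pid.get(parent.ppid)  # explorer.exe here = shortcut opened by a user
        if grand is not None and basename(grand.image) == "explorer.exe":
            hits.append((grand.pid, parent.pid, e.pid))
    return hits

# Constructed sample events (not real telemetry): PIDs 100-300 are the lure chain,
# 400-700 are benign look-alikes that must not be flagged.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",          # shortcut target
              r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\update.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r'wscript.exe //B "C:\Users\u\AppData\Local\Temp\svc.vbs"'),
    ProcEvent(400, 100, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n "C:\Users\u\Documents\Report.docx"'),
    ProcEvent(500, 1, r"C:\Windows\System32\services.exe", "services.exe"),
    ProcEvent(600, 500, r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c \\dc01\netlogon\logon.bat"),           # logon script
    ProcEvent(700, 600, r"C:\Windows\System32\cscript.exe",
              r"cscript.exe //nologo \\dc01\netlogon\mapdrives.vbs"),
]
```

    The same ancestry walk applies to real process-creation telemetry once the events are mapped onto the ProcEvent fields; the logon-script chain under services.exe shows why the grandparent check matters for keeping false positives down.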

    Interestingly, Positive Technologies has noted that UnsolicitedBooker's group has made a U-turn and resumed using LuciDoor in 2026, after initially switching to the MarsSnake backdoor. The researchers speculate that this may be due to the group's desire to evade detection or exploit vulnerabilities in their chosen tools.

    Furthermore, the attacks have been observed using hacked routers as command-and-control (C2) servers, and their infrastructure has been found to mimic that of Russia in some cases. This suggests that UnsolicitedBooker's group may be attempting to create a sense of legitimacy or plausible deniability by masquerading as a pro-Russian hacking group.

    The use of rare tools of Chinese origin and the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake have raised concerns among cybersecurity experts. Researchers warn that UnsolicitedBooker's group may be planning to launch more sophisticated attacks, potentially leveraging their advanced knowledge of malware implementation and command-and-control systems.

    As the threat landscape continues to evolve, it is essential for organizations to remain vigilant and take proactive measures to protect themselves against emerging threats like UnsolicitedBooker. By staying informed about the latest developments and adopting a layered security approach, businesses can reduce their risk of falling victim to these sophisticated attacks.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/UnsolicitedBooker-The-Mysterious-Threat-Actor-Behind-LuciDoor-and-MarsSnake-Backdoors-ehn.shtml

  • Published: Tue Feb 24 09:38:44 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News. All rights reserved.