Chinese Cyber Espionage Group UnsolicitedBooker Deploys MarsSnake Backdoor in Prolonged Attack on Saudi Organization

In a series of sophisticated cyber espionage operations, the China-aligned threat actor known as UnsolicitedBooker has been implicated in targeting an undisclosed international organization based in Saudi Arabia. The group’s activities, spanning from March 2023 through January 2025, have involved the deployment of a previously undocumented backdoor malware named MarsSnake.

Initial Discovery and Attack Vector

ESET, a leading cybersecurity firm, first identified UnsolicitedBooker’s intrusion attempts in March 2023. The attackers employed spear-phishing emails, a common tactic in cyber espionage, to infiltrate their target. These emails were meticulously crafted, often masquerading as communications from reputable airlines, complete with flight ticket attachments. The decoy content was typically a modified flight ticket, based on publicly available PDFs from academic platforms.

When the recipient opened the attached Microsoft Word document, its embedded VBA macros ran. The macros decoded and wrote an executable file named smssdrvhost.exe to the system; this file acted as a loader for the MarsSnake backdoor, which then established a covert communication channel with a remote command-and-control server at contact.decenttoy[.]top.
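The infection chain above gives a defender three concrete things to look for: a Word process spawning an executable from a user-writable directory, the loader file name, and a DNS lookup of the C2 domain. As an added example that is not code from ESET or from the article, the Python below runs those three checks over constructed Sysmon-style log lines; the key=value log format, the user-writable path list, and the inclusion of Excel and PowerPoint alongside Word (a generalization beyond the Word-only chain the article describes) are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample telemetry in a Sysmon-like key=value form (not taken from the ESET report).
SAMPLE_LOGS = r"""
2023-03-14T09:02:11Z ProcessCreate parent=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE image=C:\Users\analyst\AppData\Roaming\smssdrvhost.exe
2023-03-14T09:02:12Z DnsQuery image=C:\Users\analyst\AppData\Roaming\smssdrvhost.exe query=contact.decenttoy.top
2023-03-14T09:05:00Z ProcessCreate parent=C:\Windows\explorer.exe image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
2023-03-14T09:06:30Z DnsQuery image=C:\Program Files\Mozilla Firefox\firefox.exe query=www.example.com
"""

# Word is the macro host named in the article; Excel and PowerPoint are added as a generalization (assumption).
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
# Locations a macro can write to without admin rights (assumed list).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
KNOWN_LOADER = "smssdrvhost.exe"            # loader file name from the article
KNOWN_C2 = {"contact.decenttoy.top"}        # C2 domain from the article, defanging brackets removed

FIELD_RE = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")   # values may contain spaces (e.g. "Program Files")


def parse_line(line):
    """Split 'timestamp event k=v k=v ...' into a dict."""
    ts, event, rest = line.split(" ", 2)
    return {"ts": ts, "event": event, **dict(FIELD_RE.findall(rest))}


def basename(path):
    return PureWindowsPath(path).name.lower()


def detect(log_text):
    """Return one alert dict per rule hit; a single event can trigger more than one rule."""
    alerts = []
    for line in log_text.strip().splitlines():
        ev = parse_line(line)
        image = ev.get("image", "")
        if ev["event"] == "ProcessCreate":
            parent = basename(ev.get("parent", ""))
            lowered = image.lower()
            # Rule 1: an Office host launching an .exe out of a user-writable directory.
            if parent in OFFICE_HOSTS and lowered.endswith(".exe") and any(d in lowered for d in USER_WRITABLE):
                alerts.append({"ts": ev["ts"], "rule": "office_spawned_exe_from_user_dir", "image": image})
            # Rule 2: the loader file name reported for this campaign.
            if basename(image) == KNOWN_LOADER:
                alerts.append({"ts": ev["ts"], "rule": "known_marssnake_loader_name", "image": image})
        elif ev["event"] == "DnsQuery" and ev.get("query", "").lower() in KNOWN_C2:
            # Rule 3: resolution of the reported command-and-control domain.
            alerts.append({"ts": ev["ts"], "rule": "known_c2_domain", "image": image})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Rule 1 is the durable one: it keeps firing after the loader is renamed or the C2 domain changes, whereas rules 2 and 3 only match this campaign's published indicators.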

Persistent Targeting and Malware Deployment

The persistence of UnsolicitedBooker’s efforts is notable. After the initial detection in March 2023, the group launched subsequent attacks in 2024 and again in January 2025, indicating a sustained interest in the Saudi organization. The repeated attempts suggest a strategic objective to infiltrate and maintain access to the target’s systems over an extended period.

The MarsSnake backdoor is a significant addition to UnsolicitedBooker’s arsenal, which includes other malware such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT. These tools are commonly associated with Chinese cyber espionage groups, underscoring the sophisticated capabilities of the threat actor.

Connections to Other Threat Actors

UnsolicitedBooker’s activities exhibit overlaps with other known threat clusters. Notably, there are similarities with the group tracked as Space Pirates and an unattributed cluster that deployed the Zardoor backdoor against an Islamic non-profit organization in Saudi Arabia. These connections suggest a possible sharing of tools, tactics, or even personnel among these groups, reflecting the complex and interconnected nature of state-sponsored cyber operations.

Broader Context of Chinese Cyber Espionage

The operations of UnsolicitedBooker are part of a broader pattern of Chinese cyber espionage activities targeting governmental and non-governmental organizations across Asia, Africa, and the Middle East. For instance, another Chinese threat actor, PerplexedGoblin (also known as APT31), targeted a Central European government entity in December 2024, deploying an espionage backdoor referred to as NanoSlate.

Additionally, the group known as DigitalRecyclers has been conducting attacks on European Union governmental entities. This group utilizes the KMA VPN operational relay box (ORB) network to conceal its network traffic and deploys backdoors such as RClient, HydroRShell, and GiftBox. DigitalRecyclers, active since at least 2018, is believed to be linked to other Chinese cyber espionage groups like Ke3chang and BackdoorDiplomacy.

Implications and Recommendations

The persistent and evolving nature of these cyber threats underscores the need for organizations, especially those in critical sectors, to enhance their cybersecurity measures. Implementing robust email filtering systems, conducting regular security awareness training for employees, and maintaining up-to-date security patches are essential steps in mitigating the risk of such sophisticated attacks.

Furthermore, organizations should adopt a proactive approach to threat detection, utilizing advanced threat intelligence and monitoring tools to identify and respond to potential intrusions promptly. Collaboration with cybersecurity firms and sharing information about threat actors can also aid in developing effective defense strategies against state-sponsored cyber espionage activities.

Conclusion

The activities of UnsolicitedBooker and similar threat actors highlight the ongoing and complex challenges posed by state-sponsored cyber espionage. The deployment of sophisticated malware like MarsSnake, coupled with persistent targeting strategies, reflects a high level of coordination and intent. As cyber threats continue to evolve, it is imperative for organizations to remain vigilant and adopt comprehensive cybersecurity practices to safeguard their sensitive information and maintain operational integrity.