China-Linked UnsolicitedBooker APT Deploys MarsSnake Backdoor in Recent Attacks

ESET researchers revealed that a China-linked APT group known as UnsolicitedBooker targeted an international organization in Saudi Arabia using a new backdoor named MarsSnake. The attacks were discovered in March 2023 and again in 2024. The group used spear-phishing emails with fake flight-ticket lures to infiltrate systems.

UnsolicitedBooker has consistently targeted government organizations across Asia, Africa, and the Middle East. The group delivers malware through spear-phishing emails, using a toolkit that includes the backdoors Chinoxy, DeedRAT, Poison Ivy, and BeRAT, all of which are commonly linked to Chinese APT groups.

These backdoors are shared among several China-linked APT groups rather than being unique to UnsolicitedBooker.

“The group also deployed custom file stealers, so we believe their motivation is espionage and data theft. UnsolicitedBooker sends spear-phishing emails, typically using flight tickets as decoys, targeting governmental organizations in Asia, Africa, and the Middle East,” states the report published by ESET. “Our investigation shows that UnsolicitedBooker overlaps with both Space Pirates and another unnamed threat actor using the Zardoor backdoor.” 

In January 2025, UnsolicitedBooker launched another spear-phishing campaign against the same Saudi organization previously targeted. The phishing email, pretending to be from Saudia airline, came from saudia.etickets@outlook[.]com and contained a fake flight ticket in a Word document. This document was based on a PDF from Academia.edu. Researchers noted that in 2024, UnsolicitedBooker reused the same ticket decoy from earlier attacks. The document included a VBA macro that dropped a MarsSnake backdoor loader. The payload was saved as smssdrvhost.exe, with PDB paths confirming the MarsSnake name. The attackers communicated with their command and control server at contact.decenttoy[.]top. Two additional phishing attempts were detected targeting the same organization. 
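The attack chain above gives a defender a handful of concrete hunting points: an airline brand in the sender address but a free-mail domain behind it, a Word attachment carrying a VBA macro, a dropped executable named smssdrvhost.exe, and DNS traffic to contact.decenttoy[.]top. The following is an added example, not code from ESET or from the article, that runs those checks over constructed e-mail and endpoint telemetry records; the record layout, the field names and the free-mail domain list are assumptions made for this example, while the indicator values themselves are the ones quoted in the article.

```python
"""Added example (not from the ESET report or the article): triage helpers
that check constructed e-mail and endpoint records for the indicators the
article describes. Record layout and helper names are assumptions."""

import re
from dataclasses import dataclass

# Indicators quoted in the article (the C2 domain is printed defanged in
# the article; it is written without brackets here so it can be compared).
PHISHING_SENDER = "saudia.etickets@outlook.com"
C2_DOMAIN = "contact.decenttoy.top"
DROPPED_BINARY = "smssdrvhost.exe"
IMPERSONATED_BRAND = "saudia"

# Assumption for this example: free-mail providers an airline would not
# send e-tickets from.
FREE_MAIL_DOMAINS = {"outlook.com", "gmail.com", "yahoo.com", "hotmail.com"}


@dataclass
class Email:
    sender: str
    subject: str
    attachments: list  # list of (filename, has_vba_macro) tuples


@dataclass
class EndpointEvent:
    kind: str   # "process" (image path) or "dns" (queried name)
    value: str


def check_email(msg):
    """Return the list of reasons this e-mail matches the lure pattern."""
    reasons = []
    local, _, domain = msg.sender.lower().rpartition("@")
    # Brand name in the local part, but delivered from a free-mail domain
    if IMPERSONATED_BRAND in local and domain in FREE_MAIL_DOMAINS:
        reasons.append("brand impersonation from free-mail domain")
    if msg.sender.lower() == PHISHING_SENDER:
        reasons.append("known UnsolicitedBooker sender address")
    for name, has_macro in msg.attachments:
        # Macro-enabled Word documents (.doc/.docm/.dot/.dotm) carrying VBA
        if has_macro and re.search(r"\.(docm?|dotm?)$", name, re.I):
            reasons.append(f"macro-enabled Word attachment: {name}")
    return reasons


def check_endpoint(events):
    """Return the list of reasons these endpoint events match MarsSnake."""
    reasons = []
    for ev in events:
        if ev.kind == "process" and ev.value.lower().endswith(DROPPED_BINARY):
            reasons.append(f"MarsSnake loader image name: {ev.value}")
        if ev.kind == "dns" and ev.value.lower().rstrip(".") == C2_DOMAIN:
            reasons.append(f"MarsSnake C2 domain queried: {ev.value}")
    return reasons


# Constructed sample records for the example (not real telemetry).
SAMPLE_PHISH = Email(
    sender="saudia.etickets@outlook.com",
    subject="Your e-ticket",
    attachments=[("E-Ticket.doc", True)],
)
SAMPLE_CLEAN = Email(
    sender="colleague@example.org",
    subject="Meeting agenda",
    attachments=[("agenda.pdf", False)],
)
SAMPLE_EVENTS = [
    EndpointEvent("process", r"C:\Users\Public\smssdrvhost.exe"),
    EndpointEvent("dns", "contact.decenttoy.top"),
    EndpointEvent("dns", "www.example.com"),
]

if __name__ == "__main__":
    print("phish:", check_email(SAMPLE_PHISH))
    print("clean:", check_email(SAMPLE_CLEAN))
    print("endpoint:", check_endpoint(SAMPLE_EVENTS))
```

The e-mail check deliberately fires on the brand/domain mismatch even when the exact sender address is unknown, since the article notes the same ticket decoy was reused across 2023, 2024 and 2025 and a fresh mailbox is cheap to register; the fixed sender and C2 strings are the narrower, higher-confidence matches.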

“The repeated attempts to compromise this organization in 2023, 2024, and 2025 highlight UnsolicitedBooker’s strong interest in this specific target,” the report concludes. 
