A Martian Snake Boards the Saudi Airways
- Javier Conejo del Cerro
- 2 days ago
- 2 min read

The China-aligned threat group UnsolicitedBooker has resurfaced with a multi-year cyberespionage campaign against a Saudi-based international organization. According to ESET, which detected the operation, the group returned to the same target in 2023, 2024, and 2025.
Sovereign prey
UnsolicitedBooker's primary targets are governmental entities in Asia, Africa, and the Middle East, regions of geopolitical significance to China. Repeated intrusions into the same organization point to a high-value intelligence objective and long-term strategic goals rather than opportunistic access.
In this latest wave, UnsolicitedBooker impersonated Saudia Airlines, dispatching spear-phishing emails built around supposedly modified flight tickets. These lures are not random: they exploit organizational routines and employee trust in a familiar brand, increasing the chance that the recipient opens the attachment. The decoy document was based on a real ticket found online, which gives the operation a layer of authenticity that survives casual scrutiny.
Snakes on the plane
The spear-phishing emails carry a Microsoft Word document. Once the file is opened and macros are enabled, the embedded VBA macro decodes an executable, smssdrvhost.exe, and writes it to disk. This executable is not the final payload but a loader that retrieves and deploys MarsSnake, a previously undocumented backdoor.
MarsSnake connects to a command-and-control server at contact.decenttoy[.]top. Once that channel is established, the attackers have covert, persistent access to the victim's systems. ESET has not published what was exfiltrated, but a backdoor of this kind typically enables the theft of confidential documents, sensitive communications, and user credentials, access to mailboxes, and continuous monitoring of activity on compromised hosts. That the decoy document was derived from a PDF publicly hosted on an academic site such as Academia adds to the sophistication of the social engineering.
Flight canceled
To mitigate threats like MarsSnake:
- Never enable macros in Microsoft Office files received from unknown or untrusted senders. Campaigns like this one depend on social engineering to get the user to click "Enable Content", which is the step that starts the infection chain.
- Keep VBA macros disabled by default across the Office suite, enforced centrally (for example through Group Policy) rather than left to individual users, and keep Office's default block on macros in files downloaded from the internet in place. This is especially effective in environments where macros are rarely needed.
- Monitor Microsoft Word and the other Office applications for anomalous behavior, in particular spawning child processes such as smssdrvhost.exe or any other executable launched from a user-writable location. An Office application starting an unknown executable is a strong indicator of malicious macro execution.
- Inspect DNS and network traffic for connections to unknown or suspicious domains, especially newly seen domains not yet classified by threat intelligence feeds. Low-volume C2 traffic, like the connections to contact.decenttoy[.]top, is easy to overlook in aggregate network logs.
- Deploy antivirus and endpoint detection and response (EDR) solutions with behavioral analysis. Prioritize tooling that detects script-based loaders, VBA macro execution, and in-memory activity that bypasses signature-based defenses.
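The two detection items above (an Office process spawning an executable, and DNS lookups of the published C2 domain) are straightforward to express as rules over endpoint telemetry. The following is an added example, not code from ESET or from the original article: a small detector run over constructed Sysmon-style records (event ID 1 for process creation, event ID 22 for DNS queries). The file paths, user name, allowlist of expected Office child processes, and the sample events are assumptions made for the example; the only indicator taken from the article is the C2 domain.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Office binaries whose child processes deserve scrutiny.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Children an Office parent legitimately spawns in this (assumed) environment;
# tune this allowlist to what you actually observe on your fleet.
OFFICE_ALLOWED_CHILDREN = {"splwow64.exe"}

# Paths a macro can write to without admin rights: the natural drop location
# for a loader such as smssdrvhost.exe.
USER_WRITABLE = re.compile(
    r"^(?:c:\\users\\[^\\]+\\|c:\\programdata\\|c:\\windows\\temp\\)", re.I)

# MarsSnake C2 domain as published by ESET (defanged here, refanged below).
KNOWN_C2 = {"contact.decenttoy[.]top"}


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def refang(domain: str) -> str:
    """Normalise a threat-intel indicator: 'a[.]b' -> 'a.b', lower-case, no trailing dot."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def check_process(ev: Dict) -> Optional[Finding]:
    """Sysmon event 1: flag Office parents launching unexpected children."""
    parent = basename(ev.get("ParentImage", ""))
    if parent not in OFFICE_PARENTS:
        return None
    image = ev.get("Image", "")
    if basename(image) in OFFICE_ALLOWED_CHILDREN:
        return None
    if USER_WRITABLE.match(image):
        return Finding("office_spawns_user_writable_exe", f"{parent} -> {image}")
    return Finding("office_spawns_unexpected_child", f"{parent} -> {image}")


def check_dns(ev: Dict, c2: Set[str]) -> Optional[Finding]:
    """Sysmon event 22: flag queries for a known C2 domain or any subdomain of it."""
    name = refang(ev.get("QueryName", ""))
    for ioc in c2:
        if name == ioc or name.endswith("." + ioc):
            return Finding("dns_query_to_known_c2",
                           f"{basename(ev.get('Image', ''))} -> {name}")
    return None


def analyze(events: Iterable[Dict], c2: Iterable[str] = KNOWN_C2) -> List[Finding]:
    """Run both rules over a stream of events and collect the findings in order."""
    iocs = {refang(d) for d in c2}
    findings: List[Finding] = []
    for ev in events:
        f = None
        if ev.get("EventID") == 1:
            f = check_process(ev)
        elif ev.get("EventID") == 22:
            f = check_dns(ev, iocs)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample telemetry (not real logs): one benign Word launch, the
# macro dropping and running a loader from AppData, a legitimate print helper,
# Word spawning cmd.exe, the loader resolving the C2, and an unrelated lookup.
WINWORD = r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
LOADER = r"C:\Users\alice\AppData\Roaming\smssdrvhost.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": WINWORD, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": LOADER, "ParentImage": WINWORD},
    {"EventID": 1, "Image": r"C:\Windows\splwow64.exe", "ParentImage": WINWORD},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": WINWORD},
    {"EventID": 22, "Image": LOADER, "QueryName": "contact.decenttoy.top"},
    {"EventID": 22, "Image": r"C:\Program Files\Browser\browser.exe",
     "QueryName": "www.example.com"},
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.detail}")
```

Running the block prints three findings: the loader launched from AppData by Word, Word spawning cmd.exe, and the loader's DNS query for the C2 domain. The process rule is the durable one; the domain rule only catches this particular campaign, so in practice pair it with alerting on newly observed domains rather than relying on a static indicator list.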