UnsolicitedBooker Expands to Central Asia: LuciDoor and MarsSnake in Telecom Espionage

  • Javier Conejo del Cerro
  • 8 hours ago
  • 3 min read

The China-aligned threat cluster UnsolicitedBooker, active since at least March 2023, has shifted its operational focus toward telecommunications companies in Kyrgyzstan and Tajikistan after earlier campaigns targeting Saudi entities. Between September 2025 and January 2026, the group deployed two backdoors — LuciDoor and MarsSnake — leveraging phishing-based initial access, rare Chinese-origin tooling, and infrastructure that in some cases mimicked Russian assets, underscoring a persistent and adaptive espionage posture across Asia, Africa, and the Middle East.


Phase 1: Initial Access Through Telecom-Themed Phishing


The campaign begins with spear-phishing emails targeting telecom organizations. In late September 2025, victims in Kyrgyzstan received Microsoft Office documents attached directly to emails. These documents displayed legitimate telecom tariff plans as decoys but required recipients to “Enable Content” in order to activate embedded malicious macros.

By January 2026, targeting extended to Tajikistan, with the attackers slightly modifying delivery tactics. Instead of attaching files, the emails contained links to externally hosted decoy documents. The social engineering remained consistent: convincing telecom employees to enable macros and trigger execution.

This macro-based entry point reflects tradecraft commonly seen in state-sponsored operations, where reliability and familiarity are prioritized over complexity.


Phase 2: Loader Deployment and Backdoor Installation


Once macros were enabled, the infection chain unfolded in multiple variants:


Variant A: LuciDoor Chain


The malicious document dropped a C++ loader named LuciLoad, which then deployed the LuciDoor backdoor.


Variant B: MarsSnake Chain


A similar macro mechanism deployed MarsSnakeLoader, responsible for installing the MarsSnake backdoor.


Variant C: LNK Execution Path


In another observed scenario — including activity targeting China — attackers used a Windows shortcut file disguised as a Microsoft Word document (*.doc.lnk). This LNK triggered a batch script, which launched a Visual Basic Script (VBS) that executed MarsSnake directly, bypassing the loader stage.

The LNK decoy showed structural similarities to a publicly available pentesting tool known as FTPlnk_phishing, including matching file creation timestamps and Machine ID indicators. Similar LNK techniques were previously used by Mustang Panda in operations targeting Thailand.


Phase 3: Command-and-Control and Espionage Operations


Once deployed, both LuciDoor and MarsSnake established encrypted communication with command-and-control (C2) servers.

Notable operational characteristics included:

  • Encrypted C2 traffic

  • Use of hacked routers as C2 infrastructure

  • Infrastructure elements that in some attacks mimicked Russian assets


LuciDoor Capabilities


  • Collect basic system information

  • Exfiltrate system data in encrypted format

  • Execute arbitrary commands via cmd.exe

  • Read, write, and upload files


MarsSnake Capabilities


  • Harvest system metadata

  • Execute arbitrary commands

  • Read and write any file on disk

Both implants provided full remote access, enabling long-term persistence and post-compromise maneuvering within telecom environments.


Phase 4: Tooling Evolution and Strategic Patterns


UnsolicitedBooker initially relied heavily on LuciDoor, later shifted toward MarsSnake, and in 2026 returned to LuciDoor usage — indicating iterative experimentation and tool rotation.

Positive Technologies also identified tactical overlaps with:

  • Space Pirates

  • An unattributed campaign using the Zardoor backdoor

These overlaps suggest either shared development resources or coordinated ecosystem activity within China-aligned threat circles.

The group’s broader targeting history includes organizations across:

  • Asia

  • Africa

  • The Middle East

The pivot to Central Asian telecom operators signals continued focus on strategically valuable infrastructure.


Defensive Measures


To mitigate similar campaigns, organizations should:

  • Disable Microsoft Office macros by default

  • Block LNK execution from email-delivered files

  • Monitor for C++ loader artifacts (LuciLoad, MarsSnakeLoader)

  • Detect suspicious LNK → batch → VBS execution chains

  • Inspect encrypted outbound C2 traffic anomalies

  • Monitor routers for compromise and C2 relay abuse

  • Patch public-facing services and infrastructure

  • Deploy behavioral EDR capable of detecting command execution via cmd.exe and file exfiltration patterns

  • Segment telecom infrastructure networks to reduce lateral movement risk
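As an added illustration (not code from the report or from Positive Technologies), the following Python sketch applies two of the detection ideas above to constructed Sysmon-style process-creation records: an Office application spawning a dropped executable (the macro → loader step of Variants A and B), and the explorer.exe → cmd.exe (.bat) → wscript.exe (.vbs) lineage, which is how the LNK → batch → VBS chain of Variant C appears in process telemetry. All event fields, file names and paths are made up for the example; the benign-child allowlist is an assumption to be tuned per environment.

```python
import re
from typing import Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
OFFICE_BENIGN_CHILDREN = {"splwow64.exe"}   # print helper Word spawns itself; tune per environment
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# Constructed Sysmon-style process-creation records (Event ID 1 fields, simplified); not telemetry from the report.
SAMPLE_EVENTS = [
    {"pid": 4,  "ppid": 0,  "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    # Variant A/B: macro-enabled decoy drops and runs a loader (placeholder file name).
    {"pid": 10, "ppid": 4,  "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\tariff_plans.doc"'},
    {"pid": 11, "ppid": 10, "image": r"C:\Users\u\AppData\Local\Temp\dropped_loader.exe", "cmdline": "dropped_loader.exe"},
    # Variant C: *.doc.lnk opened from Explorer -> cmd.exe runs a .bat -> wscript.exe runs a .vbs.
    {"pid": 20, "ppid": 4,  "image": r"C:\Windows\System32\cmd.exe", "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\run.bat"'},
    {"pid": 21, "ppid": 20, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe //B //Nologo C:\Users\u\AppData\Local\Temp\stage.vbs"},
    # Benign: an admin opens a prompt and runs a logon script by hand (no .bat in the parent command line).
    {"pid": 30, "ppid": 4,  "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 31, "ppid": 30, "image": r"C:\Windows\System32\wscript.exe", "cmdline": r"wscript.exe \\fs01\netlogon\map_drives.vbs"},
]

def _name(path: str) -> str:
    # Lower-cased file name of an image path, e.g. "WINWORD.EXE" -> "winword.exe"
    return path.rsplit("\\", 1)[-1].lower()

def lineage(pid: int, by_pid: Dict[int, dict]) -> List[dict]:
    # Process followed by its ancestors (child first); the seen-set guards against pid reuse cycles.
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain

def detect(events: List[dict]) -> List[Tuple[str, int, str]]:
    # Returns (rule, pid, rendered chain) for every event matching one of the two report patterns.
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        chain = lineage(e["pid"], by_pid)
        names = [_name(p["image"]) for p in chain]          # [self, parent, grandparent, ...]
        pretty = " -> ".join(reversed(names))
        # Rule 1: an Office application spawning anything that is neither Office nor a known helper.
        if len(names) > 1 and names[1] in OFFICE_APPS and names[0] not in OFFICE_APPS | OFFICE_BENIGN_CHILDREN:
            alerts.append(("office_child_process", e["pid"], pretty))
        # Rule 2: script host running a .vbs under a cmd.exe that explorer.exe launched with a .bat/.cmd argument.
        if (names[0] in SCRIPT_HOSTS and re.search(r"\.vbs\b", e["cmdline"], re.I)
                and names[1:3] == ["cmd.exe", "explorer.exe"]
                and re.search(r"\.(bat|cmd)\b", chain[1]["cmdline"], re.I)):
            alerts.append(("lnk_batch_vbs_chain", e["pid"], pretty))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` flags pid 11 (Office child) and pid 21 (batch → VBS chain) while leaving the hand-run logon script alone; in production the same two rules map directly onto Sysmon Event ID 1 or EDR process-tree data.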


UnsolicitedBooker’s operations demonstrate a consistent pattern: disciplined phishing tradecraft, controlled loader execution, encrypted C2, and adaptable infrastructure. The group does not rely on flashy zero-days or novel exploit chains. Instead, it prioritizes reliability, operational security, and steady refinement.


The return to LuciDoor in 2026 highlights an evolutionary rather than revolutionary approach to malware deployment. Combined with rare Chinese-origin tooling and infrastructure experimentation, this suggests a mature espionage ecosystem comfortable rotating assets while maintaining strategic continuity.


Telecommunications providers in emerging or geopolitically sensitive regions remain high-value intelligence targets. As this campaign illustrates, initial access may be simple — but the persistence and intelligence value derived from successful compromise can be long-term and strategically significant.



The Hacker News
