Threat hunters have exposed the tactics of a China-aligned threat actor called UnsolicitedBooker that targeted an unnamed international organization in Saudi Arabia with a previously undocumented backdoor dubbed MarsSnake.
ESET, which first discovered the hacking group’s intrusions targeting the entity in March 2023 and again a year later, said the activity leverages spear-phishing emails using flight tickets as lures to infiltrate targets of interest.
“UnsolicitedBooker sends spear-phishing emails, generally with a flight ticket as the decoy, and its targets include governmental organizations in Asia, Africa, and the Middle East,” the company said in its latest APT Activity Report for the period ranging from October 2024 to March 2025.
Attacks mounted by the threat actor are characterized by the use of backdoors like Chinoxy, DeedRAT, Poison Ivy, and BeRAT, which are widely used by Chinese hacking crews.
UnsolicitedBooker is assessed to share overlaps with a cluster tracked as Space Pirates and an unattributed threat activity cluster that was found deploying a backdoor codenamed Zardoor against an Islamic non-profit organization in Saudi Arabia.
The latest campaign, spotted by the Slovak cybersecurity company in January 2025, involved sending a phishing email claiming to be from Saudia Airlines to the same Saudi Arabian organization about a flight booking.
“A Microsoft Word document is attached to the email, and the decoy content […] is a flight ticket that was modified but is based on a PDF that was available online on the Academia website, a platform for sharing academic research that allows uploading PDF files,” ESET said.
The Word document, once launched, triggers the execution of a VBA macro that decodes and writes to the file system an executable (“smssdrvhost.exe”) that, in turn, acts as a loader for MarsSnake, a backdoor that establishes communications with a remote server (“contact.decenttoy[.]top”).
“The multiple attempts at compromising this organization in 2023, 2024, and 2025 indicate a strong interest by UnsolicitedBooker in this specific target,” ESET said.
The disclosure comes as another Chinese threat actor tracked as PerplexedGoblin (aka APT31) targeted a Central European government entity in December 2024 to deploy an espionage backdoor referred to as NanoSlate.
ESET said it also identified DigitalRecyclers continued attacks on European Union governmental entities, making use of the KMA VPN operational relay box (ORB) network to conceal its network traffic and deploying the RClient, HydroRShell, and GiftBox backdoors.
DigitalRecyclers was first detected by the company in 2021, although it’s believed to be active since at least 2018.
“Likely linked to Ke3chang and BackdoorDiplomacy, DigitalRecyclers operates within the APT15 galaxy,” ESET said. “They deploy the RClient implant, a variant of the Project KMA stealer. In September 2023, the group introduced a new backdoor, HydroRShell, which uses Google’s Protobuf and Mbed TLS for C&C communications.”
