UnsolicitedBooker APT Targets Kyrgyzstan and Tajikistan Telecoms With LuciDoor and MarsSnake Backdoors

Executive Summary

The China-aligned advanced persistent threat (APT) group UnsolicitedBooker has recently intensified its cyber-espionage operations against telecommunications providers in Central Asia, specifically targeting organizations in Kyrgyzstan and Tajikistan. Leveraging highly tailored spear-phishing campaigns, the group deploys two rare and technically sophisticated backdoors, LuciDoor and MarsSnake, both written in C++. These campaigns demonstrate a significant evolution in both tradecraft and operational security, including the use of compromised routers for command-and-control (C2) infrastructure and the adoption of advanced payload delivery mechanisms such as malicious LNK files and obfuscated macro-laden Office documents. The observed tactics, techniques, and procedures (TTPs) indicate a high level of operational maturity and a clear focus on persistent access, data exfiltration, and lateral movement within targeted telecom environments. This report provides a comprehensive technical analysis of the malware, exploitation vectors, and recommended countermeasures to mitigate the risk posed by this campaign.

Threat Actor Profile

UnsolicitedBooker is a China-aligned APT group first observed in 2023, with a history of targeting telecommunications, government, and critical infrastructure sectors across Asia, the Middle East, and Africa. The group is characterized by its use of rare, custom-developed malware families and a strong emphasis on operational security, including infrastructure blending and the use of compromised third-party assets for C2. UnsolicitedBooker demonstrates tactical overlaps with other Chinese APTs such as Mustang Panda and Space Pirates, particularly in its use of LNK-based delivery and decoy document lures. The group’s campaigns are typically motivated by intelligence collection and strategic espionage, with a focus on sectors that provide access to sensitive communications and geopolitical data.

Technical Analysis of Malware/TTPs

The attack chain orchestrated by UnsolicitedBooker is multi-staged and leverages both social engineering and technical sophistication. Initial access is achieved through spear-phishing emails crafted to appear as legitimate telecom-related correspondence, often containing malicious Microsoft Office documents or links to such files. These documents are themed around telecom tariff plans and prompt recipients to enable macros, which, when executed, drop a C++-based loader such as LuciLoad or MarsSnakeLoader.

The loader then installs either the LuciDoor or MarsSnake backdoor. In alternative scenarios, the phishing emails deliver malicious Windows shortcut files with a .doc.lnk extension, masquerading as legitimate Word documents. These LNK files, sometimes generated using the public pentesting tool FTPlnk_phishing, initiate a chain of batch and VBScript execution that culminates in the deployment of the backdoor payload.

LuciDoor is a C++ backdoor that establishes encrypted C2 communications, collects and exfiltrates system information, executes arbitrary commands via cmd.exe, and facilitates file operations including reading, writing, and uploading data to the attacker-controlled infrastructure. While persistence mechanisms are not fully detailed in open sources, the malware’s modular design suggests the capability for long-term covert access.

MarsSnake is also a C++ backdoor with similar capabilities, including system metadata harvesting, arbitrary command execution, and unrestricted file system access. Notably, MarsSnake is delivered either via its dedicated loader or directly through the LNK/VBS chain, and its delivery TTPs closely mirror those previously attributed to Mustang Panda during campaigns in Southeast Asia.

The C2 infrastructure employed by UnsolicitedBooker is notable for its use of compromised routers, which serve as proxies to obfuscate the true location of the attackers and complicate attribution. Some C2 nodes are configured to mimic Russian IP space, further muddying attribution efforts and increasing the operational stealth of the campaign.

Exploitation in the Wild

The most recent wave of attacks attributed to UnsolicitedBooker was observed targeting telecom operators in Kyrgyzstan in September 2025 and Tajikistan in January 2026. Previous campaigns have targeted entities in Saudi Arabia and, according to some reports, organizations in China itself. The group’s exploitation methodology consistently involves spear-phishing with telecom-themed lures, the use of Office macros and LNK-based payloads, and the deployment of rare, custom-developed malware. The infrastructure blending and use of compromised routers for C2 have been confirmed in multiple incidents, underscoring the group’s commitment to operational security and persistence.

Victimology and Targeting

The primary victims of this campaign are telecommunications providers in Central Asia, specifically in Kyrgyzstan and Tajikistan. The targeting is highly selective, with phishing lures tailored to the operational context of the victim organizations, such as tariff plan documents and internal communications. While the current focus is on Central Asia, historical activity suggests that UnsolicitedBooker is capable of rapidly shifting its targeting to other regions and sectors, including government, defense, and critical infrastructure. The group’s interest in telecoms is likely driven by the strategic value of intercepting communications and accessing sensitive subscriber data.

Mitigation and Countermeasures

Organizations are strongly advised to implement a multi-layered defense strategy to mitigate the risk posed by UnsolicitedBooker and similar APT campaigns. Key recommendations include:

  • Ensure that email security gateways are configured to detect and quarantine messages containing suspicious Office documents, especially those requesting macro enablement, and to block emails with .doc.lnk attachments or links to such files.
  • Conduct regular security awareness training for staff, emphasizing the risks associated with enabling macros and opening unexpected attachments, particularly those purporting to be telecom-related documents.
  • Monitor network traffic for signs of C2 communication with unusual endpoints, including traffic to IP addresses associated with compromised routers or infrastructure mimicking Russian IP space.
  • Deploy endpoint detection and response (EDR) solutions capable of identifying and blocking the execution of malicious loaders, backdoors, and scripts, including those delivered via LNK and VBScript chains.
  • Investigate any use of public LNK creation tools such as FTPlnk_phishing within your environment, as their presence may indicate adversary simulation or active compromise.
  • Review and harden macro execution policies across the organization, and consider disabling macros by default for all users except those with a demonstrated business need.
  • Maintain up-to-date threat intelligence feeds and integrate indicators of compromise (IOCs) related to LuciDoor, MarsSnake, and associated loaders into your security monitoring systems.
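As an added detection example (not from the original report and not a vendor tool), the following Python flags the delivery chain described in the technical analysis and mitigation sections above: double-extension .doc.lnk attachment names, cmd.exe launching a script host (the LNK to batch to VBScript chain), and an Office application spawning a shell (a macro-dropped loader). The process events, file names and rule names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample process-creation events with Sysmon Event ID 1 style fields.
# They are illustrative only, not telemetry from the campaign discussed above.
EVENTS: List[Dict[str, str]] = [
    {"pid": "1", "ppid": "0", "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": "2", "ppid": "1", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r'cmd.exe /c "Tariff_Plan_2026.doc.lnk" & start C:\Users\Public\stage.bat'},
    {"pid": "3", "ppid": "2", "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r"wscript.exe //e:vbscript C:\Users\Public\stage.vbs"},
    {"pid": "4", "ppid": "1", "image": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "cmd": r'WINWORD.EXE "tariffs_2026.docm"'},
    {"pid": "5", "ppid": "4", "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c C:\Users\Public\loader.exe"},
    {"pid": "6", "ppid": "1", "image": r"C:\Windows\System32\notepad.exe", "cmd": "notepad.exe"},
]

# A document-looking extension followed by .lnk, at end of string or before a quote/space.
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf)\.lnk(?=$|[\"'\s])", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def is_double_extension(filename: str) -> bool:
    """True for attachment names such as 'tariffs.doc.lnk' that pose as documents."""
    return DOUBLE_EXT.search(filename) is not None


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect_chains(events: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return one (pid, rule) pair per suspicious event.

    lnk_double_ext : a shell whose command line names a *.doc.lnk style file
    shell_to_script: cmd.exe launching a script host (LNK -> batch -> VBScript chain)
    office_to_shell: an Office application spawning a shell (macro-dropped loader)
    """
    by_pid = {e["pid"]: e for e in events}
    findings: List[Tuple[str, str]] = []
    for e in events:
        child = _basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = _basename(parent["image"]) if parent else ""
        if child in SHELLS and DOUBLE_EXT.search(e["cmd"]):
            findings.append((e["pid"], "lnk_double_ext"))
        if child in SCRIPT_HOSTS and parent_name == "cmd.exe":
            findings.append((e["pid"], "shell_to_script"))
        if child in SHELLS and parent_name in OFFICE_APPS:
            findings.append((e["pid"], "office_to_shell"))
    return findings
```

Feed real EDR or Sysmon process-creation events into detect_chains to get the same three rule tags; tune SHELLS and SCRIPT_HOSTS to the interpreters permitted in your environment.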

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to assess, monitor, and mitigate cyber risks across their extended supply chain. Our advanced threat intelligence and risk analytics empower security teams to proactively identify and respond to emerging threats, ensuring robust protection for critical assets and business operations. For questions or further information, we are happy to assist at ops@rescana.com.