
New Cyber Weapon 'MarsSnake' Discovered in Saudi Hack Tied to China-Based Hackers

A China-aligned cyber-espionage group tracked as "UnsolicitedBooker" has been linked to a highly targeted campaign against an international organization in Saudi Arabia. Using spear-phishing lures and a newly identified backdoor named MarsSnake, the group made repeated intrusion attempts over three years, pointing to a persistent and evolving threat. The findings come from a new report by cybersecurity firm ESET, which also documents the broader scope of China-aligned cyber operations across Asia, the Middle East, and Africa.

Anatomy of a Cyber Attack: Flight Tickets, Macros, and Malware

The campaign, first detected in March 2023 and repeated in 2024 and again in January 2025, relied on spear-phishing emails masquerading as flight confirmations from Saudia Airlines. Each email carried a Microsoft Word attachment that purported to show a flight itinerary but actually contained a weaponized VBA macro. When a recipient enabled and ran the macro, it deployed a binary named smssdrvhost.exe, a loader for the MarsSnake backdoor.
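A lure of this kind is caught at the mail gateway by looking at the attachment's structure rather than its file extension. The following is an added example, not code from ESET or from the campaign described above: it flags Word attachments that carry a VBA project, including a macro-enabled document renamed to .docx, and hands legacy OLE .doc files off for separate inspection. The sample documents are constructed in memory; the file names and the placeholder VBA stream are assumptions for illustration.

```python
"""Triage an Office attachment by its structure, not its file extension.

Added example (not code from ESET or the article): a mail-gateway check that
flags Word attachments carrying a VBA project, the kind of lure used in the
MarsSnake campaign. All sample documents below are constructed test data.
"""
import io
import zipfile

# Content type declared by macro-enabled Word documents (.docm) in [Content_Types].xml
DOCM_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
DOCX_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
# Header of legacy OLE2 compound files (.doc/.xls/.ppt), which can also embed VBA
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def triage_office_attachment(data: bytes) -> str:
    """Return a verdict: 'macro', 'clean', 'legacy-ole', or 'not-office'."""
    if data.startswith(OLE_MAGIC):
        # Legacy binary format: VBA lives in OLE streams, which this check does not
        # parse; route these to a tool such as oletools for a real verdict.
        return "legacy-ole"
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "not-office"
    names = set(zf.namelist())
    if "[Content_Types].xml" not in names:
        return "not-office"
    content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
    # Either signal is enough: a vbaProject.bin part or the macroEnabled content type.
    # Checking the zip contents catches a .docm renamed to .docx, where the
    # extension lies but the package still carries the VBA project.
    has_vba_part = any(n.lower().endswith("vbaproject.bin") for n in names)
    if has_vba_part or DOCM_MAIN_CT in content_types:
        return "macro"
    return "clean"


def _build_doc(with_macro: bool) -> bytes:
    """Construct a minimal OOXML Word package in memory (constructed test data)."""
    main_ct = DOCM_MAIN_CT if with_macro else DOCX_MAIN_CT
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(
            "[Content_Types].xml",
            '<?xml version="1.0"?>'
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Override PartName="/word/document.xml" ContentType="' + main_ct + '"/>'
            '</Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Placeholder bytes standing in for a real VBA project stream (assumption)
            zf.writestr("word/vbaProject.bin", b"\x00" * 64)
    return buf.getvalue()


# Constructed sample attachments; names are hypothetical, chosen to mirror the lure theme.
SAMPLES = {
    "Saudia_itinerary.docm": _build_doc(with_macro=True),
    "Saudia_itinerary.docx": _build_doc(with_macro=True),   # macro doc renamed to .docx
    "flight_confirmation.docx": _build_doc(with_macro=False),
    "old_itinerary.doc": OLE_MAGIC + b"\x00" * 504,         # legacy OLE header only
    "itinerary.pdf": b"%PDF-1.4\n%constructed sample\n",
}


def triage_samples() -> dict:
    """Run the triage over every constructed sample and return name -> verdict."""
    return {name: triage_office_attachment(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in triage_samples().items():
        print(f"{verdict:11s} {name}")
```

The renamed sample is the case worth noting: an extension-based policy that allows .docx but blocks .docm would pass it, while the package check still sees the VBA project.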

Analysis traced the decoy document's content to a PDF publicly available on the Academia.edu platform, illustrating how legitimate online resources are being repurposed as lures in state-aligned operations. Once installed, MarsSnake connects to a command-and-control server at contact.decenttoy[.]top, giving the operators remote access to the host for espionage.
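Published indicators such as the domain above arrive defanged, and a host that contacted a subdomain of the C2 domain matters as much as an exact hit. The following added example, not code from ESET or the article, refangs the indicator and matches it against DNS query logs with exact and subdomain matching, while rejecting look-alike names that merely end in the same string. The log format and the log lines are constructed for the example.

```python
"""Match DNS query logs against defanged C2 indicators.

Added example, not from the article or ESET. The indicator list holds the
domain published in the article in its defanged form; the log format
("timestamp client qname qtype") and the log lines are constructed sample data.
"""
import re
from typing import Iterable, List, Optional, Tuple

# Indicator from the article, kept defanged exactly as published.
INDICATORS = ["contact.decenttoy[.]top"]


def refang(indicator: str) -> str:
    """Undo common defanging conventions so the indicator can be compared to live data."""
    s = indicator.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", "", s)   # hxxp:// -> strip scheme entirely for host matching
    return s.rstrip(".")


def matches(qname: str, indicators: Iterable[str]) -> Optional[str]:
    """Return the indicator if qname equals it or is a subdomain of it, else None.

    The leading '.' in the suffix test is what stops 'notdecenttoy.top' from
    matching 'decenttoy.top': only label-boundary matches count.
    """
    q = qname.lower().rstrip(".")  # resolvers often log the trailing root dot
    for ioc in map(refang, indicators):
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None


# Constructed sample log: "timestamp client qname qtype", one query per line.
SAMPLE_DNS_LOG = """\
2025-01-14T09:12:01Z 10.0.4.21 contact.decenttoy.top. A
2025-01-14T09:12:03Z 10.0.4.21 www.saudia.com A
2025-01-14T09:15:40Z 10.0.4.33 api.contact.decenttoy.top A
2025-01-14T09:16:02Z 10.0.4.21 notdecenttoy.top A
2025-01-14T09:16:09Z 10.0.4.21 contact.decenttoy.top.example.net A
"""


def scan_dns_log(text: str, indicators: Iterable[str] = INDICATORS) -> List[Tuple[str, str, str]]:
    """Return (timestamp, client, matched_indicator) for every query that hits an IOC."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed or empty line; skip rather than crash the scan
        ts, client, qname = parts[0], parts[1], parts[2]
        ioc = matches(qname, indicators)
        if ioc:
            hits.append((ts, client, ioc))
    return hits


if __name__ == "__main__":
    for ts, client, ioc in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{ts} {client} -> {ioc}")
```

The last two sample lines are the deliberate near-misses: a name that only shares a suffix, and a name where the indicator appears as a prefix of a different domain. Neither should page an analyst, and neither matches.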

MarsSnake and Its Siblings: The Evolving Arsenal of UnsolicitedBooker

MarsSnake joins a known roster of espionage backdoors deployed by UnsolicitedBooker, including Chinoxy, DeedRAT, Poison Ivy, and BeRAT—malware families frequently associated with Chinese threat actors. ESET researchers observed that UnsolicitedBooker shares multiple behavioral overlaps with threat clusters like Space Pirates and other unattributed operations, including one that previously deployed the Zardoor backdoor against an Islamic nonprofit in Saudi Arabia.

The sophistication of the campaign, especially its persistence over a multi-year period, suggests strategic objectives beyond mere data theft. Analysts speculate it could be linked to geopolitical interests in the Middle East, particularly given the target's regional significance and recurring selection for attack.

These campaigns blend social engineering with custom malware: they exploit not so much software vulnerabilities as institutional trust in routine business email, such as travel confirmations.

Global Reach: China's Cyber Tentacles Extend Across Continents

The MarsSnake incident isn't isolated. The same ESET report also outlines campaigns by other China-aligned groups, including PerplexedGoblin (APT31) and DigitalRecyclers (linked to APT15). In December 2024, PerplexedGoblin targeted a Central European government entity with NanoSlate, an espionage backdoor built for stealthy data exfiltration.

Meanwhile, DigitalRecyclers has continued to target EU government entities. Active since at least 2018, the group routes its traffic through a VPN relay network dubbed KMA ORB and has deployed implants such as RClient, HydroRShell, and GiftBox. HydroRShell is a notable step up: it uses Google's Protobuf to serialize its messages and Mbed TLS to encrypt its command-and-control traffic, which makes that traffic harder to inspect at the network boundary and complicates attribution.

"DigitalRecyclers likely operates within the Ke3chang and BackdoorDiplomacy umbrella, reflecting a constellation of Chinese cyber actors with complementary toolsets," the report notes.