The threat hunters have exposed the tactics of a threat actor allied to China who targeted an unknown international organization in Saudi Arabia with a previously undocumented backdoor and dubbed Marssnake.
ESET, which first discovered the intrusion of a hacking group targeting an entity in March 2023, said that the activity is using spear phishing emails to infiltrate targets of interest using flight tickets.
“Unsolicited Bookers generally send tickets as decoys, with the goal of which includes government organizations in Asia, Africa and the Middle East,” the company said in its latest APT activity report for the period from October 2024 to March 2025.
Attacks attached by threat actors are characterized by the use of backdoors such as Chinoxy, Deedirat, Poison Ivy and Berat, which are widely used in Chinese hacking crews.
Unsolicited Bookers are evaluated to share overlap with clusters tracked as space pirates and clusters tracked as space pirates, which were found to be deployed by deploying backdoor code-named zardors to Saudi Arabia’s Islamic nonprofits.
The latest campaign discovered by Slovak cybersecurity company in January 2025 included sending phishing emails from Saudi Airlines about booking flights to the same Saudi organization.
“A Microsoft Word document is attached to your email. […] ESET is based on PDFs available online on the Academia website, a platform for sharing academic research that allows for uploading PDF files, but is a revised ticket.
After launching the Ward document triggers the execution of the VBA macro and decodes and writes the executable (“smssdrvhost.exe”) to the file system.[.]top”).
“Several attempts to infringe this organization in 2023, 2024 and 2025 demonstrate the strong interest of unsolicited bookers in this particular target,” ESET said.
This disclosure comes as another Chinese threat actor who was tracked in December 2024 as Perplexedgoblin (aka APT31), who targeted central European government agencies to deploy a backdoor for spying, known as Nanoslate.
ESET said Digital Recyclers identified ongoing attacks on European Union government agencies, leveraging KMA VPN Operational Relay Box (ORB) networks to hide network traffic and deployed RCLIENT, HASTORSHELL and GIFTBOX backdoors.
Digital Recyclers was first detected by the company in 2021, but is believed to have been active since at least 2018.
“Digital Recyclers, which are likely linked to Ke3chang and Backdoordiplomacy, operate within the APT15 galaxy,” says ESET. “They will deploy RCLIANT Implants, a variant of Project KMA Stealer. In September 2023, the group introduced a new backdoor Hydrorshell, which uses Google’s Protobuf and MBed TLS for C&C communications.”
Source link
