
A cluster of threat activity known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a change from previous attacks targeting Saudi companies.
According to a report published last week by Positive Technologies, the attack involved the deployment of two different backdoors, codenamed LuciDoor and MarsSnake.
“The group used some unique and unusual instruments of Chinese origin,” researchers Alexander Badaev and Maxim Shamanov said.
UnsolicitedBooker was first documented by ESET in May 2025, when China-aligned attackers used a backdoor called MarsSnake in a cyberattack targeting an unnamed international organization in Saudi Arabia. The group is assessed to have been active since at least March 2023 and has a history of targeting organizations in Asia, Africa, and the Middle East.
Further analysis of this threat actor revealed tactical overlap with two other clusters: Space Pirates and an as-yet-unattributed campaign targeting Saudi Arabia with another backdoor called Zardoor.
The latest in a series of attacks documented by a Russian cybersecurity vendor targeted organizations in Kyrgyzstan in late September 2025, with phishing emails containing Microsoft Office documents. The phishing email instructed recipients to “enable content” in order to run malicious macros when opened.
Although the document displays the victim’s telecommunications provider’s pricing plan, the macro secretly drops a C++ malware loader called LuciLoad, which delivers LuciDoor. Another attack observed in late November 2025 employed the same technique, only this time a different loader codenamed MarsSnakeLoader was used to deploy MarsSnake.
As recently as January 2026, UnsolicitedBooker is said to have used phishing emails to target businesses in Tajikistan. The overall attack chain is the same, but instead of the decoy document being attached directly to the message, a link to it is embedded in the email body.
Written in C++, LuciDoor establishes communication with a command-and-control (C2) server, collects basic system information, and exfiltrates the data to the server in encrypted form. It then parses the server's response and, depending on the command, executes commands via cmd.exe, writes files to disk, or uploads files to the server.

MarsSnake similarly allows attackers to collect system metadata, execute arbitrary commands, and read and write arbitrary files on disk.
Positive Technologies said it also found evidence that MarsSnake was used in attacks targeting China. The starting point is a Windows shortcut that masquerades as a Microsoft Word document (*.doc.lnk). Opening it runs a batch script, which launches a Visual Basic script that starts MarsSnake without the loader component.
The decoy file appears to be based on an LNK file associated with a publicly available penetration testing tool called FTPlnk_phishing, as the creation time and machine ID stored in the LNK file are identical. It is worth noting that similar LNK files were used by the Mustang Panda group in attacks targeting Thailand in 2022.
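A triage helper for the LNK pivot described above, added here as an example and not part of Positive Technologies' report or the FTPlnk_phishing tool: it reads the CreationTime from the ShellLinkHeader and the MachineID from the TrackerDataBlock (field offsets per Microsoft's MS-SHLLINK specification) so an analyst can compare those values across shortcut samples. The sample shortcut, its machine name and its timestamp are constructed for the demonstration, not values from the actor's file.

```python
import struct
from datetime import datetime, timedelta, timezone

LNK_MAGIC = 0x0000004C          # ShellLinkHeader.HeaderSize, always 0x4C
TRACKER_SIG = 0xA0000003        # TrackerDataBlock signature (MS-SHLLINK 2.5.10)
# LinkFlags bits (MS-SHLLINK 2.1.1): which optional structures follow the header
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON = (1 << i for i in range(7))
IS_UNICODE = 1 << 7

def filetime_to_dt(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Return the header creation time and TrackerDataBlock MachineID of a .lnk file."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != LNK_MAGIC:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    ctime = struct.unpack_from("<Q", data, 0x1C)[0]
    pos = 0x4C
    if flags & HAS_IDLIST:                       # LinkTargetIDList: u16 size + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:                     # LinkInfo: u32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for bit in (HAS_NAME, HAS_RELPATH, HAS_WORKDIR, HAS_ARGS, HAS_ICON):
        if flags & bit:                          # StringData: u16 char count + chars
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + n * (2 if flags & IS_UNICODE else 1)
    machine_id = None
    while pos + 4 <= len(data):                  # ExtraData: (u32 size, u32 signature) blocks
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8:                             # TerminalBlock (size < 4) or truncated data
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        if sig == TRACKER_SIG and size >= 0x60:
            raw = data[pos + 16:pos + 32]        # MachineID: 16-byte NUL-padded NetBIOS name
            machine_id = raw.split(b"\0", 1)[0].decode("ascii", "replace")
        pos += size
    return {"creation_time": filetime_to_dt(ctime), "machine_id": machine_id}

def build_sample_lnk(machine_id, creation_filetime):
    """Constructed minimal LNK: header + unicode NAME_STRING + TrackerDataBlock + terminator."""
    flags = HAS_NAME | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIH10s", LNK_MAGIC, b"\0" * 16, flags, 0,
                         creation_filetime, 0, 0, 0, 0, 1, 0, b"\0" * 10)
    name = "invoice.doc".encode("utf-16-le")
    name_block = struct.pack("<H", len(name) // 2) + name
    tracker = struct.pack("<IIII16s32s32s", 0x60, TRACKER_SIG, 0x58, 0,
                          machine_id.encode().ljust(16, b"\0"), b"\0" * 32, b"\0" * 32)
    return header + name_block + tracker + struct.pack("<I", 0)

# Constructed sample: the machine name and timestamp are made up, not the actor's values
SAMPLE_LNK = build_sample_lnk("desktop-test", 125911584000000000)  # 2000-01-01T00:00:00Z
```

Running `parse_lnk` over a set of suspicious shortcuts and grouping by the returned pair is the check that surfaces shared tooling like the FTPlnk_phishing overlap noted above.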
“In the attack, the group used unusual tools of Chinese origin,” Positive Technologies said. “Interestingly, the group initially used a backdoor they named LuciDoor, but later switched to the MarsSnake backdoor. However, in 2026, the group made a U-turn and resumed using LuciDoor.”
“Furthermore, in at least one case, we observed that attackers were using hacked routers as C2 servers, and in some attacks their infrastructure mimicked Russian infrastructure.”
PseudoSticky and Cloud Atlas target Russia
The disclosure comes as a previously unknown threat actor has been observed deliberately copying the tactics of a pro-Ukrainian hacker group called Sticky Werewolf (also known as Angry Likho, MimiStick, and PhaseShifters), using malware such as RemcosRAT and DarkTrack RAT to attack Russian organizations in the retail, construction, and research sectors with the goal of wholesale data theft and remote control.
The new group, called PseudoSticky, has been active since November 2025. Victims are typically infected via phishing emails carrying malicious attachments that lead to trojan deployment. There are indications that the threat actors rely on large language models (LLMs) to develop attack chains that drop DarkTrack RAT via PureCrypter.
Russian security vendor F6 said: “More detailed analysis reveals differences in infrastructure, malware implementation, and individual tactical elements, leading us to infer that there is no direct link between the groups, but rather a deliberate imitation.”
Russian companies have also been targeted by another hacker group called Cloud Atlas, which uses phishing emails containing malicious Word documents to distribute custom malware known as VBShower and VBCloud.
“When a malicious document is opened, a remote template specified in one of the document streams is loaded from the C2,” says cybersecurity firm Solar. “This template exploits the CVE-2018-0802 vulnerability. This is followed by downloading a malicious file using an alternate stream, namely VBShower.”
