China-linked UnsolicitedBooker APT Used New Backdoor MarsSnake in Recent Attacks

Researchers at ESET have uncovered a new threat actor, tracked as UnsolicitedBooker, that has been using a sophisticated backdoor called MarsSnake to target an international organization in Saudi Arabia. The attacks were discovered in March 2023 and again in 2024, highlighting the persistence of this China-linked Advanced Persistent Threat (APT) group.

UnsolicitedBooker has been linked to several high-profile attacks on government organizations in Asia, Africa, and the Middle East. Using spear-phishing emails with fake flight ticket lures, the group has managed to breach systems and deliver malware. Their toolkit includes a range of backdoors, including Chinoxy, DeedRAT, Poison Ivy, and BeRAT, which are commonly associated with Chinese APT groups.

According to ESET researchers, the motivation behind UnsolicitedBooker's attacks is espionage and data theft. The group has deployed custom file stealers to gather sensitive information from their targets. "We believe that the motivation of this threat actor is espionage and data theft," reads the report published by ESET.

In January 2025, UnsolicitedBooker launched another spear-phishing attack against the same Saudi organization it had targeted previously. The phishing email, impersonating Saudia airline, came from saudia.etickets@outlook[.]com and included a fake flight ticket in a Word document, based on a PDF from Academia.edu.

Notably, researchers observed that UnsolicitedBooker reused the same ticket decoy from earlier attacks, embedding a VBA macro that drops a MarsSnake backdoor loader. The payload is saved as smssdrvhost.exe, and PDB paths confirm the MarsSnake name. The threat actors used the C&C server contact.decenttoy[.]top to coordinate their operations.
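The chain described above (a known phishing sender, a Word macro dropping a loader named smssdrvhost.exe, and contact with the C&C domain) translates directly into detection checks. The following Python is an added example, not code from ESET's report or from the original article: it runs three such checks over constructed sample telemetry, using only the indicators quoted on this page; the key=value log format and the assumption that the macro executes under winword.exe are mine.

```python
# Indicators quoted in the article, kept in the defanged form the page uses.
PHISH_SENDER = "saudia.etickets@outlook[.]com"
C2_DOMAIN = "contact.decenttoy[.]top"
DROPPED_LOADER = "smssdrvhost.exe"
OFFICE_PARENTS = {"winword.exe"}  # assumption: the VBA macro runs inside Word


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into its matchable form."""
    return ioc.replace("[.]", ".").lower()


# Constructed sample telemetry (not from the report): one event per line,
# space-separated key=value pairs from mail, process and DNS sensors.
SAMPLE_EVENTS = """\
type=email from=saudia.etickets@outlook.com attach=ticket.docm
type=process parent=winword.exe image=C:\\Users\\u\\AppData\\Roaming\\smssdrvhost.exe
type=dns host=contact.decenttoy.top
type=process parent=explorer.exe image=C:\\Windows\\notepad.exe
type=dns host=example.org
"""


def parse_event(line: str) -> dict:
    """Parse one 'k=v k=v' line into a dict (values contain no spaces)."""
    return dict(kv.split("=", 1) for kv in line.split())


def match_event(ev: dict):
    """Return the name of the rule this event trips, or None."""
    kind = ev.get("type")
    if kind == "email" and ev.get("from", "").lower() == refang(PHISH_SENDER):
        return "phish-sender"
    if kind == "process":
        # Compare only the file name, not the full path the loader was saved to.
        image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
        if image == DROPPED_LOADER and ev.get("parent", "").lower() in OFFICE_PARENTS:
            return "office-drops-loader"
    if kind == "dns" and ev.get("host", "").lower() == refang(C2_DOMAIN):
        return "c2-dns"
    return None


def scan(text: str) -> list:
    """Return (rule, line) pairs for every event that matches an indicator."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            rule = match_event(parse_event(line))
            if rule:
                hits.append((rule, line))
    return hits
```

Each rule on its own is weak evidence (a file name or a sender can be changed), so in practice the three hits on one host within a short window are what should raise the alert.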

Two more phishing attempts were also detected against the same target. "The multiple attempts at compromising this organization in 2023, 2024, and 2025 indicate a strong interest by UnsolicitedBooker in this specific target," concludes the report.

The MarsSnake Backdoor: A New Player in the APT Landscape

The introduction of MarsSnake marks a new development in the world of APTs. This backdoor is shared among multiple China-linked APT groups, highlighting its significance as a potential tool for espionage and data theft.

Implications and Recommendations

The discovery of UnsolicitedBooker and their use of MarsSnake highlights the importance of staying vigilant against targeted attacks. Organizations in Asia, Africa, and the Middle East should be on high alert for spear-phishing emails with fake flight ticket lures. Implementing robust security measures, such as multi-factor authentication and regular software updates, can help prevent successful attacks.

Further research is needed to understand the motivations behind UnsolicitedBooker's actions and the full scope of their operations. As the threat landscape continues to evolve, it is essential for organizations and individuals to stay informed about emerging threats and take proactive steps to protect themselves.

Stay Safe Online

To avoid falling victim to spear-phishing attacks like UnsolicitedBooker's, follow these best practices:

  • Be cautious when receiving unsolicited emails with attachments or links.
  • Verify the authenticity of emails before responding or downloading attachments.
  • Use multi-factor authentication to add an extra layer of security to your online accounts.
  • Regularly update your software and operating system to ensure you have the latest security patches.

By staying informed and taking proactive steps, we can reduce our risk of falling victim to attacks like UnsolicitedBooker's.