UnsolicitedBooker runs a multi-year cyber espionage campaign

May 26, 2025
UnsolicitedBooker Cyberespionage Cybercriminals Hackers Saudi Arabia

A China-aligned threat actor known as UnsolicitedBooker has been linked to a sustained cyber-espionage campaign targeting an international organisation in Saudi Arabia.

The multi-year operation involved the deployment of a previously undocumented backdoor referred to as MarsSnake. The campaign was uncovered by a cybersecurity firm that first observed the intrusions in March 2023 and again in early 2024.

According to reports, the group infiltrated systems using spear-phishing emails disguised as flight ticket bookings. Its known targets include governmental organisations across Asia, Africa, and the Middle East.

The attacker’s toolkit comprises several backdoors (Chinoxy, DeedRAT, Poison Ivy, and BeRAT) that are commonly associated with Chinese state-linked hacking groups.

Researchers also believe that the group overlaps with a cluster known as Space Pirates and with another, unattributed group that previously deployed the Zardoor backdoor against a non-profit organisation in Saudi Arabia.

The China-aligned UnsolicitedBooker group uses phishing as its primary initial-access tactic in this cyberespionage campaign.

In the latest wave of the campaign, identified in January 2025, UnsolicitedBooker sent a phishing email purporting to be from a regional airline.

The email contained a Microsoft Word document with a decoy flight ticket adapted from a publicly available PDF originally hosted on an academic file-sharing platform.

Opening the document and enabling its macro content ran a malicious macro that dropped and launched an executable named “smssdrvhost.exe.” This loader installed MarsSnake, which then established a connection to a remote command-and-control (C2) server.
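The delivery chain above (a Word macro dropping and launching a loader from the user's profile) leaves a clear trace in process-creation telemetry: an Office application spawning an executable that lives in a user-writable directory. The following is an added detection example, not code from the original article or from the researchers who reported the campaign. It scans constructed JSON records shaped like Sysmon Event ID 1 (process creation); the field names, file paths, and the benign and malicious events are assumptions built for illustration, and the only indicator taken from the article is the loader name “smssdrvhost.exe.”

```python
"""Flag Office applications spawning executables from user-writable paths.

Added example: the events, paths and field names below are constructed to
resemble Sysmon Event ID 1 records and are not real telemetry from the
reported intrusion. The loader name "smssdrvhost.exe" is from the article;
everything else is an assumption for illustration.
"""
import json
from typing import Iterable

# Office applications that should not normally spawn executables
# out of user-writable directories.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Loader name reported in the campaign (the one indicator taken from the text).
KNOWN_LOADER_NAMES = {"smssdrvhost.exe"}

# Directories a macro can write to without elevation
# (assumption: a typical Windows user-profile layout).
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious (empty list if benign)."""
    reasons = []
    parent = basename(event.get("ParentImage", ""))
    image_path = event.get("Image", "").lower()
    image = basename(image_path)
    if parent in OFFICE_PARENTS:
        if image in KNOWN_LOADER_NAMES:
            reasons.append(f"{parent} launched known loader name {image}")
        if image_path.startswith(USER_WRITABLE_PREFIXES) and image.endswith(".exe"):
            reasons.append(f"{parent} launched an executable from a user-writable path")
    return reasons


def scan(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Parse one JSON event per line; return (child image, reasons) for each hit."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = classify(event)
        if reasons:
            hits.append((event.get("Image", ""), reasons))
    return hits


# Constructed sample telemetry (not real logs). Line 1 mirrors the reported
# chain, line 2 is Word being opened normally, line 3 is a legitimate Office
# child (print spooler helper), line 4 is an unnamed loader dropped into Temp.
SAMPLE_EVENTS = r"""
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Users\\user\\AppData\\Roaming\\smssdrvhost.exe", "CommandLine": "smssdrvhost.exe"}
{"EventID": 1, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "CommandLine": "WINWORD.EXE ticket.docm"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Windows\\System32\\splwow64.exe", "CommandLine": "splwow64.exe 12288"}
{"EventID": 1, "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE", "Image": "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe", "CommandLine": "update.exe"}
"""

if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS.splitlines()):
        print(image)
        for reason in reasons:
            print("  -", reason)
```

The path-based rule matters more than the file name: a renamed loader still trips it, while a name-only rule would not. The splwow64.exe line shows why a bare "Office spawned a process" rule is too noisy in practice, and why the user-writable-path condition is what carries the detection.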

The repeated targeting of the same Saudi organisation over three consecutive years underscores UnsolicitedBooker’s persistent interest in the entity.

Both MarsSnake and HydroRShell, another backdoor observed in the related activity, are full-featured backdoors capable of executing arbitrary commands and reading or writing files on compromised systems.

Each connects to remote servers for tasking and data exfiltration. Based on current observations, MarsSnake appears unique to UnsolicitedBooker, while HydroRShell has only been seen in the hands of the other, unattributed group.

Organisations in the Middle East, and in Saudi Arabia in particular, should train their employees to spot phishing messages, as phishing is the group’s primary attack vector. Because the observed chain relied on a Word macro, keeping Office’s default block on macros in documents downloaded from the internet in place, and alerting when an Office application spawns an executable from a user-writable directory, adds a technical control alongside that training.
