Chinese Hackers Unleash MarsSnake Backdoor in Targeted Attacks on Saudi Organization

Threat hunters have uncovered a sophisticated espionage campaign launched by a China-aligned threat actor known as UnsolicitedBooker, which has targeted an unnamed international organization in Saudi Arabia using a previously undocumented backdoor called MarsSnake. The cybersecurity firm ESET made this revelation after identifying the group’s intrusions, which began in March 2023 and continued into 2024.

The attacks typically employ spear-phishing emails disguised as flight tickets to infiltrate their targets. According to ESET’s latest APT Activity Report, the threat actor’s operations have predominantly focused on governmental organizations across Asia, Africa, and the Middle East. This highlights a persistent level of interest in targeting critical infrastructure and institutions in these regions, including the Kingdom of Saudi Arabia.

Notably, the MarsSnake backdoor is used alongside an arsenal of other backdoors frequently employed by Chinese hacking groups, such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT. ESET suggests that the operational tactics of UnsolicitedBooker overlap with those of another hacking collective tracked as Space Pirates, which has also been observed launching attacks against various sectors.

In recent incidents, phishing emails were sent posing as communications from Saudia Airlines regarding flight bookings. These emails carried Microsoft Word document attachments that, when opened, executed a macro to install the MarsSnake backdoor. The backdoor then establishes communication with a remote command-and-control server, a further indication of this threat actor's capabilities. The persistence of UnsolicitedBooker's attempts over multiple years reflects a deliberate, long-term strategy for infiltrating this Saudi entity.