A technical analysis by Positive Technologies reported that the UnsolicitedBooker cluster deployed two backdoors, LuciDoor and MarsSnake, against telecommunications companies in Kyrgyzstan and Tajikistan between September 2025 and January 2026.
KEY FACTS
- Incident: Deployment of the LuciDoor and MarsSnake backdoors
- Targets: Telecommunications companies in Kyrgyzstan and Tajikistan
- Initial vector: Phishing emails carrying malicious Microsoft Office documents or links to them
- Timeline: Activity observed from September 2025 through January 2026
- Loaders: LuciLoad and MarsSnakeLoader, used to deliver the backdoors
The attacks began with phishing emails carrying a Microsoft Office document, or a link to one, that prompted recipients to enable macros. Once enabled, the macro dropped a C++ loader named LuciLoad, which in turn installed LuciDoor. A later campaign swapped in MarsSnakeLoader to deploy MarsSnake.
LuciDoor is written in C++ and can collect system information, encrypt and exfiltrate data, execute commands via cmd.exe, and perform file operations. MarsSnake can harvest system metadata, run arbitrary commands, and read or write files on disk.
In other observed variants a Windows LNK shortcut launched a batch script and a Visual Basic script that started MarsSnake directly, without a loader. Some decoy files carried indicators matching a publicly available pentesting tool. In at least one incident the attackers used a compromised router as a command-and-control server.
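The two execution chains above (Office macro spawning a shell that runs the loader; LNK shortcut starting a batch script that hands off to a VBScript) leave a recognisable parent-child process pattern. The following detection sketch is an added example written for this page, not code from the Positive Technologies analysis or from the UnsolicitedBooker tooling. It walks Sysmon-style process-creation records held as Python dictionaries; the field names, process images, file names and the assumption that the batch script is what launches the VBScript are all constructed for illustration and do not come from the report.

```python
# Added detection example (editor's illustration, not from the Positive Technologies
# report or the UnsolicitedBooker tooling). Flags the two execution chains described
# in the article in Sysmon-style process-creation records:
#   1. an Office application spawning a shell, script host or similar binary
#      (the macro dropping and running a loader such as LuciLoad);
#   2. cmd.exe running a .bat that launches wscript.exe/cscript.exe on a .vbs
#      (the assumed LNK -> batch -> VBScript chain that starts MarsSnake directly).
# Field names, process names and file names below are constructed assumptions.

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SUSPICIOUS_CHILDREN = SCRIPT_HOSTS | {
    "cmd.exe", "powershell.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
}

# Constructed sample telemetry: one benign cmd.exe, one macro-driven loader launch,
# one LNK-style batch -> VBS chain. Not real incident data.
SAMPLE_EVENTS = [
    {"pid": 1000, "ppid": 500, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 1100, "ppid": 1000,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" /n "C:\Users\u\Downloads\invoice.docm"'},
    {"pid": 1200, "ppid": 1100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\ld.exe"'},
    {"pid": 2000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\report.bat"'},
    {"pid": 2100, "ppid": 2000, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\u\AppData\Roaming\run.vbs"'},
    {"pid": 3000, "ppid": 1000, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir"},
]


def basename(path):
    """Lower-cased file name taken from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, pid, chain) tuples for every event matching either chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        child = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        if parent is None:
            continue  # root of the visible tree, nothing to correlate against
        parent_img = basename(parent["image"])

        # Rule 1: Office parent -> shell / script host. Legitimate macros rarely
        # need cmd.exe or wscript.exe, so this is a high-signal indicator of a
        # macro dropping and executing a payload such as a loader.
        if parent_img in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
            alerts.append(("office_spawns_lolbin", e["pid"],
                           f"{parent_img} -> {child}"))

        # Rule 2: cmd.exe running a .bat that starts a script host on a .vbs,
        # the loader-less batch -> VBScript start-up assumed for the LNK variant.
        if (child in SCRIPT_HOSTS and parent_img == "cmd.exe"
                and ".bat" in parent["cmdline"].lower()
                and ".vbs" in e["cmdline"].lower()):
            alerts.append(("batch_to_vbs", e["pid"],
                           f"cmd.exe({parent['pid']}) -> {child}"))
    return alerts


if __name__ == "__main__":
    for rule, pid, chain in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {chain}")
```

Against the constructed sample the script raises one alert for each malicious chain and none for the benign cmd.exe. In real telemetry correlate on the process GUID rather than the PID, since PIDs are recycled, and expect the LNK variant to appear as explorer.exe spawning cmd.exe with the batch file on its command line; the shortcut path itself is usually not visible, so the parent chain is the signal to key on.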
The cluster has shifted between the two backdoors over time and shows tactical overlaps with other actor clusters. The activity was previously linked to an attack on a Saudi Arabian organization and the actor is assessed to have been active since at least March 2023.
WHY IT MATTERS
The use of multiple loaders and execution methods against telecom firms raises the risk of data theft and service disruption for regional operators. Filtering phishing attachments and links at the mail gateway, and enforcing Office policies that block macros in documents received from the internet, would cut off the initial access methods described here; monitoring Office applications for unexpected child processes covers the cases where a document still gets through.