UnsolicitedBooker Deploys MarsSnake Against Telecom Providers

Threat Group – UnsolicitedBooker
Threat Type – Backdoor / Advanced Persistent Threat
Exploited Vulnerabilities – CVE-2018-0802
Malware Used – MarsSnake, MarsSnakeLoader, LuciDoor, LuciLoad
Threat Score – 8.7 🔥 Critical – State aligned espionage platform with wormable capability, decentralised IPFS command fallback, telecommunications targeting, long term persistence and advanced evasion techniques
Last Threat Observation – 24 February 2026


Overview

The MarsSnake backdoor represents a significant escalation in China aligned cyber espionage activity targeting Central Asia and the Middle East. Deployed by the advanced persistent threat cluster tracked as UnsolicitedBooker, MarsSnake has evolved from a focused espionage implant used against Saudi governmental and international entities into a modular and resilient backdoor platform targeting telecommunications providers in Kyrgyzstan and Tajikistan.

Public reporting links UnsolicitedBooker activity back to at least March 2023, with expanded documentation through 2025 and early 2026. Earlier campaigns concentrated on Saudi Arabia and regional organisations. However, activity observed between September 2025 and February 2026 demonstrates a strategic pivot toward Central Asian telecommunications infrastructure.

MarsSnake is written in C++ and structured as a multi stage toolset. It combines encrypted payload delivery, custom loader execution, DLL side loading, COM hijacking persistence, decentralised command channels and limited worm like propagation capability.

The targeting of telecommunications providers significantly increases strategic impact. Access to telecom networks enables upstream communications interception, long term intelligence collection and regional communications mapping.


Key Details

Delivery Method

Spear phishing emails using travel themed decoys, malicious Microsoft Office documents, Windows shortcut files disguised as Word documents, template injection exploiting CVE-2018-0802, and DLL side loading through legitimate Microsoft executables.

Target

Government entities, academic institutions, international organisations and telecommunications providers in Saudi Arabia, Kyrgyzstan, Tajikistan and broader Central Asia.

Functions

  • System metadata harvesting including hostnames, user accounts, operating system information and network configuration
  • Arbitrary command execution via cmd.exe providing remote shell capability
  • File system access enabling read, write, move and delete operations
  • Secondary payload deployment including LuciDoor and in some cases Morpheus ransomware
  • External storage scanning and infection enabling limited worm like propagation

Obfuscation

  • Encrypted strings for API calls, registry paths and command servers
  • Runtime API resolution through hashing
  • Control flow flattening and junk code insertion
  • Anti debugging and sandbox detection logic
  • DLL side loading via signed Microsoft binaries

Attack Vectors

Spear Phishing Campaigns

UnsolicitedBooker relies heavily on targeted spear phishing emails. Early campaigns used malicious Word documents impersonating Saudia Airlines flight tickets. These documents either contained macros or leveraged remote template injection.

In campaigns targeting Kyrgyz telecommunications operators, decoy documents referenced SIM card tariffs and telecommunications administrative themes relevant to local operations.

Windows Shortcut Execution Chain

A key refinement observed in 2026 is the use of Windows shortcut files with names resembling document.doc.lnk. These appear as Word documents but execute commands when opened.

The execution flow typically involves:

  1. LNK file launches cmd.exe
  2. Batch script executes
  3. Visual Basic Script such as help.log runs
  4. MarsSnake payload is decrypted and executed

Tooling overlap with publicly available FTPlnk phishing utilities has been observed in some campaigns.

Exploitation of CVE-2018-0802

UnsolicitedBooker continues to exploit CVE-2018-0802, a memory corruption flaw within Microsoft Office Equation Editor. Through remote template injection, attackers achieve remote code execution without requiring macro enablement on unpatched systems.

The continued exploitation of this legacy vulnerability demonstrates awareness of slow patch cycles within regional infrastructure and government environments.

Loader and Persistence

The MarsSnakeLoader component is commonly saved as smssdrvhost.exe. The name mimics legitimate Windows processes to evade detection.

Loader responsibilities include:

  • Virtual machine and debugger detection
  • AES CBC decryption of embedded payload
  • Registry modification and COM hijacking for persistence

Embedded PDB paths such as D:\yu_project\MarsSnake\bin_shellcode\load_http_64.pdb confirm structured internal development processes.

DLL Side Loading

In Kyrgyzstan focused campaigns, attackers used the legitimate Microsoft executable Plasrv.exe to side load a malicious PDH.DLL file from user directories including:

C:\Users\admin\AppData\Local\Microsoft\PlayReady\

This technique enables malicious execution under trusted signed binaries, bypassing basic application control mechanisms.


Command and Control Infrastructure

DNS and HTTP Based Infrastructure

Observed command servers include domains such as contact.decenttoy[.]top and button.gdakdbysw[.]xyz. Shared infrastructure has been noted between MarsSnake and LuciDoor operations.

IPFS Fallback Communication

MarsSnake incorporates fallback communication using InterPlanetary File System nodes. IPFS is a distributed peer to peer file system that complicates takedown efforts. If traditional DNS or HTTP command channels are blocked, the malware pivots to decentralised nodes.

Russian Infrastructure Mimicry

Domains mimicking Russian services such as mail.ru.cdhgwnjjcw[.]xyz have been observed. This likely serves attribution confusion and geopolitical misdirection.

Compromised MikroTik Routers

Command infrastructure has been identified on compromised MikroTik routers exhibiting outdated PolarSSL fingerprints on port 443. Leveraging compromised networking hardware allows malicious traffic to blend into legitimate administrative flows.

Webhook Tracking

The service webhook[.]site has been used for tracking pixel style beacons to confirm document execution before deploying full payload stages.


Lateral Movement and Propagation

The 2026 MarsSnake variant includes logic for scanning and infecting removable storage devices. When an infected USB device is connected to another host, LNK based triggers can execute the payload.

While not a fully autonomous network worm in all cases, this capability introduces air gap traversal risk within segmented environments, particularly within telecommunications and governmental sectors.


Known Indicators of Compromise

File Hashes SHA256

01f28cefdcf3940c19efd7a0446aa0e56c56bc7c955774c94d6d469fca627a4e
e6a28b3833384018bad60043c82bb4cfcce86a3418ece86ea0d71c7aac9ca22b
2d1c235ddc76d427c48c39c22e6dc50141f09734270eaf01778713f987e99cc4

Domains

contact[.]decenttoy[.]top
button[.]gdakdbysw[.]xyz
mail[.]ru[.]cdhgwnjjcw[.]xyz

URLs

hxxps[:]//webhook[.]site/

IP Addresses

93[.]157[.]106[.]75
81[.]70[.]28[.]71

Filenames

smssdrvhost.exe
Perfrom.exe
PDH.DLL
Plasrv.exe
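The indicator list above is printed defanged. The following is an added example (not tooling from the report or any of its sources) that refangs that list as printed, then matches it against constructed DNS, proxy, TLS and EDR log lines. Domain matching is done on a label boundary so that a benign query for mail.ru does not collide with the look-alike mail.ru.cdhgwnjjcw.xyz, while genuine subdomains of a listed domain still match. The key=value log format and all log values are assumptions made for the demonstration.

```python
"""Refang the indicators listed above and match them against log lines.

Added example for this advisory, not tooling from the report. IOC_TEXT is
the indicator list as printed on this page; the log lines are constructed.
"""
import re

IOC_TEXT = """
File Hashes SHA256
01f28cefdcf3940c19efd7a0446aa0e56c56bc7c955774c94d6d469fca627a4e
e6a28b3833384018bad60043c82bb4cfcce86a3418ece86ea0d71c7aac9ca22b
2d1c235ddc76d427c48c39c22e6dc50141f09734270eaf01778713f987e99cc4
Domains
contact[.]decenttoy[.]top
button[.]gdakdbysw[.]xyz
mail[.]ru[.]cdhgwnjjcw[.]xyz
URLs
hxxps[:]//webhook[.]site/
IP Addresses
93[.]157[.]106[.]75
81[.]70[.]28[.]71
Filenames
smssdrvhost.exe
Perfrom.exe
PDH.DLL
Plasrv.exe
"""

# Section heading as printed on the page -> indicator category.
SECTIONS = {"file hashes sha256": "sha256", "domains": "domain", "urls": "url",
            "ip addresses": "ip", "filenames": "filename"}


def refang(token):
    """Undo the [.] / [:] / hxxp defanging so the value can be compared with logs."""
    return token.replace("[.]", ".").replace("[:]", ":").replace("hxxp", "http")


def load_iocs(text):
    """Parse the page's own IOC layout: a heading line followed by one value per line."""
    iocs = {cat: set() for cat in SECTIONS.values()}
    current = None
    for raw in text.splitlines():
        line = raw.strip().lower()
        if not line:
            continue
        if line in SECTIONS:
            current = SECTIONS[line]
        elif current:
            iocs[current].add(refang(line))
    return iocs


def url_host(url):
    return re.sub(r"^https?://", "", url).split("/")[0]


def host_matches(host, domain):
    # Exact or subdomain match on a label boundary: mail.ru must not match
    # mail.ru.cdhgwnjjcw.xyz, but any subdomain of a listed domain should.
    return host == domain or host.endswith("." + domain)


def scan_line(line, iocs):
    """Return (category, value) pairs for every indicator found in one log line."""
    low = line.lower()
    hits = []
    hits += [("sha256", h) for h in re.findall(r"\b[0-9a-f]{64}\b", low) if h in iocs["sha256"]]
    hits += [("ip", ip) for ip in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", low) if ip in iocs["ip"]]
    for host in re.findall(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)+\b", low):
        hits += [("domain", host) for d in iocs["domain"] if host_matches(host, d)]
        # webhook.site is a shared public service: a match means review, not block.
        hits += [("url_host", host) for u in iocs["url"] if host_matches(host, url_host(u))]
    hits += [("filename", f) for f in re.findall(r"\b[a-z0-9_]+\.(?:exe|dll)\b", low)
             if f in iocs["filename"]]
    return hits


# Constructed log lines (DNS, proxy, TLS, EDR) in a generic key=value form.
SAMPLE_LOGS = [
    "2026-02-20T09:14:03Z dns client=10.20.0.15 query=contact.decenttoy.top type=A",
    "2026-02-20T09:14:09Z proxy src=10.20.0.15 dst=81.70.28.71:443 method=POST path=/",
    "2026-02-20T09:15:11Z dns client=10.20.0.22 query=mail.ru type=A",
    "2026-02-20T09:15:40Z dns client=10.20.0.15 query=mail.ru.cdhgwnjjcw.xyz type=A",
    "2026-02-20T09:16:02Z tls src=10.20.0.15 sni=webhook.site dst=198.51.100.10:443",
    r"2026-02-20T09:16:30Z edr host=WS-0042 image=C:\Users\admin\AppData\Roaming\smssdrvhost.exe "
    "sha256=01f28cefdcf3940c19efd7a0446aa0e56c56bc7c955774c94d6d469fca627a4e",
]

if __name__ == "__main__":
    iocs = load_iocs(IOC_TEXT)
    for line in SAMPLE_LOGS:
        for category, value in scan_line(line, iocs):
            print(f"{category:9} {value:45} {line[:20]}")
```

Filename and webhook.site matches are triage signals rather than verdicts: Plasrv.exe and PDH.DLL are names of legitimate Microsoft components, and webhook.site is used by many benign automations, so those hits should be confirmed against the path, signature and process context rather than blocked on sight.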


Mitigation and Prevention

Mitigation Checklist

User Awareness
Conduct phishing simulations that include LNK disguised documents and telecom themed decoys.

Email Filtering
Block LNK attachments at gateway level. Enable attachment sandboxing for Office and shortcut files.

Antivirus Protection
Deploy EDR or XDR solutions with behavioural detection focused on DLL side loading and COM hijacking.

Two Factor Authentication
Enforce strong multi factor authentication across administrative and privileged accounts.

Log Monitoring
Alert when cmd.exe or powershell.exe is spawned by LNK files. Monitor legitimate Microsoft binaries loading DLLs from user writable directories.

Regular Updates
Ensure all Microsoft Office installations are patched against CVE-2018-0802. Audit for unsupported legacy versions.

External Media Controls
Restrict USB device usage in sensitive environments. Enable device control logging and blocking.

Network Monitoring
Inspect outbound traffic for IPFS related protocols. Monitor for connections to known suspicious infrastructure and compromised router fingerprints.
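The Log Monitoring and Email Filtering items above, together with the execution chain, loader and DLL side loading sections, describe four observable patterns: a shell started from a shortcut that hands off to a batch file and script host, a script host executing a file with a non script extension such as help.log, a signed Microsoft binary loading a DLL from a user writable directory, and a per user COM registration used for persistence. The following is an added example (not the report's or any vendor's detection content) that encodes those patterns as hunt rules over constructed, loosely Sysmon shaped events. The event field names, the sample paths, the all zero CLSID and the small list of System32 DLL names are assumptions for the demonstration.

```python
"""Hunt rules for the LNK chain, DLL side loading and COM hijacking persistence.

Added example for this advisory, not tooling from the report. Events are
constructed dictionaries in a loosely Sysmon-like shape (EventID 1 process
creation, 7 image load, 13 registry value set); the field names and the
sample values are assumptions made for the demonstration.
"""
import re

# Paths a standard user can write to: DLL loads and COM registrations from
# here are the side loading and persistence patterns described above.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|^[a-z]:\\(programdata|windows\\temp|temp)\\",
    re.IGNORECASE,
)
SYSTEM_DIRS = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.IGNORECASE)
PER_USER_HIVE = re.compile(r"^(hkcu|hku\\s-1-5-21-[0-9-]+)\\", re.IGNORECASE)
COM_INPROC = re.compile(r"\\classes\\clsid\\\{[0-9a-f-]+\}\\inprocserver32", re.IGNORECASE)
SHELLS = {"cmd.exe", "powershell.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh")
# DLL names that ship in System32; a same-named copy loaded from elsewhere is a
# side loading candidate (constructed subset, extend it from a golden image).
SYSTEM_DLL_NAMES = {"pdh.dll", "version.dll", "dbghelp.dll", "wininet.dll"}


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def is_disguised_lnk(name):
    """document.doc.lnk style: a document extension hidden in front of .lnk."""
    return re.search(r"\.(docx?|xlsx?|pptx?|pdf|rtf)\.lnk$", name, re.IGNORECASE) is not None


def check_process(ev):
    hits = []
    image, parent = basename(ev["Image"]), basename(ev["ParentImage"])
    cmd = ev.get("CommandLine", "")
    # Shell started straight from Explorer (how a double clicked LNK runs its
    # target) that hands off to a batch file or script host. Heuristic: tune it
    # against the admin scripts that are normal in your environment.
    if image in SHELLS and parent == "explorer.exe" and re.search(
        r"\.(bat|cmd)\b|\b[wc]script", cmd, re.IGNORECASE
    ):
        hits.append(("LNK_SHELL_CHAIN", cmd))
    # Script host running a file whose extension is not a script type, as with
    # the help.log stage described above. Host switches such as //nologo are skipped.
    if image in SCRIPT_HOSTS:
        args = [a for a in cmd.split() if not a.startswith("//")][1:]
        hits.extend(("SCRIPT_HOST_ODD_EXTENSION", a) for a in args
                    if not a.lower().endswith(SCRIPT_EXTS))
    return hits


def check_image_load(ev):
    loaded = ev["ImageLoaded"]
    if (basename(loaded) in SYSTEM_DLL_NAMES and not SYSTEM_DIRS.match(loaded)
            and (USER_WRITABLE.match(loaded) or not ev.get("Signed", False))):
        return [("DLL_SIDELOAD", f"{basename(ev['Image'])} loaded {loaded}")]
    return []


def check_registry(ev):
    # COM hijacking: a per user InprocServer32 value pointing at a user
    # writable DLL shadows the machine wide registration of that CLSID.
    target, data = ev["TargetObject"], ev.get("Details", "")
    if PER_USER_HIVE.match(target) and COM_INPROC.search(target) and USER_WRITABLE.match(data):
        return [("COM_HIJACK_PERSISTENCE", f"{target} -> {data}")]
    return []


RULES = {1: check_process, 7: check_image_load, 13: check_registry}


def hunt(events):
    """Return (rule, detail) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        hits.extend(RULES.get(ev["EventID"], lambda _ev: [])(ev))
    return hits


# Constructed sample telemetry: four true positives, two benign controls, and
# a placeholder (all zero) CLSID standing in for whichever class is hijacked.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\admin\AppData\Local\Temp\run.bat"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\cscript.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cscript.exe //nologo C:\Users\admin\AppData\Local\Temp\help.log"},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r'"WINWORD.EXE" /n'},
    {"EventID": 7, "Image": r"C:\Users\admin\AppData\Local\Microsoft\PlayReady\Plasrv.exe",
     "ImageLoaded": r"C:\Users\admin\AppData\Local\Microsoft\PlayReady\PDH.DLL", "Signed": False},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\pdh.dll", "Signed": True},
    {"EventID": 13, "Details": r"C:\Users\admin\AppData\Local\Temp\srv.dll",
     "TargetObject": r"HKU\S-1-5-21-1000-2000-3000-1001\Software\Classes\CLSID"
                     r"\{00000000-0000-0000-0000-000000000000}\InprocServer32\(Default)"},
]

if __name__ == "__main__":
    for rule, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule}: {detail}")
```

The side loading rule keys on a DLL name that belongs in System32 appearing outside it, which is why the legitimate pdh.dll load by svchost.exe is not flagged while the copy under PlayReady is; the COM rule fires only on a per user hive because that is where a hijack shadows the machine wide registration without administrative rights. is_disguised_lnk is the gateway side check for the document.doc.lnk naming described above.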


Risk Assessment

MarsSnake warrants a critical threat rating due to its state aligned attribution, telecommunications targeting, decentralised command infrastructure and persistence mechanisms.

The compromise of telecom providers enables upstream interception of SMS, voice and data traffic. It facilitates long term intelligence collection and strategic regional monitoring.

The use of IPFS fallback channels increases campaign resilience and complicates infrastructure takedown. The continued exploitation of legacy vulnerabilities demonstrates pragmatic targeting of weak patch management environments.

The concurrent deployment of LuciDoor indicates tool rotation strategies designed to evade regional detection signatures.

Given the geopolitical importance of Kyrgyzstan and Tajikistan within major economic corridors, continued targeting activity is highly probable.


Conclusion

The MarsSnake backdoor reflects the continued evolution of China aligned espionage operations toward resilient, modular and decentralised platforms.

Organisations within telecommunications, government and critical infrastructure sectors across Central Asia and the Middle East should treat MarsSnake as an active and ongoing threat.

Defensive posture must prioritise behavioural monitoring, LNK execution control, DLL side loading detection, IPFS traffic inspection and rigorous patch management.

The strategic pivot toward telecommunications infrastructure suggests long term intelligence objectives rather than opportunistic intrusion. Proactive threat hunting aligned with the indicators listed above is strongly recommended.


Sources

The Hacker News - UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors - https://thehackernews.com/2026/02/unsolicitedbooker-targets-central-asian.html

Security Affairs - China linked UnsolicitedBooker used a new backdoor, MarsSnake, to target an international organization in Saudi Arabia - https://securityaffairs.com/178105/malware/china-linked-unsolicitedbooker-used-new-backdoor-marssnake.html

SISA - MarsSnake malware linked to Chinese cyber espionage campaign targeting Saudi Arabia - https://www.sisainfosec.com/weekly-threat-watch/marssnake-malware-linked-to-chinese-cyber-espionage-campaign-targeting-saudi-arabia/