Cybersecurity researchers are tracking a threat activity cluster, dubbed UnsolicitedBooker, that has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan. This marks a notable shift from previous attacks attributed to the group, which were primarily aimed at Saudi Arabian entities.
The UnsolicitedBooker group is employing two distinct backdoors, codenamed LuciDoor and MarsSnake, in its recent campaigns, according to a report from Positive Technologies. These advanced persistent threats highlight evolving tactics within the cybersecurity landscape, particularly concerning state-aligned actors and their targets.
UnsolicitedBooker’s Shifting Targets and Tactics
UnsolicitedBooker was first identified by ESET in May 2025, when it was linked to a cyberattack against an unnamed international organization in Saudi Arabia utilizing the MarsSnake backdoor. The group is believed to have been active since at least March 2023, with a historical focus on organizations across Asia, Africa, and the Middle East.
Further analysis by security researchers has revealed tactical overlaps between UnsolicitedBooker and other threat actor clusters, including Space Pirates and an as-yet-unattributed campaign that also targeted Saudi Arabia with a backdoor known as Zardoor. These connections suggest a potential for collaboration or shared tooling among certain threat groups.
The latest documented attacks by UnsolicitedBooker occurred in late September 2025, targeting Kyrgyz organizations through phishing emails. These emails contained Microsoft Office documents that, when opened, prompted recipients to “Enable Content” to execute a malicious macro. While the document displayed a decoy telecom provider’s tariff plan, the underlying macro stealthily deployed a C++ malware loader named LuciLoad, which in turn delivered the LuciDoor backdoor.
A similar modus operandi was observed in late November 2025, where the threat group used a different loader, codenamed MarsSnakeLoader, to deploy the MarsSnake backdoor. More recently, in January 2026, UnsolicitedBooker continued to leverage phishing emails as an initial access vector, this time targeting companies in Tajikistan. Although the overall attack chain remained consistent, the specific attack method involved embedding links to decoy documents rather than directly attaching them.
LuciDoor and MarsSnake: Capabilities and Deployment
The LuciDoor backdoor, written in C++, is designed to establish communication with a command-and-control (C2) server. It gathers basic system information and exfiltrates this data to the C2 server in an encrypted format. Subsequently, it parses responses from the server to execute commands using cmd.exe, write files to the compromised system, and upload additional files.
Similarly, the MarsSnake backdoor grants attackers the capability to harvest system metadata, execute arbitrary commands, and read or write any file on the disk. Positive Technologies also noted evidence of MarsSnake being used in attacks targeting China. In these instances, the attack chain began with a Windows shortcut file disguised as a Microsoft Word document (.doc.lnk). This shortcut initiated the execution of a batch script, which then launched a Visual Basic Script that deployed MarsSnake without requiring a separate loader component.
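As an added illustration (not code from the Positive Technologies report or either backdoor), a toy Python detector that walks constructed process-creation telemetry for the two delivery chains described above: an Office application spawning a child process after "Enable Content", and a document-named shortcut leading to cmd.exe running a batch file that launches a VBScript host. The event fields, image names and sample command lines are assumptions.

```python
from dataclasses import dataclass

@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # image file name, e.g. "winword.exe"
    cmdline: str   # full command line as logged

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LURE_EXTENSIONS = (".doc", ".docx", ".xls", ".pdf")

def is_double_extension_lnk(name: str) -> bool:
    """True for lures such as report.doc.lnk: a .lnk whose stem ends in a document extension."""
    n = name.lower()
    return n.endswith(".lnk") and n[:-4].endswith(LURE_EXTENSIONS)

def detect(events: list) -> list:
    """Return one alert string per suspicious parent/child chain found in the events."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue
        # Chain 1: macro-enabled document -> Office app spawns cmd.exe or another loader binary
        if parent.image in OFFICE_APPS and e.image not in OFFICE_APPS:
            alerts.append(f"office-spawn pid={e.pid}: {parent.image} -> {e.image}")
        # Chain 2: shortcut -> cmd.exe running a .bat -> script host (explorer is the grandparent)
        if e.image in SCRIPT_HOSTS and parent.image == "cmd.exe" and ".bat" in parent.cmdline.lower():
            grand = by_pid.get(parent.ppid)
            if grand is not None and grand.image == "explorer.exe":
                alerts.append(f"lnk-bat-vbs pid={e.pid}: explorer.exe -> cmd.exe -> {e.image}")
    return alerts

SAMPLE_EVENTS = [  # constructed telemetry for illustration, not from the report
    ProcEvent(100, 1, "explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, "winword.exe", 'winword.exe "tariff_plan.docm"'),
    ProcEvent(201, 200, "cmd.exe", "cmd.exe /c start loader.exe"),          # macro spawns loader
    ProcEvent(300, 100, "cmd.exe", "cmd.exe /c C:\\Users\\Public\\run.bat"),  # launched via invoice.doc.lnk
    ProcEvent(301, 300, "wscript.exe", "wscript.exe C:\\Users\\Public\\stage.vbs"),
    ProcEvent(400, 100, "cmd.exe", "cmd.exe /c dir"),                        # benign: no script host child
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```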
Researchers believe the decoy LNK file used in these attacks is based on a publicly available pentesting tool called FTPlnk_phishing, given identical LNK file creation times and Machine ID indicators. Notably, the Mustang Panda group was observed using a similar LNK file in attacks targeting Thailand in 2022, suggesting potential overlap in TTPs (tactics, techniques, and procedures).
Positive Technologies highlighted that UnsolicitedBooker has utilized “several unique and rare instruments of Chinese origin.” The report indicates a strategic shift in the group’s tooling, stating, “Interestingly, at the very beginning, the group used a backdoor we dubbed LuciDoor, but later switched to the MarsSnake backdoor. However, in 2026, the group made a U-turn and resumed using LuciDoor.”
In one observed case, attackers reportedly used a compromised router as a C2 server, and their infrastructure in some attacks mimicked that of Russia, adding another layer of complexity to attribution and defense.
Other Threat Activity Targeting Russia
The revelations about UnsolicitedBooker emerge amid separate reports of other threat actors targeting Russian entities. A previously unknown threat actor, referred to as PseudoSticky, has been deliberately mimicking the tactics of the pro-Ukrainian hacking group Sticky Werewolf. This new group, active since November 2025, has targeted Russian organizations in the retail, construction, and research sectors with malware such as RemcosRAT and DarkTrack RAT for data theft and remote control.
Indications suggest that PseudoSticky may have leveraged large language models (LLMs) in developing their attack chains, which have been observed deploying DarkTrack RAT via PureCrypter. However, Russian security vendor F6 notes that differences in infrastructure, malware implementation, and individual tactical elements suggest that this mimicry is deliberate rather than indicating a direct connection between the groups.
Russian entities have also been targeted by the Cloud Atlas hacking group. This group has employed phishing emails containing malicious Word documents to distribute custom malware known as VBShower and VBCloud. When opened, these malicious documents exploit the CVE-2018-0802 vulnerability to load a remote template from a C2 server, subsequently downloading the malicious VBShower file via alternate data streams.
Outlook and Future Considerations
The evolving threat landscape, with groups like UnsolicitedBooker shifting targets and employing sophisticated tooling, underscores the continuous need for vigilance in the telecommunications sector and beyond. The targeting of critical infrastructure, such as telecom providers, presents a significant risk, potentially impacting national security and economic stability.
As threat actors refine their methods and exploit new vulnerabilities, organizations must prioritize robust cybersecurity measures, including advanced threat detection, regular security awareness training, and incident response planning. The continued observation of masked infrastructure and the potential use of AI in attack development suggest that future cyber threats will likely become even more complex and challenging to counter.
Moving forward, the cybersecurity community will be closely watching for further shifts in UnsolicitedBooker’s targeting and the effectiveness of defensive measures against the LuciDoor and MarsSnake backdoors. The ongoing investigation into PseudoSticky’s use of mimicry and LLMs also warrants close attention, as it could signal new trends in APT (Advanced Persistent Threat) operations.