thehackernews.com 2/24/2026, 10:36:35 AM · via preferred

UnsolicitedBooker uses phishing to hit Central Asian telcos

Primary Source ptsecurity.com

The threat activity cluster known as UnsolicitedBooker has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities. The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to Positive Technologies.

ESET first documented UnsolicitedBooker in May 2025, attributing to the China-aligned threat actor a cyber attack that targeted an unnamed international organisation in Saudi Arabia with a backdoor dubbed MarsSnake. The group has a history of targeting organisations in Asia, Africa and the Middle East. It carried out phishing-led campaigns in late 2025, and subsequent attempts in January 2026 leveraged decoy documents to deliver the backdoors.

LuciDoor is written in C++, establishes communication with a C2 server, collects basic system information, and exfiltrates data in encrypted form, while MarsSnake allows attackers to harvest system metadata and execute commands, including reading or writing files on disk.


Article by CyberSIXT