Executive Summary
In late 2025 and early 2026, the China-aligned threat actor UnsolicitedBooker targeted telecommunications companies in Kyrgyzstan and Tajikistan. The group employed sophisticated phishing campaigns to deploy two distinct backdoors, LuciDoor and MarsSnake, enabling unauthorized access and data exfiltration. These attacks signify a strategic shift from UnsolicitedBooker's previous focus on Saudi Arabian entities to Central Asian infrastructure.
This incident underscores the evolving tactics of state-sponsored cyber-espionage groups and highlights the critical need for enhanced cybersecurity measures within the telecommunications sector. The use of rare tools of Chinese origin and the targeting of critical infrastructure emphasize the importance of vigilance and proactive defense strategies.
Why This Matters Now
The recent targeting of Central Asian telecommunications by UnsolicitedBooker highlights the urgent need for enhanced cybersecurity measures in critical infrastructure sectors. The use of sophisticated backdoors and phishing tactics underscores the evolving threat landscape and the importance of proactive defense strategies.
Attack Path Analysis
UnsolicitedBooker initiated the attack by sending phishing emails with malicious Microsoft Office documents to telecom companies in Kyrgyzstan and Tajikistan. Upon enabling macros, these documents deployed backdoors like LuciDoor and MarsSnake, allowing attackers to execute commands and exfiltrate data. The backdoors established encrypted communication with command-and-control servers, enabling remote control and data theft. The attackers maintained persistence through scheduled tasks and registry modifications, ensuring continued access to compromised systems.
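The chain described above leaves a recognisable footprint in endpoint process-creation telemetry: an Office application handing off to a command shell after macros are enabled, followed by persistence through a scheduled task or a Run-key registry entry. The detection logic below is an added example (not from the report or from the sources it cites); the events it runs over are constructed, Sysmon-style records, and all process names and paths in them are hypothetical.

```python
"""Flag Office-to-shell hand-offs and follow-on persistence in process-creation events."""
from __future__ import annotations
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"

@dataclass
class ProcEvent:
    host: str
    parent_image: str   # full path of the parent process
    image: str          # full path of the created process
    command_line: str

def classify(ev: ProcEvent) -> list[str]:
    """Return the names of the detections that fire for one event."""
    hits = []
    parent = ev.parent_image.rsplit("\\", 1)[-1].lower()
    image = ev.image.rsplit("\\", 1)[-1].lower()
    cmd = ev.command_line.lower()
    # Macro-enabled document spawning a shell (Malicious File -> Windows Command Shell)
    if parent in OFFICE_APPS and image in SHELLS:
        hits.append("office_spawned_shell")
    # Persistence via a newly created scheduled task
    if image == "schtasks.exe" and "/create" in cmd:
        hits.append("scheduled_task_created")
    # Persistence via a Run-key registry modification
    if image == "reg.exe" and " add " in cmd and RUN_KEY in cmd:
        hits.append("run_key_modified")
    return hits

def triage(events: list[ProcEvent]) -> dict[str, str]:
    """Per-host severity: a shell spawn plus any persistence step is 'high', else 'medium'."""
    per_host: dict[str, set[str]] = {}
    for ev in events:
        for hit in classify(ev):
            per_host.setdefault(ev.host, set()).add(hit)
    return {h: "high" if "office_spawned_shell" in s and len(s) > 1 else "medium"
            for h, s in per_host.items()}

# Constructed sample telemetry (hypothetical hosts, paths and file names).
SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe", r"cmd.exe /c C:\Users\Public\loader.bat"),
    ProcEvent("ws-01", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\schtasks.exe",
              r"schtasks.exe /create /tn Updater /tr C:\Users\Public\svc.exe /sc onlogon"),
    ProcEvent("ws-02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\reg.exe",
              r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\svc.exe"),
    ProcEvent("ws-03", r"C:\Windows\explorer.exe",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", r"WINWORD.EXE /n report.docx"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))  # {'ws-01': 'high', 'ws-02': 'medium'}
```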
Kill Chain Progression
Initial Compromise
Description
Attackers sent phishing emails containing malicious Microsoft Office documents to employees of telecom companies. When recipients enabled macros, the documents executed embedded VBA macros that deployed malware loaders, leading to the installation of backdoors like LuciDoor and MarsSnake.
MITRE ATT&CK® Techniques
- Spearphishing Attachment
- Malicious File
- Windows Command Shell
- Ingress Tool Transfer
- Web Protocols
- Data from Local System
- Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure all system components and software are protected from known vulnerabilities by installing applicable vendor-supplied security patches.
Control ID: 6.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA Zero Trust Maturity Model 2.0 – Implement strong authentication mechanisms
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of this incident, including operational, regulatory, and cloud security risks.
Telecommunications
Direct targeting by UnsolicitedBooker APT using LuciDoor and MarsSnake backdoors against Central Asian telecoms requires enhanced east-west traffic security and encrypted communications.
Government Administration
State-sponsored APT threats targeting regional telecommunications infrastructure pose risks to government communications requiring zero trust segmentation and multicloud visibility controls.
Information Technology/IT
Chinese-origin malware exploiting Office macros and compromised routers necessitates enhanced egress security, threat detection capabilities, and inline IPS protection measures.
Computer/Network Security
Advanced persistent threats using rare Chinese tools and mimicking tactics require improved anomaly detection, cloud firewall protections, and comprehensive incident response capabilities.
Sources
- UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors (https://thehackernews.com/2026/02/unsolicitedbooker-targets-central-asian.html)
- Poisonous Mars, or How LuciDoor Knocks on the Doors of the CIS (https://ptsecurity.com/research/pt-esc-threat-intelligence/poisonous-mars-or-how-lucidoor-knocks-on-the-doors-of-the-cis/)
- Chinese Hackers Deploy MarsSnake Backdoor in Multi-Year Attack on Saudi Organization (https://thehackernews.com/2025/05/chinese-hackers-deploy-marssnake.html)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: While Aviatrix CNSF may not prevent the initial phishing compromise, it could limit the malware's ability to communicate with other systems, reducing the attacker's control.
Control: Zero Trust Segmentation
Mitigation: Aviatrix Zero Trust Segmentation could likely limit the attacker's ability to escalate privileges by enforcing strict access controls based on identity and context.
Control: East-West Traffic Security
Mitigation: Aviatrix East-West Traffic Security could likely constrain lateral movement by monitoring and controlling internal traffic between workloads.
Control: Multicloud Visibility & Control
Mitigation: Aviatrix Multicloud Visibility & Control could likely detect and limit unauthorized command-and-control communications by providing comprehensive monitoring across cloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: Aviatrix Egress Security & Policy Enforcement could likely restrict unauthorized data exfiltration by controlling and monitoring outbound traffic.
Aviatrix Zero Trust CNSF could likely reduce the overall impact by limiting the attacker's ability to move laterally and exfiltrate data, thereby minimizing operational disruptions and data loss.
Impact at a Glance
Affected Business Functions
- Network Operations
- Customer Data Management
- Billing Systems
- Service Provisioning
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of customer personal information, call records, and internal operational data.
Recommended Actions
Key Takeaways & Next Steps
- Implement advanced email filtering and user training to prevent phishing attacks.
- Deploy endpoint detection and response solutions to identify and block malicious macros and payloads.
- Enforce least privilege access controls and monitor for unusual privilege escalation activities.
- Utilize network segmentation and east-west traffic monitoring to detect and prevent lateral movement.
- Establish comprehensive logging and monitoring to detect and respond to command-and-control communications and data exfiltration attempts.