Severity
High
Analysis Summary
Researchers have uncovered new activities of a China-aligned threat actor named UnsolicitedBooker, which targeted an unnamed international organization in Saudi Arabia with a previously undocumented backdoor called MarsSnake. The group was first observed infiltrating the same organization in March 2023 and again in January 2025, using spear-phishing emails with fake flight tickets as lures. These emails typically contained a Microsoft Word document that, when opened, executed a VBA macro to drop and run an executable (smssdrvhost.exe) that loads the MarsSnake backdoor.
MarsSnake communicates with a remote command-and-control server (contact.decenttoy[.]top). The decoy ticket in the phishing email was modified from a publicly available PDF found on Academia.edu, a website used for sharing academic documents. UnsolicitedBooker has previously deployed other known Chinese malware such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT, and it shares similarities with groups tracked as Space Pirates and another unnamed cluster that used a backdoor called Zardoor. The campaign highlights continued interest by UnsolicitedBooker in the Saudi-based organization, indicating long-term espionage objectives across Asia, Africa, and the Middle East.
Researchers also reported on PerplexedGoblin (APT31), another Chinese APT, which targeted a Central European government in December 2024 and deployed the espionage backdoor NanoSlate.
Additionally, DigitalRecyclers, linked to APT15, continues targeting EU government entities using the KMA VPN ORB network to obfuscate traffic. This group deploys backdoors like RClient, GiftBox, and HydroRShell, the latter using Google’s Protobuf and Mbed TLS for secure communications.
The findings reflect sustained and multi-pronged Chinese cyber-espionage operations targeting governments and critical institutions worldwide.
Impact
- Unauthorized Access
- Data Exfiltration
- Cyber Espionage
Indicators of Compromise
Domain Name
contact.decenttoy.top
Remediation
- Block all threat indicators at your respective controls.
- Search for indicators of compromise (IOCs) in your environment using your respective security controls.
- Apply endpoint protection and EDR solutions to detect and block malicious backdoor activity.
- Disable or restrict execution of macros in Microsoft Office documents by default.
- Conduct user awareness training on spear-phishing and social engineering threats.
- Use sandboxing to detonate and analyze email attachments before delivery.
- Segment networks to limit lateral movement in case of compromise.
- Audit and monitor access to sensitive systems and documents regularly.
- Implement strict email filtering policies to block phishing attempts.
- Block known malicious IPs and domains at the firewall or proxy level.
- Limit use of scripting languages like VBA in enterprise environments where not required.
- Keep systems and applications up to date with security patches.
- Use application whitelisting to prevent unauthorized executables like smssdrvhost.exe.
- Employ DNS monitoring and logging to detect anomalous lookups to attacker infrastructure.
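Detection logic for the chain described above, as an added example that is not part of the advisory: it checks DNS query logs for lookups of the C2 domain and process-creation logs for smssdrvhost.exe, rating a launch from an Office application (the VBA macro path) higher. The log formats, field names and sample lines are constructed assumptions.

```python
import re

# Indicators quoted from the advisory above.
C2_DOMAIN = "contact.decenttoy.top"
DROPPED_EXE = "smssdrvhost.exe"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample records (not from the advisory); both formats are assumptions.
DNS_LINES = [  # "<ts> <client_ip> <qtype> <qname>"
    "2025-05-21T09:14:03Z 10.0.4.17 A contact.decenttoy.top",
    "2025-05-21T09:14:05Z 10.0.4.17 A updates.example.org",
    "2025-05-21T09:16:40Z 10.0.4.22 A contact.decenttoy.top.lookalike.example",
]
PROC_LINES = [  # "<ts> ParentImage=<path> Image=<path>"
    "2025-05-21T09:13:58Z ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE Image=C:\\Users\\a\\AppData\\Local\\Temp\\smssdrvhost.exe",
    "2025-05-21T09:20:01Z ParentImage=C:\\Windows\\explorer.exe Image=C:\\Windows\\System32\\notepad.exe",
    "2025-05-21T10:02:11Z ParentImage=C:\\Windows\\System32\\cmd.exe Image=D:\\tools\\smssdrvhost.exe",
]

def domain_matches(qname, indicator):
    """Label-aware match (the indicator or a subdomain of it), not a bare
    substring test, so 'contact.decenttoy.top.lookalike.example' does not fire."""
    q = qname.lower().rstrip(".")
    return q == indicator or q.endswith("." + indicator)

def dns_alerts(lines):
    """Return (rule, detail) for each query to the C2 domain; skip malformed lines."""
    alerts = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        client, qname = parts[1], parts[3]
        if domain_matches(qname, C2_DOMAIN):
            alerts.append(("c2-dns-lookup", f"{client} -> {qname}"))
    return alerts

_KV = re.compile(r"(ParentImage|Image)=(.+?)(?=\s\w+=|$)")  # values may contain spaces

def _basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def process_alerts(lines):
    """Flag any launch of the dropper; rate it higher when an Office app is the parent."""
    alerts = []
    for line in lines:
        fields = dict(_KV.findall(line))
        image, parent = _basename(fields.get("Image", "")), _basename(fields.get("ParentImage", ""))
        if image != DROPPED_EXE:
            continue
        rule = "office-spawned-dropper" if parent in OFFICE_PARENTS else "known-dropper-executed"
        alerts.append((rule, f"{parent} -> {image}"))
    return alerts
```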