A newly identified Chinese threat actor, codenamed UnsolicitedBooker, has been linked to a sophisticated cyberattack campaign targeting an international organization in Saudi Arabia. According to cybersecurity firm ESET, the group used a previously unknown backdoor dubbed MarsSnake to infiltrate the entity via spear-phishing emails.
UnsolicitedBooker first appeared on ESET’s radar in March 2023 and reappeared in early 2025 with a fresh wave of intrusions. The group’s primary method of compromise involves spear-phishing emails containing malicious Microsoft Word documents. These emails often impersonate legitimate sources, such as Saudia Airlines, and use flight ticket decoys to lure victims.
In the latest campaign observed in January 2025, attackers sent phishing emails to a Saudi-based international organization. Attached was a Word document masquerading as a flight itinerary. The content was derived from a publicly available PDF file on the Academia website, which hosts academic research. Once opened, the document executed a VBA macro that dropped and ran a malicious file named smssdrvhost.exe. This executable acted as a loader for MarsSnake, the newly discovered backdoor.
MarsSnake then established contact with a remote command-and-control (C2) server hosted at contact.decenttoy[.]top, allowing the attackers to remotely control the infected system.
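The infection chain described above (macro in a Word document drops smssdrvhost.exe, which then resolves the C2 domain) leaves two observable traces a defender can hunt for: an Office process spawning an executable, and a DNS query for the reported domain. The following is an added detection example, not code from ESET or the report; it runs over constructed log lines in an assumed simplified key=value format rather than real telemetry, and the C2 indicator is the article's defanged value with the brackets removed.

```python
import re

# Indicators named in the report above (the C2 domain is written defanged in the
# article as contact.decenttoy[.]top; brackets removed here so it matches a DNS log).
C2_DOMAIN = "contact.decenttoy.top"
DROPPED_EXE = "smssdrvhost.exe"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample log lines in an assumed key=value format (not real telemetry).
SAMPLE_LOGS = """\
ProcessCreate parent=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE image=C:\\Users\\alice\\AppData\\Local\\Temp\\smssdrvhost.exe
ProcessCreate parent=C:\\Windows\\explorer.exe image=C:\\Program Files\\Mozilla Firefox\\firefox.exe
DnsQuery image=C:\\Users\\alice\\AppData\\Local\\Temp\\smssdrvhost.exe query=contact.decenttoy.top
DnsQuery image=C:\\Program Files\\Mozilla Firefox\\firefox.exe query=www.example.org
"""

PROC_RE = re.compile(r"^ProcessCreate parent=(?P<parent>.+?) image=(?P<image>.+)$")
DNS_RE = re.compile(r"^DnsQuery image=(?P<image>.+?) query=(?P<query>\S+)$")

def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_line(line):
    """Return the list of rule names that match one log line (empty if benign)."""
    hits = []
    m = PROC_RE.match(line)
    if m:
        parent, image = basename(m["parent"]), basename(m["image"])
        if image == DROPPED_EXE:
            hits.append("known-loader-name")          # exact file name from the report
        if parent in OFFICE_PARENTS and image.endswith(".exe"):
            hits.append("office-spawned-executable")  # generic macro-dropper behaviour
        return hits
    m = DNS_RE.match(line)
    if m:
        query = m["query"].lower().rstrip(".")
        if query == C2_DOMAIN or query.endswith("." + C2_DOMAIN):
            hits.append("known-c2-domain")            # domain or any subdomain of it
    return hits

def scan(log_text):
    """Return (rules, line) pairs for every line that triggers at least one rule."""
    results = []
    for line in log_text.splitlines():
        rules = check_line(line)
        if rules:
            results.append((rules, line))
    return results
```

The behavioural rule (Office spawning an executable) keeps firing even after the attacker renames the loader, which is why it sits beside the indicator-based rules rather than replacing them.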
ESET stated, “The multiple attempts at compromising this organization in 2023, 2024, and 2025 indicate a strong interest by UnsolicitedBooker in this specific target.”
Links to Other Chinese Hacking Groups
The tactics and malware employed by UnsolicitedBooker show strong similarities with tools used by known Chinese threat actors. The group has used a range of backdoors like Chinoxy, DeedRAT, Poison Ivy, and BeRAT—all of which are staples among China-aligned cyber-espionage groups.
UnsolicitedBooker is believed to overlap with a cluster called Space Pirates and an unnamed activity group that deployed the Zardoor backdoor in earlier attacks targeting an Islamic nonprofit in Saudi Arabia.
ESET’s findings indicate a sustained cyber-espionage campaign, suggesting strategic interest in Middle Eastern geopolitical or organizational intelligence. Targets extend beyond the Middle East, including governmental organizations across Asia and Africa, further reinforcing UnsolicitedBooker’s broad operational scope.
Broader Chinese Cyber Espionage Activities
The report also highlights recent activity by PerplexedGoblin, another Chinese threat actor, also known as APT31. In December 2024, this group reportedly targeted a Central European government and deployed a sophisticated backdoor called NanoSlate for espionage.
Meanwhile, DigitalRecyclers, a group possibly linked to APT15, Ke3chang, and BackdoorDiplomacy, continues its attacks on EU government entities. The group uses the KMA VPN Operational Relay Box (ORB) network to hide its origin and has deployed multiple backdoors, including RClient, HydroRShell, and GiftBox.
HydroRShell, introduced in September 2023, is particularly notable. It uses Google’s Protobuf and Mbed TLS for encrypted communications with C2 infrastructure. RClient, on the other hand, is a variant of the Project KMA stealer, further enhancing the group’s espionage capabilities.
DigitalRecyclers has been active since at least 2018, although ESET did not detect the group until 2021. Its long-term persistence and evolving toolset highlight how Chinese cyber actors continuously refine their tactics to bypass detection and maintain long-term access to strategic systems.