China’s UnsolicitedBooker Strikes Again: MarsSnake Backdoor Slithers into Saudi Targets!

China-linked UnsolicitedBooker is at it again, this time using a new backdoor called MarsSnake. Their sneaky tactic? Spear-phishing emails with fake flight ticket lures. If you’ve ever wished for a free trip, make sure it’s not a one-way ticket to a malware invasion! Better book your security measures.


Hot Take:

Looks like Mars isn’t just for rovers anymore; now it’s got its very own snake slithering through cyber defenses. UnsolicitedBooker has managed to turn spear-phishing into an art form, and they’re not even charging for the gallery tour! But seriously, if your flight tickets look too good to be true, they probably come with a free malware souvenir. Watch out, because the only thing scarier than a snake on a plane is a MarsSnake in your mainframe!

Key Points:

  • China-linked UnsolicitedBooker APT used a new backdoor, MarsSnake, against an international organization based in Saudi Arabia.
  • The group relies on spear-phishing emails with fake flight ticket lures to infiltrate systems.
  • UnsolicitedBooker’s toolkit includes other backdoors like Chinoxy, DeedRAT, and Poison Ivy.
  • The repeated attacks suggest a focus on espionage and data theft.
  • The latest lure, a fake flight ticket in a Word document carrying a malicious VBA macro, dropped MarsSnake; the same target has been phished repeatedly since 2023.

Phishing for Trouble

If you’re daydreaming about a vacation, UnsolicitedBooker might just make it a nightmare. This China-linked APT, with a penchant for spear-phishing, has been targeting an international organization in Saudi Arabia with a new backdoor called MarsSnake. Researchers at ESET have revealed that these cyber shenanigans date back to March 2023, with fresh episodes in 2024 and 2025. Forget about frequent flyer miles—it seems like frequent phisher status is the real goal here.

A Toolkit to Die For

UnsolicitedBooker isn’t just a one-trick pony. No, they’ve got a whole circus act of malware, including favorites like Chinoxy, DeedRAT, Poison Ivy, and BeRAT—all sharing the stage with the new headliner, MarsSnake. With a name like that, you’d expect a sci-fi thriller, but instead, it’s a cyber espionage drama targeting government organizations across Asia, Africa, and the Middle East. It’s like a geopolitical game of capture the flag, but with less running and more clicking.

Snake Charmer or Data Farmer?

So what’s the motive behind these digital antics? Well, espionage and data theft are the prime suspects. UnsolicitedBooker is all about getting the dirt—without the shovels, of course. Their choice of weapon? Spear-phishing emails disguised as flight tickets. It’s a classic bait-and-switch, except instead of a relaxing getaway, you get a malware-infested stay-cation. And who wouldn’t want a souvenir like MarsSnake slithering through their system?

Return of the Phish

Just when the Saudi organization thought it was safe to check their email again, UnsolicitedBooker struck back in January 2025. This time, they came armed with a phishing email impersonating Saudia airline. The bait? A fake flight ticket in a Word document, complete with a malicious VBA macro ready to drop the MarsSnake backdoor. Talk about a travel deal gone wrong! The persistent attacks over the years suggest that UnsolicitedBooker is like a dog with a bone, refusing to let go of their prized target.
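The lure is a Word attachment whose VBA macro does the dropping, so the cheapest check a mail gateway can make is "does this file carry a VBA project at all?", judged by content rather than extension. The script below is an added example for this article, not ESET's tooling and not derived from the MarsSnake dropper; the attachment names and bytes are constructed fixtures, and the only real detail it relies on is how Office files are laid out (OOXML is a zip whose macro project lives in `word/vbaProject.bin`; legacy `.doc` is an OLE2 compound file).

```python
"""Static triage of Word attachments for embedded VBA projects.

Added example for the article; not ESET's tooling and not taken from the
MarsSnake sample. Attachment names and contents below are constructed fixtures.
"""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary .doc (OLE compound file)
ZIP_MAGIC = b"PK\x03\x04"                             # Office Open XML (.docx/.docm) is a zip
VBA_PART = "word/vbaProject.bin"                      # OOXML part that holds the VBA project
MACRO_MAIN_CT = "application/vnd.ms-word.document.macroEnabled.main+xml"
PLAIN_MAIN_CT = "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"


def classify_word_file(data: bytes) -> str:
    """Classify by content, never by extension.

    Returns 'ooxml-macro', 'ooxml-clean', 'ole2-legacy' or 'not-word'.
    """
    if data.startswith(OLE2_MAGIC):
        # Legacy .doc keeps macros in OLE streams; deciding needs an OLE parser
        # (e.g. oletools' olevba), so this only flags it for deeper inspection.
        return "ole2-legacy"
    if not data.startswith(ZIP_MAGIC):
        return "not-word"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            types_xml = (zf.read("[Content_Types].xml").decode("utf-8", "replace")
                         if "[Content_Types].xml" in names else "")
    except zipfile.BadZipFile:
        return "not-word"
    # Either signal alone is enough: the VBA part can be present even when the
    # content type was edited to look like a plain document, and vice versa.
    if VBA_PART in names or MACRO_MAIN_CT in types_xml:
        return "ooxml-macro"
    return "ooxml-clean"


def triage_attachment(filename: str, data: bytes) -> str:
    """Map the classification to a mail-gateway verdict."""
    kind = classify_word_file(data)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if kind == "ooxml-macro":
        note = f" (macro content behind a .{ext} name)" if ext != "docm" else ""
        return "BLOCK: VBA project present" + note
    if kind == "ole2-legacy":
        return "QUARANTINE: legacy binary .doc, run an OLE macro scanner"
    if kind == "ooxml-clean":
        return "ALLOW: no VBA project"
    return "ALLOW: not a Word document"


def _build_ooxml(with_macro: bool) -> bytes:
    """Construct a minimal OOXML container for testing (not a real ticket)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        main_ct = MACRO_MAIN_CT if with_macro else PLAIN_MAIN_CT
        zf.writestr("[Content_Types].xml",
                    f'<Types><Override PartName="/word/document.xml" '
                    f'ContentType="{main_ct}"/></Types>')
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(VBA_PART, OLE2_MAGIC + b"placeholder vba project")
    return buf.getvalue()


# Constructed fixtures standing in for attachments of an airline e-ticket lure.
SAMPLE_ATTACHMENTS = {
    "E-Ticket.docm": _build_ooxml(with_macro=True),
    "E-Ticket.docx": _build_ooxml(with_macro=True),   # macro doc renamed to look harmless
    "Itinerary.docx": _build_ooxml(with_macro=False),
    "Booking.doc": OLE2_MAGIC + b"\x00" * 504,
    "Receipt.pdf": b"%PDF-1.4\n%constructed\n",
}


def triage_all(attachments=SAMPLE_ATTACHMENTS) -> dict:
    """Return {filename: verdict} for every attachment."""
    return {name: triage_attachment(name, data) for name, data in attachments.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:16} {verdict}")
```

The renamed `E-Ticket.docx` is the case worth noticing: Word will still honour the VBA project inside a file with a `.docx` name, so any filter keyed on extension alone waves the lure straight through.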

The Snake’s Den

Once the MarsSnake slinks its way into a system, it gets comfy with a C&C server at contact.decenttoy[.]top. Sounds innocent enough, but don’t be fooled—it’s where the magic (or rather, the mischief) happens. The repeated phishing attempts in 2023, 2024, and 2025 show UnsolicitedBooker’s unwavering determination to worm their way into this specific target. It’s like watching a cyber soap opera, except the plot revolves around espionage and malware instead of love triangles and secret twins.
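A published C&C hostname is only useful if it gets matched against what your resolvers and proxies actually saw. The script below is an added example for this article, not ESET's code: it refangs the defanged indicator, pulls hostnames out of constructed BIND-style and Squid-style log lines, and matches the exact host and its subdomains. The log lines are made up for the demonstration; the only real indicator is the domain quoted above.

```python
"""Match a defanged C&C indicator against DNS and proxy logs.

Added example for the article; the log lines are constructed, the indicator
is the one reported for MarsSnake.
"""
import re

# Kept defanged in the source so the string never looks like a live link;
# refanged in memory only.
MARSSNAKE_C2 = ["contact.decenttoy[.]top"]

# A hostname token: dotted labels ending in an alphabetic TLD, optional :port.
# IPs and timestamps fail the alphabetic-TLD requirement and are skipped.
HOST_TOKEN = re.compile(
    r"(?<![\w-])((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d{1,5})?(?![\w-])", re.I
)


def refang(indicator: str) -> str:
    """Turn the publication form back into a matchable hostname."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .strip().lower().rstrip("."))


def host_matches(host: str, indicator: str) -> bool:
    """Exact host or any subdomain of it; a sibling like www.<parent> is NOT a hit."""
    host = host.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def find_c2_hits(lines, indicators=MARSSNAKE_C2):
    """Return (line_number, matched_host, indicator) for every hit."""
    wanted = [refang(i) for i in indicators]
    hits = []
    for n, line in enumerate(lines, 1):
        for m in HOST_TOKEN.finditer(line):
            host = m.group(1)
            for ind in wanted:
                if host_matches(host, ind):
                    hits.append((n, host, ind))
    return hits


# Constructed log lines (BIND query log and Squid access log formats).
SAMPLE_LOGS = [
    "20-Jan-2025 09:14:02.311 client 10.0.5.23#51234: query: contact.decenttoy.top IN A + (10.0.0.2)",
    "20-Jan-2025 09:14:05.102 client 10.0.5.23#51235: query: www.saudia.com IN A + (10.0.0.2)",
    "1737364443.120   2103 10.0.5.23 TCP_TUNNEL/200 5120 CONNECT contact.decenttoy.top:443 - HIER_DIRECT/203.0.113.7 -",
    "1737364450.001    201 10.0.5.41 TCP_MISS/200 1034 GET http://www.decenttoy.top/ - HIER_DIRECT/203.0.113.7 text/html",
]

if __name__ == "__main__":
    for line_no, host, ind in find_c2_hits(SAMPLE_LOGS):
        print(f"line {line_no}: {host} matched {ind}")
```

Line 4 is deliberately a near miss: `www.decenttoy.top` shares the registered domain with the indicator but is not the reported C&C host, so the matcher leaves it alone. Whether you also want to alert on the parent domain is a tuning decision for your environment, not something the report establishes.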

So, next time you receive an email offering you a free flight, take a moment to check if it’s from a reputable source—unless you enjoy the thrill of a cyber snake pit. Stay safe, and remember: When it comes to cybersecurity, trust no one—not even that helpful email about your dream vacation.

The Nimble Nerd