A China-linked hacking group known as UnsolicitedBooker has been targeting a prominent international organization based in Saudi Arabia with a new and sophisticated malware strain dubbed MarsSnake, according to researchers at cybersecurity firm ESET.
The attack campaign, which has spanned three consecutive years—2023, 2024, and 2025—demonstrates the group’s persistent interest in this particular target. ESET discovered the initial breach attempts in March 2023, with renewed activity seen in early 2025.
The group’s method of entry has remained largely consistent: spear-phishing emails disguised as flight booking notifications. These deceptive emails typically include malicious Microsoft Word attachments posing as airline tickets, luring victims into executing embedded VBA macros. Once activated, the macros deploy a hidden executable named smssdrvhost.exe, a loader responsible for installing the MarsSnake backdoor. The backdoor then connects to a command-and-control (C2) server at contact.decenttoy[.]top, giving the attackers long-term access to infected systems.
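As an added defender-side example, not code from ESET's report or this article: a small Python triage script that checks Sysmon-style process-creation and DNS events for the delivery chain described above (an Office process spawning smssdrvhost.exe, and a lookup of the re-fanged C2 domain). The event field names and the sample events are constructed assumptions, not real telemetry.

```python
"""Triage Sysmon-style events for the MarsSnake delivery chain indicators."""
import json
import re

# Indicators as quoted in the article. The C2 domain is kept defanged here and
# re-fanged only when compared against DNS telemetry.
LOADER_NAME = "smssdrvhost.exe"
C2_DOMAIN_DEFANGED = "contact.decenttoy[.]top"
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'x[.]y' back into 'x.y'."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return re.split(r"[\\/]", path)[-1].lower()

def evaluate_event(event: dict) -> list[str]:
    """Return the detection names that fire for one event.
    Assumed schema: event_id (1 = process create, 22 = DNS query),
    image, parent_image, query."""
    hits = []
    if event.get("event_id") == 1:
        child = basename(event.get("image", ""))
        parent = basename(event.get("parent_image", ""))
        if child == LOADER_NAME:
            hits.append("marssnake_loader_filename")
        if parent in OFFICE_PARENTS and child.endswith(".exe"):
            hits.append("office_spawned_executable")
    elif event.get("event_id") == 22:
        if event.get("query", "").lower().rstrip(".") == refang(C2_DOMAIN_DEFANGED):
            hits.append("marssnake_c2_domain")
    return hits

# Constructed sample telemetry (not real logs): one benign and two hostile events.
SAMPLE_EVENTS = [
    {"event_id": 1, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"event_id": 1, "image": r"C:\Users\u\AppData\Roaming\smssdrvhost.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"event_id": 22, "image": r"C:\Users\u\AppData\Roaming\smssdrvhost.exe",
     "query": "contact.decenttoy.top"},
]

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map each event index to the detections it triggered, omitting clean events."""
    return {i: h for i, e in enumerate(events) if (h := evaluate_event(e))}

if __name__ == "__main__":
    print(json.dumps(scan(SAMPLE_EVENTS), indent=2))
```

The generic "office_spawned_executable" rule fires independently of the file name, so it still catches a renamed loader dropped by the same macro path.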
The fake flight documents were found to be manipulated versions of legitimate PDFs publicly available on Academia.edu, an online platform for academic research. This technique of reusing authentic content adds a layer of credibility to the phishing emails, increasing their chances of success.
ESET notes that UnsolicitedBooker appears to overlap operationally with previously identified Chinese APT groups like Space Pirates and another unattributed cluster that used the Zardoor backdoor against Islamic non-profit entities in Saudi Arabia. The hacking crew is also known for deploying other Chinese malware tools such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT.
The relentless targeting of Middle Eastern, Asian, and African government bodies underlines China-aligned cyber actors’ broader geopolitical strategy. These attacks not only involve custom malware but also reveal a deep understanding of regional organizations’ operational patterns.
Broader Campaigns from China-Linked Threat Groups
UnsolicitedBooker isn’t the only Chinese threat actor in motion. ESET also uncovered operations by a separate group known as PerplexedGoblin (also tracked as APT31), which in December 2024 launched a stealthy espionage campaign against a Central European government entity using a backdoor called NanoSlate.
Meanwhile, another longstanding threat actor, DigitalRecyclers, continues to focus on European Union government targets. The group is believed to operate within the APT15 ecosystem—sharing links with Ke3chang and BackdoorDiplomacy. Since 2021, DigitalRecyclers has deployed tools like RClient, GiftBox, and the newer HydroRShell backdoor, which leverages Google Protobuf and Mbed TLS for secure communications. Their use of KMA VPN relay infrastructure helps mask their attack origins.
These findings highlight how Chinese hackers are increasingly refining their methods, weaponizing publicly available content, and coordinating efforts across regions to infiltrate critical organizations with long-term surveillance goals.