PROBABLYPWNED
Threat Intelligence | March 1, 2026 | 4 min read

UnsolicitedBooker APT Targets Central Asian Telecoms

China-aligned threat group deploys LuciDoor and MarsSnake backdoors against telecom providers in Kyrgyzstan and Tajikistan, expanding from prior Saudi operations.

Alex Kowalski

ESET researchers published new findings on UnsolicitedBooker, a China-aligned cyber espionage group that has shifted its targeting from Saudi Arabia to telecommunications companies in Central Asia. The campaign deploys two C++ backdoors—LuciDoor and MarsSnake—through macro-enabled phishing documents, with compromised routers serving as command-and-control infrastructure.

The group's pivot to Kyrgyzstan and Tajikistan represents a significant expansion of Chinese intelligence collection efforts in a region where geopolitical influence remains contested. Telecom providers make attractive targets because access to communications infrastructure enables surveillance of government officials, business leaders, and citizens.

Campaign Timeline

According to ESET's research, UnsolicitedBooker has been active since at least March 2023. Its targeting of Saudi Arabian organizations was first observed in May 2025. By late September 2025, operations shifted to Kyrgyzstan, followed by attacks on Tajikistan in January 2026.

The geographic progression suggests deliberate expansion rather than opportunistic targeting. Central Asian nations maintain complex relationships with both China and Russia, making intelligence collection in this region strategically valuable.

Attack Chain

UnsolicitedBooker campaigns follow a consistent pattern:

  1. Phishing emails deliver Microsoft Office documents
  2. Documents prompt users to "Enable Content" to view supposedly protected content
  3. Malicious macros execute, dropping either LuciLoad or MarsSnakeLoader
  4. Loaders deploy the primary backdoor (LuciDoor or MarsSnake)
  5. Backdoors establish C2 communication through compromised routers

In some observed attacks, LNK files masquerading as Word documents replaced the macro-enabled Office docs. The group adapts its initial access techniques based on target defenses while maintaining the same post-exploitation toolkit.

Backdoor Capabilities

LuciDoor establishes encrypted communication with C2 servers, collects system information, and exfiltrates data. It parses server responses to execute commands via cmd.exe and manage files on compromised systems. The malware's name derives from its use of the LuciLoad dropper.

MarsSnake provides similar functionality: system metadata harvesting, arbitrary command execution, and file read and write operations. Despite using a different loader (MarsSnakeLoader), both backdoors serve the same operational purpose: persistent access for intelligence collection.

Interestingly, after initially switching from LuciDoor to MarsSnake, the group returned to deploying LuciDoor in 2026. This suggests either parallel development teams or tactical decisions based on detection rates across different malware families.

Attribution Confidence

ESET assesses with high confidence that UnsolicitedBooker aligns with Chinese state interests. This assessment joins prior research on LongNosedGoblin, another China-aligned APT focused on policy espionage operations. The assessment draws from:

  • Shared tooling with known China-affiliated groups (Chinoxy, Deed RAT, Poison Ivy, BeRAT)
  • Victimology patterns matching Chinese intelligence priorities
  • Tactical methodologies consistent with Chinese APT operations
  • Historical targeting of Belt and Road Initiative partner nations

The group's victim list spans Algeria, Belgium, Egypt, India, Mongolia, Saudi Arabia, Taiwan, and now Central Asia—a geographic spread that maps to Chinese economic and political interests.

Infrastructure TTPs

The use of compromised routers as C2 infrastructure complicates attribution and detection. Traffic from backdoors blends with legitimate network activity on compromised devices, making it harder for defenders to identify malicious connections.

Some campaign infrastructure has been configured to mimic Russian origins, potentially as a false flag operation or simply to exploit existing geopolitical tensions. The telecoms sector has faced sustained attention from multiple state actors this year—Singapore's disclosure of UNC3886 operations showed similar sophisticated targeting of telecommunications providers.

Defensive Recommendations

Organizations in telecommunications and adjacent sectors should:

  1. Block macro execution in Office documents from external sources
  2. Monitor for LNK file delivery via email attachments
  3. Implement network segmentation limiting lateral movement from compromised endpoints
  4. Audit router configurations and firmware for signs of compromise
  5. Deploy endpoint detection capable of identifying C++ backdoor behaviors
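The first two recommendations, and the "Enable Content" and LNK steps of the attack chain described earlier, both reduce to the same two observables: an Office application spawning a shell or script host, and a `.lnk` attachment arriving by email, possibly with a document extension in front of `.lnk`. The script below is an added illustration written for this article, not code from ESET or from the campaign report. The log records are constructed samples, and the field names (`parent_image`, `image`, `command_line`, attachment `filename`) are assumptions modelled loosely on Sysmon process-creation events and a mail gateway's attachment log; adapt them to whatever your telemetry actually emits.

```python
"""Detection logic for the delivery chain described above: an Office
application spawning a shell (macro execution) and LNK attachments posing
as documents. All records here are constructed samples, not real telemetry;
the field names are assumptions modelled on Sysmon process-creation events
and a mail gateway's attachment log."""
import ntpath
from dataclasses import dataclass

# Office hosts that should not normally launch a shell or script interpreter.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Child processes a macro-based dropper commonly relies on.
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
                  "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# Document extensions an LNK file may impersonate ("report.docx.lnk").
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".rtf", ".pdf")


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Attachment:
    sender: str
    recipient: str
    filename: str


def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath works on any OS)."""
    return ntpath.basename(path).lower()


def office_spawned_shell(events):
    """Events where an Office parent launched a shell or script host.

    This is the observable side effect of the "Enable Content" step: the
    macro has to hand off to something that can write and run the loader.
    """
    return [e for e in events
            if _exe(e.parent_image) in OFFICE_PARENTS
            and _exe(e.image) in SHELL_CHILDREN]


def lnk_attachments(attachments):
    """(attachment, masquerading) pairs for every .lnk attachment.

    masquerading is True when a document extension precedes .lnk, the
    "LNK file masquerading as a Word document" pattern from the article.
    """
    hits = []
    for a in attachments:
        name = a.filename.lower()
        if not name.endswith(".lnk"):
            continue
        stem = name[:-len(".lnk")]
        hits.append((a, stem.endswith(DOC_EXTENSIONS)))
    return hits


def triage(events, attachments):
    """Summarise both detections per host / recipient for an analyst queue."""
    lnk_hits = lnk_attachments(attachments)
    return {
        "macro_shell_hosts": sorted({e.host for e in office_spawned_shell(events)}),
        "lnk_recipients": sorted({a.recipient for a, _ in lnk_hits}),
        "lnk_masquerading": sorted(a.filename for a, m in lnk_hits if m),
    }


# Constructed sample telemetry (hosts, paths and addresses are illustrative only).
SAMPLE_EVENTS = [
    ProcessEvent("ws-01", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\cmd.exe", r'cmd.exe /c "%TEMP%\update.bat"'),
    ProcessEvent("ws-01", r"C:\Windows\explorer.exe",
                 r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "WINWORD.EXE"),
    ProcessEvent("ws-02", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent("ws-03", r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -WindowStyle Hidden -File C:\Users\Public\run.ps1"),
]
SAMPLE_ATTACHMENTS = [
    Attachment("hr@example.invalid", "ops@telco.invalid", "Q3_Report.docx.lnk"),
    Attachment("vendor@example.invalid", "noc@telco.invalid", "invoice.pdf"),
    Attachment("it@example.invalid", "cto@telco.invalid", "tender.lnk"),
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_EVENTS, SAMPLE_ATTACHMENTS).items():
        print(f"{key}: {value}")
```

Run against the samples, `triage` flags `ws-01` and `ws-03` (Word and Excel each spawned a shell), while the benign `explorer.exe` → `cmd.exe` on `ws-02` and Word being launched from Explorer on `ws-01` pass through. Both `.lnk` attachments are surfaced, and only `Q3_Report.docx.lnk` is tagged as masquerading. Parent-child matching on image names is deliberately simple; in production, pair it with the command line and the user context so that legitimate add-in behaviour on a few hosts can be allow-listed without losing the rule.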

The broader pattern of nation-state actors targeting telecommunications infrastructure shows no signs of slowing. Telecom providers serve as attractive targets because they sit at critical junctures in communications infrastructure—access to one provider potentially enables surveillance across entire regions.

For threat intelligence teams tracking Chinese APT activity, UnsolicitedBooker represents another example of the geographic flexibility these groups demonstrate. Tooling remains consistent while targeting adapts to strategic priorities.
