Chinese Cyber Threat Actors Implement MarsSnake Backdoor in Prolonged Campaign Against Saudi Organization
Threat hunters have uncovered the tactics of a China-aligned threat actor known as UnsolicitedBooker, which targeted an undisclosed international organization in Saudi Arabia with a previously undocumented backdoor referred to as MarsSnake.
ESET, the cybersecurity firm that first identified the hacking group’s attempts aimed at this entity in March 2023, and again a year later, noted that the group utilizes spear-phishing emails featuring flight tickets as bait to infiltrate their targets.
UnsolicitedBooker sends spear-phishing emails, often with flight tickets serving as decoys. Its targets are primarily governmental organizations across Asia, Africa, and the Middle East, as highlighted in ESET’s latest APT Activity Report for the period spanning October 2024 to March 2025.
The attacks attributed to this threat actor are characterized by the deployment of various backdoors, including Chinoxy, DeedRAT, Poison Ivy, and BeRAT, which are commonly used by Chinese hacking groups.
It is assessed that UnsolicitedBooker shares characteristics with a cluster labeled as Space Pirates and an unidentified threat activity cluster that deployed a backdoor known as Zardoor against an Islamic non-profit organization in Saudi Arabia.
The most recent campaign, identified in January 2025 by the Slovak cybersecurity firm, involved a phishing email disguised as communication from Saudia Airlines regarding a flight booking.
The phishing attempt included an attached Microsoft Word document that contained decoy content resembling a flight ticket. This document was modified from a publicly available PDF sourced from the Academia website, a platform designed for sharing academic research documents.
Upon execution, the Word document activates a VBA macro that decodes and writes to the file system an executable file named “smssdrvhost.exe.” This executable serves as a loader for MarsSnake, which establishes communication with a remote server located at “contact.decenttoy[.]top.”
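As an added example that is not part of ESET’s report or this article, the following Python correlates constructed Sysmon-style events to flag the three stages of the chain just described: an Office process writing an executable, that executable running, and a DNS lookup of the C2 domain. The event schema, paths, and host names are assumptions; only the dropped file name and the domain come from the article.

```python
"""Added detection example: correlate endpoint events for the MarsSnake chain."""
from collections import defaultdict

# Indicators quoted in the article; the defanged domain is normalised for matching.
DROPPED_EXE = "smssdrvhost.exe"
C2_DOMAIN = "contact.decenttoy[.]top".replace("[.]", ".")
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample events (Sysmon IDs: 11 FileCreate, 1 ProcessCreate, 22 DnsQuery).
SAMPLE_EVENTS = [
    {"id": 11, "host": "ws01", "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "target": r"C:\Users\a\AppData\Roaming\smssdrvhost.exe"},
    {"id": 1, "host": "ws01", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\a\AppData\Roaming\smssdrvhost.exe"},
    {"id": 22, "host": "ws01", "image": r"C:\Users\a\AppData\Roaming\smssdrvhost.exe",
     "query": "contact.decenttoy.top"},
    {"id": 1, "host": "ws02", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe"},
    {"id": 22, "host": "ws02", "image": r"C:\Windows\System32\svchost.exe", "query": "example.com"},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def analyse(events):
    """Return {host: [behaviours]} for each host that matched at least one rule."""
    findings = defaultdict(list)
    for e in events:
        # Behavioural rule: an Office application dropping an executable to disk.
        if e["id"] == 11 and basename(e["image"]) in OFFICE_PROCS and basename(e["target"]).endswith(".exe"):
            findings[e["host"]].append("office_wrote_exe")
        # Indicator rule: the loader file name reported for this campaign.
        if e["id"] == 1 and basename(e["image"]) == DROPPED_EXE:
            findings[e["host"]].append("dropper_executed")
        # Indicator rule: DNS resolution of the reported C2 domain.
        if e["id"] == 22 and e["query"].lower() == C2_DOMAIN:
            findings[e["host"]].append("c2_dns")
    return dict(findings)


def triage(events):
    """Rate hosts: 'high' when two or more stages of the chain are seen, else 'medium'."""
    return {h: ("high" if len(set(f)) >= 2 else "medium") for h, f in analyse(events).items()}
```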
The series of attempts made by UnsolicitedBooker to compromise this specific organization in 2023, 2024, and 2025 underscores their sustained interest in the target.
This disclosure coincides with another incident where a different Chinese threat actor, tracked as PerplexedGoblin (also known as APT31), targeted a Central European government entity in December 2024, deploying an espionage backdoor known as NanoSlate.
Furthermore, ESET has identified ongoing attacks by DigitalRecyclers against governmental entities within the European Union. This group employs the KMA VPN operational relay box (ORB) network to obscure their network traffic while deploying backdoors such as RClient, HydroRShell, and GiftBox.
DigitalRecyclers was first noted by ESET in 2021 but is believed to be operational since at least 2018. It is suspected to be linked to the Ke3chang group and BackdoorDiplomacy, operating within the APT15 cohort. DigitalRecyclers deploys the RClient implant, a variant of the Project KMA stealer. Notably, in September 2023, the group introduced a new backdoor called HydroRShell, which utilizes Google’s Protobuf and Mbed TLS for command and control communications.