MarsSnake Malware: UnsolicitedBooker’s Multi-Year Cyber Espionage Campaign Against Saudi Arabia

In a significant cybersecurity revelation, ESET (Essential Security against Evolving Threats) researchers have exposed a sophisticated, multi-year cyber espionage campaign orchestrated by a China-linked advanced persistent threat (APT) group named UnsolicitedBooker. This group has been targeting an international organization in Saudi Arabia since at least March 2023, deploying a custom-built backdoor malware called MarsSnake. The attackers leveraged social engineering via spear-phishing emails—disguised as flight booking confirmations—to breach internal systems, extract confidential data, and maintain prolonged stealth access.
Inside the MarsSnake Malware Attack
ESET uncovered that the UnsolicitedBooker hackers used convincing phishing emails that appeared to come from Saudia Airlines (saudia.etickets@outlook[.]com). These emails carried Microsoft Word documents embedded with malicious macros. When an unsuspecting user enabled the macros, the document triggered the download and execution of MarsSnake, a full-featured remote access trojan (RAT).
Once installed, MarsSnake established communication with its command-and-control (C2) server hosted at contact.decenttoy[.]top. This malware gave attackers complete control over the compromised system—allowing arbitrary command execution, file manipulation, and continuous surveillance.
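To show how the two indicators named above (the spoofed sender address and the C2 hostname) can be turned into a simple defensive check, here is an added Python example that is not part of ESET's report or this article: it scans constructed mail-gateway and DNS-resolver log lines for the phishing sender, the C2 host, and macro-capable Word attachments. The log format, client addresses, recipient names and the second-stage hostnames in the samples are all assumptions.

```python
import re
from dataclasses import dataclass

# Indicators quoted in the article above, kept in their defanged ("[.]") form.
IOC_SENDER = "saudia.etickets@outlook[.]com"
IOC_C2 = "contact.decenttoy[.]top"

# Word formats that can carry VBA macros (assumed list for this example).
MACRO_EXTENSIONS = (".docm", ".dotm", ".doc")

# Constructed sample logs (not real telemetry): one key=value line per event.
SAMPLE_MAIL_LOG = [
    'ts=2023-03-14T08:02:11Z from=saudia.etickets@outlook.com to=j.doe@example.org '
    'subject="Flight booking confirmation" attach=E-Ticket_Confirmation.docm',
    'ts=2023-03-14T09:15:40Z from=hr@example.org to=j.doe@example.org '
    'subject="Payslip" attach=payslip_march.pdf',
]
SAMPLE_DNS_LOG = [
    'ts=2023-03-14T08:05:03Z client=10.0.4.17 qname=contact.decenttoy.top qtype=A',
    'ts=2023-03-14T08:05:09Z client=10.0.4.17 qname=update.example.net qtype=A',
]

@dataclass
class Alert:
    source: str   # "mail" or "dns"
    reason: str   # why the line was flagged
    line: str     # the offending log line, for the analyst

def refang(ioc: str) -> str:
    """Turn a defanged indicator back into the string that appears in logs."""
    return ioc.replace("[.]", ".")

def _field(line: str, key: str) -> str:
    """Extract key=value or key="quoted value" from a log line ("" if absent)."""
    m = re.search(rf'\b{key}=("([^"]*)"|(\S+))', line)
    if not m:
        return ""
    return m.group(2) if m.group(2) is not None else m.group(3)

def scan_mail(lines):
    """Flag the reported phishing sender first, then any macro-capable attachment."""
    alerts = []
    for line in lines:
        sender = _field(line, "from").lower()
        attach = _field(line, "attach").lower()
        if sender == refang(IOC_SENDER):
            alerts.append(Alert("mail", "sender matches reported phishing address", line))
        elif attach.endswith(MACRO_EXTENSIONS):
            alerts.append(Alert("mail", "macro-capable Word attachment", line))
    return alerts

def scan_dns(lines):
    """Flag any resolver query for the reported MarsSnake C2 host."""
    c2 = refang(IOC_C2)
    return [Alert("dns", "query for reported MarsSnake C2 host", line)
            for line in lines if _field(line, "qname").lower() == c2]

def scan_all():
    return scan_mail(SAMPLE_MAIL_LOG) + scan_dns(SAMPLE_DNS_LOG)
```

The attachment rule fires on any macro-capable Word file regardless of sender, so it will also surface lookalike addresses the exact-match rule misses.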
The sophistication of MarsSnake highlights UnsolicitedBooker’s capability to operate covertly over long periods, suggesting nation-state backing and an intent to collect high-value geopolitical intelligence.
UnsolicitedBooker and the Expanding Chinese Threat Landscape
MarsSnake isn’t the only weapon in UnsolicitedBooker’s arsenal. According to ESET, the group has also used tools like Chinoxy, DeedRAT, Poison Ivy, and BeRAT—all previously associated with Chinese cyber espionage operations.
Their operations span multiple regions, with recent campaigns targeting government entities in Asia, Africa, and the Middle East. The Saudi Arabia attack using MarsSnake is part of a broader wave of China-linked digital incursions designed to infiltrate strategic infrastructure and diplomatic networks.
ESET’s threat intelligence also flagged DigitalRecyclers, another actor deploying malware strains like HydroRShell and RClient to target the European Union’s governmental institutions. These efforts demonstrate the persistent, evolving, and globally coordinated nature of China-affiliated cyber threats.
To Sum Up
The MarsSnake cyberattack serves as a chilling reminder of the lengths to which state-sponsored hackers will go to breach strategic targets. The blending of social engineering, stealthy backdoors, and persistent data exfiltration marks a new chapter in cyber warfare—one where proactive defense, real-time intelligence, and rapid mitigation are non-negotiable.