UnsolicitedBooker's Deployment of MarsSnake Backdoor

In January 2025, cybersecurity researchers identified a sophisticated cyber-espionage campaign targeting an international organization in Saudi Arabia. The operation was attributed to a China-linked advanced persistent threat (APT) group known as UnsolicitedBooker. The attackers employed a previously undocumented backdoor, dubbed MarsSnake, delivered via spear-phishing emails masquerading as flight booking confirmations from Saudia Airlines. This campaign is part of a multi-year effort by UnsolicitedBooker, which has shown a persistent interest in governmental organizations across Asia, Africa, and the Middle East.

Technical Description

UnsolicitedBooker’s MarsSnake campaign begins with a highly tailored spear‑phishing email spoofing Saudia Airlines. The message contains a malicious Microsoft Word attachment that, when opened, executes a VBA macro. This macro decodes and writes a small loader executable (smssdrvhost.exe) to %TEMP% and immediately launches it. The loader is a minimalist PE file written in C++ whose sole purpose is to fetch and unpack the full MarsSnake implant from the attacker’s C2 server at contact.decenttoy[.]top over HTTPS.

Once the loader stages MarsSnake, the backdoor establishes persistence twice over. It drops a copy of the loader to %ProgramData%\svchostupdate.exe and registers a Scheduled Task named "Windows System Update" that launches that copy, and it writes a Run key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUpd) pointing at the same binary so the implant also starts on reboot. Both names mimic legitimate Windows components to survive cursory inspection. Because the Run key sits under HKLM rather than HKCU, writing it requires administrative rights, which tells a responder that the implant was running in an elevated context by the time it persisted.

MarsSnake speaks a custom JSON protocol over HTTPS. Every 60 seconds the backdoor POSTs a heartbeat carrying system metadata (hostname, domain, OS build, running processes) and a unique victim ID derived from the machine's SMBIOS UUID. Tasking rides back in the same exchange: the implant parses the server's JSON response, decrypts the embedded payload with a repeating 4-byte XOR key stored in the binary's resource section, and hands the result to its internal command dispatcher. Two consequences matter for defenders. A fixed 60-second cadence stands out in proxy logs once the TLS endpoint is known, and a static XOR key in the PE resources can be lifted from any recovered sample and used to decode captured tasking offline.
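As an added example (not code from the original report or from ESET), the following Python models the analyst's side of the channel just described: decoding a captured server reply with the 4-byte repeating XOR key, and flagging the fixed 60-second heartbeat in proxy logs. The JSON envelope layout, the base64 encoding of the payload field, the key value, and the log lines are all assumptions constructed here for illustration; the text above only establishes the XOR scheme, the key length and location, and the beacon interval.

```python
"""Analyst-side tooling for the MarsSnake C2 channel described above: decode
a captured server reply with the 4-byte repeating XOR key, and flag the fixed
60-second heartbeat in proxy logs.  Added example, not code from the original
report or from ESET.  Assumptions, labelled here: the JSON envelope layout,
the base64 payload encoding, the sample key value and every log line are
constructed for illustration; the report only states that a 4-byte XOR key
lives in the binary's resource section and that the beacon runs every 60 s."""
import base64
import json
import statistics
from datetime import datetime
from itertools import cycle

# Assumed key value, standing in for the 4 bytes pulled out of the resource
# section of a real sample.
XOR_KEY = bytes.fromhex("5a3c9e11")


def xor_crypt(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR.  Symmetric: the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_c2_response(raw_json: str) -> dict:
    """Recover the plaintext command from a captured server reply.

    Assumed envelope: {"id": <victim id>, "payload": <base64(XOR(command JSON))>}.
    """
    envelope = json.loads(raw_json)
    plaintext = xor_crypt(base64.b64decode(envelope["payload"]))
    return json.loads(plaintext.decode("utf-8"))


# Constructed command and the reply that would carry it on the wire.
SAMPLE_COMMAND = {"task_id": 7, "cmd": "shell", "args": "whoami /all"}
SAMPLE_RESPONSE = json.dumps({
    "id": "victim-0001",
    "payload": base64.b64encode(
        xor_crypt(json.dumps(SAMPLE_COMMAND).encode("utf-8"))).decode("ascii"),
})


def parse_proxy_line(line: str):
    """Constructed format: '<ISO timestamp> <method> <host> <path>'."""
    ts, method, host, path = line.split()
    return datetime.fromisoformat(ts), method, host, path


def find_periodic_beacons(lines, expected=60.0, tolerance=5.0, min_posts=4):
    """Return {host: median gap in seconds} for hosts POSTing at a fixed cadence.

    A host is reported when it received at least `min_posts` POSTs and the
    median inter-arrival gap is within `tolerance` seconds of `expected`.
    Using the median rather than the mean keeps one long pause (laptop lid
    closed, proxy outage) from hiding an otherwise metronomic beacon.
    """
    by_host = {}
    for line in lines:
        ts, method, host, _ = parse_proxy_line(line)
        if method == "POST":
            by_host.setdefault(host, []).append(ts)
    flagged = {}
    for host, stamps in by_host.items():
        if len(stamps) < min_posts:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if abs(median_gap - expected) <= tolerance:
            flagged[host] = median_gap
    return flagged


# Constructed proxy log: a heartbeat with a few seconds of jitter next to
# ordinary, irregular traffic.  The C2 host is kept defanged as in the report.
SAMPLE_PROXY_LOG = [
    "2025-01-14T09:00:00 POST contact.decenttoy[.]top /api/v1/heartbeat",
    "2025-01-14T09:00:10 POST updates.example.com /check",
    "2025-01-14T09:01:01 POST contact.decenttoy[.]top /api/v1/heartbeat",
    "2025-01-14T09:02:00 POST contact.decenttoy[.]top /api/v1/heartbeat",
    "2025-01-14T09:02:59 POST contact.decenttoy[.]top /api/v1/heartbeat",
    "2025-01-14T09:03:45 POST updates.example.com /check",
    "2025-01-14T09:04:00 POST contact.decenttoy[.]top /api/v1/heartbeat",
    "2025-01-14T09:07:02 POST updates.example.com /check",
    "2025-01-14T09:30:00 POST updates.example.com /check",
]

if __name__ == "__main__":
    print(decode_c2_response(SAMPLE_RESPONSE))
    print(find_periodic_beacons(SAMPLE_PROXY_LOG))
```

The cadence check is deliberately tolerant: the sample jitters by a second or two around the 60-second mark, and real implants often add more, so the `tolerance` should be tuned against the proxy's own timestamp granularity before it is used as an alerting rule.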

MarsSnake supports a wide range of espionage functions:

  • Remote Shell: Spawn a cmd.exe or PowerShell process and relay stdin/stdout over the C2 channel.
  • File Operations: Upload, download, delete, or enumerate arbitrary files on disk.
  • Process Management: List, kill, or inject a reflective DLL into running processes.
  • Privilege Escalation: Attempt local token impersonation via SeImpersonatePrivilege or exploit known Windows IPC misconfigurations.
  • Lateral Movement: Execute WMI or psexec‑style commands against hosts in the local subnet.
  • Reconnaissance Plugins: Capture screenshots, enumerate local user accounts, and harvest browser‑stored credentials via direct SQLite parsing.

The backdoor is modular: its main thread loads additional components (e.g., netmod.dll, diskmod.dll) pushed by the C2 server. Each module is registered through a simple plugin manifest stored in the Windows registry (HKLM\SOFTWARE\MarsSnake\Modules), so new capabilities can be installed dynamically without updating the core binary. That registry key is also the clearest host-side fingerprint of an active deployment, since nothing legitimate writes under it.

Detection of MarsSnake can leverage the following indicators:

  1. Scheduled Task: “Windows System Update” executing %ProgramData%\svchostupdate.exe.
  2. Registry Run‑Key: HKLM\…\Run\SysUpd.
  3. Network Beacon: Outbound HTTPS POSTs to https://contact.decenttoy[.]top/api/v1/heartbeat with a JSON body, recurring at a fixed 60‑second interval.
  4. Loader Binary: Presence of smssdrvhost.exe in %TEMP% or %ProgramData%.
  5. Module Registry Entries: Keys under HKLM\SOFTWARE\MarsSnake\Modules.
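As an added example, not taken from the original report, here is a small Python hunt that applies the indicators above, together with the persistence and module-registry artifacts described earlier, to normalized endpoint telemetry in a Sysmon-style schema (process create, file create, registry value set, DNS query, plus Security event 4698 for task creation). The event schema and every sample record are constructed for illustration; only the indicator strings come from the text.

```python
"""Host-artifact hunt for the MarsSnake indicators listed above, run over
normalized endpoint events (Sysmon 1/11/13/22 and Security 4698 style).
Added example, not code from the original report or from ESET: the event
schema and every sample record are constructed here for illustration; only
the indicator strings come from the report text."""
import ntpath

C2_DOMAIN = "contact.decenttoy[.]top"          # defanged as in the report
LOADER_NAMES = {"smssdrvhost.exe", "svchostupdate.exe"}
RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run\sysupd"
MODULES_KEY_PREFIX = r"hklm\software\marssnake\modules"
TASK_NAME = "windows system update"


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def _undefang(host: str) -> str:
    """Normalize so defanged report IOCs compare equal to live telemetry."""
    return host.lower().replace("[.]", ".")


# Each rule: (name, predicate over one normalized event dict).
RULES = [
    ("office_spawned_temp_loader", lambda e:
        e.get("EventID") == 1
        and _base(e.get("ParentImage", "")) == "winword.exe"
        and "\\appdata\\local\\temp\\" in e.get("Image", "").lower()),
    ("loader_binary_executed", lambda e:
        e.get("EventID") == 1 and _base(e.get("Image", "")) in LOADER_NAMES),
    ("loader_binary_written", lambda e:
        e.get("EventID") == 11
        and _base(e.get("TargetFilename", "")) in LOADER_NAMES),
    ("run_key_sysupd", lambda e:
        e.get("EventID") == 13
        and e.get("TargetObject", "").lower().endswith(RUN_KEY_SUFFIX)),
    ("marssnake_module_registry", lambda e:
        e.get("EventID") == 13
        and e.get("TargetObject", "").lower().startswith(MODULES_KEY_PREFIX)),
    ("scheduled_task_windows_system_update", lambda e:
        (e.get("EventID") == 4698
         and e.get("TaskName", "").strip("\\").lower() == TASK_NAME)
        or (e.get("EventID") == 1
            and _base(e.get("Image", "")) == "schtasks.exe"
            and TASK_NAME in e.get("CommandLine", "").lower())),
    ("c2_dns_query", lambda e:
        e.get("EventID") == 22
        and _undefang(e.get("QueryName", "")) == _undefang(C2_DOMAIN)),
]


def hunt(events):
    """Return {computer: sorted unique rule names} for every host with a hit."""
    hits = {}
    for event in events:
        for name, matches in RULES:
            if matches(event):
                hits.setdefault(event.get("Computer", "?"), set()).add(name)
    return {host: sorted(names) for host, names in hits.items()}


# Constructed telemetry: one infected host (WS-042) and one clean one (WS-017).
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS-042",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\amal\AppData\Local\Temp\smssdrvhost.exe"},
    {"EventID": 11, "Computer": "WS-042",
     "Image": r"C:\Users\amal\AppData\Local\Temp\smssdrvhost.exe",
     "TargetFilename": r"C:\ProgramData\svchostupdate.exe"},
    {"EventID": 13, "Computer": "WS-042",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysUpd",
     "Details": r"C:\ProgramData\svchostupdate.exe"},
    {"EventID": 4698, "Computer": "WS-042", "TaskName": r"\Windows System Update"},
    {"EventID": 13, "Computer": "WS-042",
     "TargetObject": r"HKLM\SOFTWARE\MarsSnake\Modules\netmod", "Details": "netmod.dll"},
    {"EventID": 22, "Computer": "WS-042", "QueryName": "contact.decenttoy[.]top"},
    {"EventID": 1, "Computer": "WS-017", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 13, "Computer": "WS-017",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"EventID": 4698, "Computer": "WS-017",
     "TaskName": r"\Microsoft\Windows\UpdateOrchestrator\Schedule Scan"},
]

if __name__ == "__main__":
    for host, names in hunt(SAMPLE_EVENTS).items():
        print(host, names)
```

The first rule (an Office process spawning an executable out of %TEMP%) is the one worth keeping even after the named artifacts change: the file names, task name and registry paths are trivially re-branded by the operator, whereas the macro-to-loader parent/child relationship is inherent to the delivery chain described above.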

By chaining a convincing phishing lure, a lightweight loader, and a full‑featured modular backdoor, UnsolicitedBooker achieves stealthy, persistent espionage tailored to high‑value targets in Saudi Arabia and beyond. Continuous monitoring for the above artifacts and anomaly‑based network inspection are critical to disrupting this advanced threat.

Impact

The repeated targeting of the same Saudi organization over multiple years underscores UnsolicitedBooker’s strategic interest in this entity. The deployment of MarsSnake and other sophisticated backdoors indicates a focus on long-term espionage, data theft, and persistent access to sensitive governmental information. The group’s activities contribute to the broader landscape of Chinese cyber-espionage efforts, which have increasingly targeted organizations across Europe, the Middle East, and

IOC and Context Details

Topic                            Details
Tactic Name                      Initial Access, Persistence
Technique Name                   Spear-Phishing (T1566), Malware Deployment
Sub-Technique Name               Spear-Phishing Attachment (T1566.001)
Attack Type                      Cyber Espionage, Data Exfiltration
Targeted Applications            Microsoft Word (via VBA macros)
Region Impacted                  Middle East (Saudi Arabia), with broader targeting across Asia and Africa
Industry Impacted                Governmental Organizations
Indicators of Compromise (IOCs)  contact.decenttoy[.]top (C2 domain); smssdrvhost.exe (loader dropped to %TEMP%)
CVE                              None; the chain relies on user-enabled VBA macros rather than a software vulnerability

Recommended Actions

  • Email Security Enhancements: Implement advanced email filtering solutions to detect and quarantine phishing attempts.
  • User Awareness Training: Conduct regular training sessions to educate staff on recognizing and reporting phishing emails.
  • Macro Controls: Enforce the Office policy that blocks macros in files downloaded from the internet (files carrying the Mark of the Web) rather than merely warning, and consider the Microsoft Defender attack surface reduction rule "Block all Office applications from creating child processes", which would stop WINWORD.EXE from launching a dropped loader such as smssdrvhost.exe.
  • Artifact Hunting: Search endpoint and proxy telemetry for the indicators listed in the Technical Description (the Scheduled Task name, the Run key, the loader and copy paths, the module registry key, and periodic HTTPS POSTs to contact.decenttoy[.]top), and treat any Office process spawning an executable from %TEMP% as a high-priority alert.

References

https://securityaffairs.com/178105/malware/china-linked-unsolicitedbooker-used-new-backdoor-marssnake.html