For nearly three years, a China-aligned advanced persistent threat group known as UnsolicitedBooker operated with a narrow obsession: a single international organization in Saudi Arabia. Between 2023 and early 2025, the group hammered the same target repeatedly with spear-phishing emails disguised as airline ticket confirmations, deploying a custom backdoor called MarsSnake to establish persistent access. Then, in the fall of 2025, something changed.
UnsolicitedBooker abandoned its Saudi fixation and turned its attention to an entirely different region and an entirely different sector. Telecommunications companies in Kyrgyzstan and Tajikistan became the new targets. The phishing lures shifted from fake Saudia Airlines tickets to documents mimicking telecom tariff plans. And the malware toolkit expanded to include a previously undocumented backdoor called LuciDoor.
This pivot, documented in a February 2026 report by Positive Technologies researchers Alexander Badaev and Maxim Shamanov, is not just a story about one threat group changing targets. It is a signal that Central Asia's telecommunications infrastructure has become a priority intelligence target for state-aligned cyber espionage operations, and that the region's defenders may not be prepared for what is coming.
From Airline Tickets to Tariff Plans
UnsolicitedBooker was first publicly documented by Slovak cybersecurity firm ESET in May 2025. At the time, ESET attributed the group to a persistent campaign against an unnamed international organization in Saudi Arabia. The group's calling card was distinctive: spear-phishing emails containing Microsoft Word documents that posed as flight booking confirmations. In at least one case from January 2025, the attackers impersonated Saudia Airlines, using a decoy document based on a real PDF that was publicly available on the Academia research-sharing platform.
Once a victim opened the document and clicked "Enable Content," a VBA macro silently decoded and dropped an executable onto the system. That executable served as a loader for MarsSnake, a full-featured C++ backdoor capable of collecting system metadata, executing arbitrary commands, and reading or writing files on the compromised machine.
"The multiple attempts at compromising this organization in 2023, 2024, and 2025 indicate a strong interest by UnsolicitedBooker in this specific target." — ESET, APT Activity Report Q4 2024–Q1 2025
The group was not casting a wide net. It was engaged in what appeared to be targeted, strategic collection against a single high-value organization over a sustained period.
By September 2025, however, the Positive Technologies Expert Security Center (PT ESC) began observing a fundamentally different pattern of activity. Telecommunications companies in Kyrgyzstan were receiving phishing emails with attached Microsoft Office documents. The documents were no longer airline tickets. Instead, they displayed what appeared to be legitimate telecom provider tariff plans—a socially engineered lure designed to look routine and unremarkable to employees in the telecommunications sector.
The technical execution remained consistent with UnsolicitedBooker's established tradecraft: a macro-enabled document that required the victim to enable content, triggering a chain of malicious activity. But the payload had changed. Rather than deploying MarsSnake, the September 2025 attacks delivered a previously unknown C++ malware loader that Positive Technologies dubbed LuciLoad, which in turn installed a new backdoor they named LuciDoor.
By November 2025, the group had shifted again, this time deploying MarsSnakeLoader to deliver MarsSnake against additional targets. And by January 2026, phishing emails were reaching companies in Tajikistan, though with a tactical adjustment: instead of attaching malicious documents directly, the emails now contained links to decoy documents hosted externally.
Two Backdoors, One Objective
Understanding LuciDoor and MarsSnake side by side reveals a group that maintains parallel capabilities and rotates between them, likely as a form of operational security.
LuciDoor, written in C++, establishes encrypted communication with a command-and-control server, collects basic system information such as computer name and operating system version, and exfiltrates that data in encrypted format. It parses responses from the C2 server to execute commands through cmd.exe, write files to the local system, and upload files back to the attacker's infrastructure.
MarsSnake offers a similar capability set. It harvests system metadata, supports arbitrary command execution, and can read or write any file on disk. Matthieu Faou, senior malware researcher at ESET, has noted that MarsSnake appears to be exclusively used by UnsolicitedBooker—a relatively unusual characteristic in an ecosystem where tool-sharing among China-aligned APTs is commonplace.
What makes UnsolicitedBooker's behavior particularly noteworthy is the way the group cycles between these tools. As Positive Technologies noted in their report, the group initially relied on LuciDoor in September 2025, then shifted to MarsSnake in November 2025, and by early 2026 returned to LuciDoor. This pattern of tool rotation suggests a mature operational mindset: the group deliberately varies its footprint from campaign to campaign to complicate detection and attribution.
The researchers also observed at least one case where the attackers used a compromised MikroTik router as a C2 server. This is a well-known tactic among sophisticated threat groups: by routing command-and-control traffic through legitimate, compromised infrastructure rather than dedicated attacker-owned servers, the operators make their network traffic harder to distinguish from normal activity. The use of a router running an outdated PolarSSL (now Mbed TLS) TLS stack provided investigators with a distinctive fingerprint that helped connect disparate elements of the campaign.
The Toolbox That Points to Beijing
While UnsolicitedBooker maintains its own custom tools, its broader arsenal places the group firmly within the Chinese cyber espionage ecosystem.
Beyond LuciDoor and MarsSnake, the group has been observed using Chinoxy, Deed RAT (a successor to the well-known ShadowPad backdoor, which itself evolved from PlugX), Poison Ivy, and BeRAT. Every one of these tools is widely shared among China-aligned threat groups. Their presence in UnsolicitedBooker's toolkit does not prove Chinese government direction, but it does tie the group to a known ecosystem of state-aligned espionage actors.
ESET has assessed with high confidence that UnsolicitedBooker is China-aligned, based on the tactics used, victimology patterns, and what the company described as relevant non-public data. Faou has stated that ESET has observed the group targeting entities across multiple countries.
"Over the past several years, we have observed the group targeting entities in multiple countries, including Algeria, Belgium, Egypt, India, Mongolia, Saudi Arabia, and Taiwan." — Matthieu Faou, Senior Malware Researcher at ESET, in comments to The Hacker News
Positive Technologies identified additional forensic evidence pointing toward Chinese origins. Documents used in the attacks contained metadata showing that the eastAsia language field was set to zh-CN (Chinese Simplified), even though the document content was written in Russian. This suggests the authors were using a Chinese-language installation of Microsoft Office, or they used a Chinese-language document template without clearing the default language settings.
The researchers also identified tactical overlaps between UnsolicitedBooker and two other clusters: Space Pirates, a China-aligned group first documented by Positive Technologies in 2022 that has targeted Russian aerospace and government entities, and an unnamed group that previously deployed the Zardoor backdoor against Islamic non-profit organizations in Saudi Arabia. These overlaps suggest either shared development resources or coordinated activity within what analysts increasingly describe as an interconnected Chinese threat ecosystem.
"In their attacks, the group used rare tools of Chinese origin." — Positive Technologies, PT ESC Threat Intelligence report, February 2026
Why Telecom? Why Central Asia?
The question of why UnsolicitedBooker shifted from a Saudi international organization to Central Asian telecommunications providers deserves careful examination, because the answer has implications far beyond this single threat group.
Telecommunications companies are among the highest-value targets in the cyber espionage landscape. Access to a telecom network can provide an intelligence service with the ability to monitor communications, track the movements of persons of interest, access subscriber records, and potentially intercept unencrypted data in transit. As Dick O'Brien, principal threat intelligence analyst for Symantec's threat hunter team, has observed in the context of similar campaigns targeting Asian telecom providers: there is the potential for eavesdropping and surveillance, and because telecoms represent critical infrastructure, attackers could create significant disruption in a target country.
The timing of UnsolicitedBooker's pivot to Central Asia is notable. Kyrgyzstan and Tajikistan occupy a geographically and strategically significant position along China's western border. Both countries are participants in China's Belt and Road Initiative, and their telecommunications infrastructure represents a nexus of political, economic, and security-relevant communications.
This is not an isolated development. China-linked cyber espionage against telecommunications providers has escalated dramatically in recent years. In a joint advisory released on August 27, 2025, CISA, the NSA, and the FBI warned that Chinese state-sponsored actors were targeting networks globally across multiple sectors, with activity overlapping with groups tracked as Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807, and GhostEmperor (advisory AA25-239A). That advisory described persistent, long-term access campaigns exploiting vulnerabilities in provider edge and customer edge routers of major telecommunications providers—devices that often lack adequate visibility and are difficult to monitor—as well as persistent intrusions into government, transportation, lodging, and defense networks.
In February 2026, Google's Threat Intelligence Group disclosed the disruption of UNC2814, a suspected China-linked group also known as Gallium that had compromised 53 organizations across 42 countries, with a heavy focus on telecommunications providers and government entities. Google described the intrusions as the product of "a decade of concentrated effort" and noted that "prolific intrusions of this scale are generally the result of years of focused effort and will not be easily re-established." The attackers used a novel backdoor called GRIDTIDE that abused the Google Sheets API as a command-and-control channel to disguise malicious traffic within legitimate cloud API requests.
And separately, in early February 2026, Singapore's Cyber Security Agency confirmed that all four of the country's major telecom operators—M1, SIMBA Telecom, Singtel, and StarHub—had been targeted by the China-linked group UNC3886, prompting the country's largest coordinated cyber incident response effort to date, dubbed Operation Cyber Guardian.
UnsolicitedBooker's campaign against Kyrgyz and Tajik telecoms fits squarely within this broader pattern. The group may be relatively small and its tooling less sophisticated than the likes of Salt Typhoon, but its targeting choices reflect the same strategic logic: telecommunications infrastructure is the backbone of modern surveillance capability, and gaining access to it provides enormous intelligence value.
Infrastructure That Mimics Russia
One of the more intriguing findings in the Positive Technologies report is that some of UnsolicitedBooker's infrastructure appeared to be masquerading as Russian.
"Furthermore, in at least one case, we observed the attackers using a hacked router as a C2 server, and their infrastructure mimicked that of Russia in some attacks." — Positive Technologies researchers, February 2026
False flag operations—where attackers deliberately plant forensic artifacts pointing toward a different country or group—are a well-documented tactic in the APT landscape. If UnsolicitedBooker is deliberately making its infrastructure appear Russian, it could be an attempt to deflect attribution in a region where both Russia and China maintain significant intelligence interests. Central Asia has historically been considered part of Russia's sphere of influence, and Russian-language phishing lures would appear more natural to targets in Kyrgyzstan and Tajikistan than Chinese-language ones.
The finding that the phishing documents themselves were written in Russian while containing Chinese-language metadata in the underlying XML structure further complicates the picture. It suggests a group that understands its operational environment well enough to craft culturally appropriate lures while potentially leaving behind traces of its true origin in the technical layers that victims are unlikely to inspect.
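The language-metadata check described in the "Toolbox" section and revisited here is something an analyst can automate. The script below is an added example, not code from the Positive Technologies report: it unpacks an Office Open XML document in memory, reports whether a VBA project is embedded (the macro-enabled delivery the group relies on), and collects every language attribute declared on `w:lang` elements in the document's styles, body and settings parts, flagging the case the report describes, a `w:eastAsia` value that matches none of the text (`w:val`) languages. The sample documents are constructed in memory for the demonstration; the heuristic is the one the article states, not a rule from the report.

```python
"""Triage a .docx/.docm for two artifacts discussed above: an embedded
VBA project and a mismatch between the declared East Asian language
and the text language.  Added example; sample files are constructed."""
import io
import re
import zipfile

# Language attributes carried by WordprocessingML <w:lang> elements.
LANG_TAG_RE = re.compile(r"<w:lang\b[^>]*/?>")
LANG_ATTR_RE = re.compile(r'w:(val|eastAsia|bidi)="([A-Za-z]{2,3}-[A-Za-z]{2,4})"')

# Parts of the package that commonly carry language defaults.
LANG_PARTS = ("word/styles.xml", "word/document.xml", "word/settings.xml")


def _language_fields(xml_text):
    """Return a set of (attribute, language-tag) pairs from every <w:lang>."""
    found = set()
    for tag in LANG_TAG_RE.findall(xml_text):
        for attr, value in LANG_ATTR_RE.findall(tag):
            found.add((attr, value))
    return found


def triage_docx(data):
    """Inspect a Word package given as bytes.

    Returns a dict with:
      has_vba   -- True if word/vbaProject.bin is present (macro-enabled file)
      languages -- attribute name -> sorted list of language tags observed
      mismatch  -- True if an eastAsia language is declared and none of the
                   declared text (w:val) languages equals it
    """
    fields = set()
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        has_vba = "word/vbaProject.bin" in names
        for part in LANG_PARTS:
            if part in names:
                fields |= _language_fields(z.read(part).decode("utf-8", "replace"))

    languages = {}
    for attr, value in fields:
        languages.setdefault(attr, set()).add(value)
    languages = {k: sorted(v) for k, v in languages.items()}

    text_langs = set(languages.get("val", []))
    east_asia = set(languages.get("eastAsia", []))
    mismatch = bool(east_asia) and east_asia.isdisjoint(text_langs)
    return {"has_vba": has_vba, "languages": languages, "mismatch": mismatch}


def build_sample_docx(text_lang="ru-RU", east_asia_lang="zh-CN", with_vba=True):
    """Construct a minimal Word package in memory (constructed test data,
    not a real document).  The docDefaults element mirrors where Word
    records the installation's default languages."""
    w_ns = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
    styles = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:styles xmlns:w="{w_ns}"><w:docDefaults><w:rPrDefault><w:rPr>'
        f'<w:lang w:val="{text_lang}" w:eastAsia="{east_asia_lang}" w:bidi="ar-SA"/>'
        '</w:rPr></w:rPrDefault></w:docDefaults></w:styles>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<w:document xmlns:w="{w_ns}"><w:body><w:p><w:r><w:rPr>'
        f'<w:lang w:val="{text_lang}"/></w:rPr>'
        '<w:t>Тарифные планы</w:t></w:r></w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/styles.xml", styles)
        z.writestr("word/document.xml", document)
        if with_vba:
            # Placeholder bytes standing in for an OLE-wrapped VBA project.
            z.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    print("suspicious:", triage_docx(build_sample_docx()))
    print("benign:    ", triage_docx(build_sample_docx("ru-RU", "ru-RU", with_vba=False)))
```

Run against a real file with `triage_docx(open(path, "rb").read())`. A mismatch alone is weak evidence (templates and shared machines produce it too), so treat it as one pivot in triage, to be weighed alongside the macro indicator and the delivery context.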
What This Means for Defenders
UnsolicitedBooker does not rely on zero-day exploits or novel attack chains. Its primary initial access vector is the same one that has been compromising organizations for decades: phishing emails with macro-enabled Office documents. The fact that this approach continues to work against telecommunications providers in 2026 is itself a finding worth attention.
The group's tradecraft is disciplined rather than flashy. It uses controlled loader execution, encrypted C2 communications, and adaptable infrastructure. It rotates tools to avoid detection signatures. It compromises legitimate routers to host C2 servers. None of these techniques are groundbreaking, but taken together, they represent a mature and effective operational approach.
For telecommunications companies operating in Central Asia and beyond, the implications are direct. Organizations should treat phishing awareness as a critical defensive priority, particularly around macro-enabled document delivery. Behavioral endpoint detection that can identify suspicious command execution through cmd.exe and unusual file exfiltration activity is essential. Network segmentation that limits lateral movement within telecom infrastructure reduces the impact of a successful compromise. And monitoring for anomalous TLS fingerprints, particularly those associated with outdated libraries like PolarSSL, can help identify compromised devices being used as C2 relays.
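The behavioral endpoint detection recommended above can be expressed as two simple rules over process and file telemetry: an Office application spawning a command interpreter, and an Office process writing an executable to disk (the macro-drops-loader step described earlier). The following is an added example, not a detection from the report or from any vendor product. It uses Sysmon-style field names (`Image`, `ParentImage`, `CommandLine`, `TargetFilename`) on a list of constructed events; the host name, paths and command line are made up for the demonstration.

```python
"""Two behavioral rules for the intrusion chain described above, run
over constructed Sysmon-style events.  Added example; no real telemetry."""
from dataclasses import dataclass

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
EXEC_EXTENSIONS = (".exe", ".dll", ".scr")


@dataclass
class Alert:
    rule: str
    host: str
    detail: str


def _basename(path):
    """Lower-cased file name from a Windows or POSIX style path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return an Alert for each event matching one of the two rules."""
    alerts = []
    for ev in events:
        kind = ev.get("EventType")
        if kind == "ProcessCreate":
            parent = _basename(ev.get("ParentImage", ""))
            child = _basename(ev.get("Image", ""))
            # Rule 1: Office application spawning a command interpreter.
            if parent in OFFICE_APPS and child in INTERPRETERS:
                alerts.append(Alert(
                    "office_spawns_interpreter", ev.get("Host", "?"),
                    f"{parent} -> {child}: {ev.get('CommandLine', '')}"))
        elif kind == "FileCreate":
            proc = _basename(ev.get("Image", ""))
            target = ev.get("TargetFilename", "")
            # Rule 2: Office process writing an executable to disk.
            if proc in OFFICE_APPS and target.lower().endswith(EXEC_EXTENSIONS):
                alerts.append(Alert(
                    "office_writes_executable", ev.get("Host", "?"),
                    f"{proc} wrote {target}"))
    return alerts


# Constructed sample telemetry: two benign events, one benign document save,
# then the two events a macro dropper would produce.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Host": "WS-TEST-01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": "splwow64.exe 12288"},
    {"EventType": "ProcessCreate", "Host": "WS-TEST-01",
     "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"EventType": "FileCreate", "Host": "WS-TEST-01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\user\Documents\report.docx"},
    {"EventType": "FileCreate", "Host": "WS-TEST-01",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\svc\update.exe"},
    {"EventType": "ProcessCreate", "Host": "WS-TEST-01",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c C:\Users\user\AppData\Roaming\svc\update.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.host}: {alert.detail}")
```

The benign Office-to-splwow64.exe spawn and the Explorer-launched shell pass through untouched, while the executable drop and the Office-launched cmd.exe each raise an alert. In production these rules sit in the EDR or SIEM rather than a script, and the executable-write rule should be tuned against legitimate add-in installers before it is made alerting.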
Perhaps the point that warrants the sharpest emphasis is this: the China-aligned cyber espionage ecosystem is not monolithic. It is not just Salt Typhoon and Volt Typhoon making headlines. Smaller, less-publicized groups like UnsolicitedBooker are operating in parallel, targeting strategically important infrastructure in regions that may receive less attention from the global cybersecurity community but are no less important to the intelligence objectives of the actors behind them.
The doors to Central Asia's telecom networks are being tested. The question is whether defenders will hear the knocking before it is too late.
Sources
- Positive Technologies, "Poisonous Mars, or How LuciDoor Knocks on the Doors of the CIS," PT ESC Threat Intelligence, February 2026
- ESET, "APT Activity Report Q4 2024–Q1 2025," May 2025
- The Hacker News, "UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors," February 24, 2026
- The Hacker News, "Chinese Hackers Deploy MarsSnake Backdoor in Multi-Year Attack on Saudi Organization," May 21, 2025
- CISA, NSA, FBI, Joint Advisory AA25-239A, "Countering Chinese State-Sponsored Actors Compromise of Networks Worldwide," August 27, 2025
- SC Media, "UnsolicitedBooker Targets Telecoms in Central Asia with New Backdoors," February 2026
- Google Threat Intelligence Group, "Disrupting the GRIDTIDE Global Cyber Espionage Campaign," UNC2814 Disruption Report, February 2026
- The Hacker News, "China-Linked UNC3886 Targets Singapore Telecom Sector," February 2026
- Dark Reading, "China-Linked Espionage Groups Target Asian Telecoms," June 2024