The emergence of UnsolicitedBooker as a significant cyber threat in Central Asia marks a notable shift in their operations. Telecommunications companies in Kyrgyzstan and Tajikistan have recently come under attack by this group, which previously focused its efforts on Saudi Arabian targets. According to a recent report from Positive Technologies, the attackers have utilized two sophisticated backdoors named LuciDoor and MarsSnake.
Targeted Attacks on Kyrgyzstan and Tajikistan
The cybercriminals behind UnsolicitedBooker have been active since at least March 2023. Initially identified by ESET in May 2025, the group was linked to cyber activities targeting an international organization in Saudi Arabia. The latest attacks, however, highlight their focus on Kyrgyz telecommunications, employing phishing emails that include Microsoft Office documents to deliver malware.
These documents, appearing as legitimate telecom tariff plans, prompt users to enable macros, which then execute a malware loader. This loader, known as LuciLoad, subsequently installs the LuciDoor backdoor. A similar attack pattern was observed in November 2025, with a variant loader, MarsSnakeLoader, deploying MarsSnake malware.
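The delivery chain above turns on a macro-enabled Office document. The following Python snippet is an added defender-side example, not code from the report or from Positive Technologies: it opens an OOXML attachment as the zip container it is and flags any document that carries a VBA project part, which is a cheap triage step for mail gateways or sandboxes before a user is ever asked to "enable content". The sample documents are constructed in memory for the demonstration; the check assumes modern OOXML (.docm/.docx/.xlsm and friends) and does not cover legacy OLE2 .doc files.

```python
import io
import zipfile

def build_docx(with_macro: bool) -> bytes:
    """Build a minimal OOXML container in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # Real VBA projects are OLE2 streams; the OLE2 magic bytes stand in for one here.
            z.writestr("word/vbaProject.bin",
                       b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 16)
    return buf.getvalue()

def classify(data: bytes) -> str:
    """Return 'macro', 'no-macro' or 'not-ooxml' for a document's raw bytes."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            names = [n.lower() for n in z.namelist()]
    except zipfile.BadZipFile:
        return "not-ooxml"
    # Word, Excel and PowerPoint all store VBA code in a part named vbaProject.bin.
    if any(n.endswith("vbaproject.bin") for n in names):
        return "macro"
    return "no-macro"

def triage(attachments):
    """Given (filename, bytes) pairs, return the names of attachments that embed macros."""
    return [name for name, data in attachments if classify(data) == "macro"]

if __name__ == "__main__":
    # Constructed mailbox: one macro-enabled lure styled as a tariff plan, one clean memo.
    inbox = [
        ("tariff_plan.docm", build_docx(True)),
        ("memo.docx", build_docx(False)),
        ("notes.txt", b"plain text, not an Office file"),
    ]
    for name in triage(inbox):
        print(f"[!] macro-enabled attachment: {name}")
```

Presence of a VBA project is a signal to route the file to sandbox detonation or block it at the gateway, not proof of malice on its own; a second-stage check would extract the project and look for auto-run entry points, which needs an OLE2 parser such as oletools rather than the standard library alone.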
Advanced Malware Techniques
UnsolicitedBooker’s use of LuciDoor and MarsSnake showcases their technical expertise. Written in C++, LuciDoor connects to a command-and-control server, collecting and transmitting system data. It can execute commands, modify files, and upload content through cmd.exe. MarsSnake shares similar functionalities, executing arbitrary commands and accessing files on the infected systems.
Interestingly, MarsSnake has also been linked to attacks in China. These operations begin with a Windows shortcut masquerading as a Word document, launching scripts to activate the malware without a loader. This technique resembles tactics used by the Mustang Panda group in previous campaigns targeting Thailand.
Strategic Implications and Future Outlook
The strategic targeting of telecom companies in Central Asia by UnsolicitedBooker underscores the evolving nature of cyber threats. Positive Technologies notes that the group initially employed LuciDoor but shifted to MarsSnake, only to revert to LuciDoor by 2026. This willingness to rotate tooling shows the group remains a persistent threat.
Other cybersecurity threats have also emerged, such as PseudoSticky, mimicking pro-Ukrainian groups to target Russian organizations. This group uses phishing and trojans like RemcosRAT and DarkTrack RAT for data theft. Meanwhile, Cloud Atlas targets Russian entities using custom malware such as VBShower and VBCloud.
The continued evolution of these threat actors highlights the need for vigilant cybersecurity measures. Organizations must remain proactive in defending against increasingly sophisticated cyber threats as these groups adapt their strategies and tools.
