Chinese Hackers Unleash MarsSnake Backdoor in Prolonged Saudi Cyber Assault

Top Highlights

1. Threat Actor Activity: The China-aligned hacking group UnsolicitedBooker targeted an international organization in Saudi Arabia, using spear-phishing emails with flight tickets as lures, in campaigns detected by ESET from 2023 to early 2025.

2. Techniques and Tools: The group utilizes sophisticated tactics, including backdoors like MarsSnake, Chinoxy, and DeedRAT, to infiltrate governmental organizations across Asia, Africa, and the Middle East.

3. Persistent Targeting: ESET highlighted UnsolicitedBooker’s persistent interest, evidenced by multiple attack attempts on the same Saudi Arabian target between 2023 and 2025.

4. Broad Cyber Threat Landscape: The report also references activities from other Chinese groups, such as PerplexedGoblin and DigitalRecyclers, showcasing an ongoing trend of targeted espionage against governmental entities across various regions.

Problem Explained

On May 20, 2025, cybersecurity firm ESET reported the nefarious activities of a China-aligned threat group known as UnsolicitedBooker, which has been actively targeting an unnamed international organization in Saudi Arabia. This group has ingeniously employed the MarsSnake backdoor—a method of clandestine access to systems—via spear-phishing tactics that use deceptive flight booking emails, an approach observed as early as March 2023. Specifically, they crafted these emails to lure recipients by impersonating Saudia Airlines, attaching manipulated Microsoft Word documents that, once opened, execute a macro to install the MarsSnake backdoor, establishing communication with a remote server.

The persistence of this campaign, marked by multiple infiltration attempts over the years, underscores UnsolicitedBooker’s focused interest in this particular target, which aligns with their broader M.O. of compromising governmental organizations across Asia, Africa, and the Middle East. Their operational methods also exhibit similarities to other Chinese hacking groups, linked to various backdoors like Chinoxy and DeedRAT, illustrating a trend in cyber espionage practices utilized by state-aligned actors. ESET’s findings provide crucial insights into the evolving nature of cyber threats, while also highlighting ongoing attacks from other groups such as DigitalRecyclers and PerplexedGoblin, further demonstrating the pervasive threat landscape facing international organizations.

Critical Concerns

The cyber incursions orchestrated by the threat actor UnsolicitedBooker, as highlighted in recent reports, underscore a substantial risk to not just the targeted organization in Saudi Arabia, but to a broader network of businesses, users, and governmental entities who may unwittingly share digital infrastructure or communications channels with compromised systems. The sophisticated use of spear-phishing tactics, particularly through the guise of enticing emails related to flight bookings, illustrates a cunning methodology that, if replicated, can lead to widespread data breaches, operational disruptions, and even espionage across various sectors. Such incidents could erode consumer trust, incite financial losses, and prompt regulatory scrutiny, dramatically destabilizing market confidence and collaborative frameworks essential for international business operations. Thus, the ramifications extend beyond immediate victims; they threaten to create a cascading effect, where the integrity of entire organizational ecosystems is compromised, prompting a collective reevaluation of cybersecurity protocols and inter-organizational dependencies.

Possible Next Steps

In an era where cyber threats proliferate at an alarming rate, the timeliness of remediation becomes pivotal, especially in light of the sustained attacks by Chinese hackers utilizing the MarsSnake backdoor against a Saudi organization. Prompt and decisive action can mitigate potential damage and strengthen overall cyber resilience.

Mitigation Steps

1. Incident Response Plan
   Develop and refine a robust incident response framework tailored to address specific threats posed by backdoor vulnerabilities.

2. Network Segmentation
   Implement stringent segmentation across the network to contain potential intrusions and minimize lateral movement by threat actors.

3. Threat Intelligence Sharing
   Engage in collaborative threat information sharing with industry partners and governmental bodies to stay informed of evolving tactics.

4. Regular Patch Management
   Ensure all systems and applications are regularly updated and patched to close vulnerabilities exploited by the MarsSnake backdoor.

5. User Education and Training
   Foster a culture of cybersecurity awareness among employees through regular training sessions focused on identifying phishing attacks and social engineering tactics that may precede such breaches.

6. Enhanced Monitoring Solutions
   Deploy advanced monitoring tools capable of detecting unusual activity indicative of a backdoor installation or exploitation.

NIST Guidance
The NIST Cybersecurity Framework (CSF) emphasizes a holistic strategy encompassing identification, protection, detection, response, and recovery. Specifically, organizations should reference NIST Special Publication 800-53 for comprehensive guidance on implementing security and privacy controls tailored to mitigate identified risks associated with advanced persistent threats like the MarsSnake backdoor.

Stay Ahead in Cybersecurity

Stay informed on the latest Threat Intelligence and Cyberattacks.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1