MarsSnake Backdoor Reveals Persistent Chinese Espionage Campaigns in Middle East and Europe

Threat intelligence analysts have uncovered details about a cyber-espionage campaign conducted by a China-aligned threat group known as UnsolicitedBooker, which targeted an international organization in Saudi Arabia using a newly identified malware dubbed MarsSnake.

According to a report by ESET, the group's activities were first detected in March 2023 and resurfaced a year later, indicating a persistent interest in the Saudi entity. The attacks employed spear-phishing emails with fake flight itineraries as bait to trick victims into opening malicious attachments.

"UnsolicitedBooker commonly uses flight ticket lures in phishing emails to target governmental bodies across Asia, Africa, and the Middle East," ESET noted in its APT Activity Report covering October 2024 to March 2025.

This campaign shares links with other operations attributed to Chinese threat clusters, including Space Pirates, and bears similarities to previous attacks that utilized the Zardoor backdoor against an Islamic non-profit group in Saudi Arabia.

The latest intrusion, detected in January 2025, mimicked a message from Saudia Airlines and included a Microsoft Word document featuring a flight ticket decoy—a modified version of a PDF sourced from Academia.edu, a popular academic sharing platform.

Once opened, the document runs a VBA macro, which decodes and drops an executable called "smssdrvhost.exe" onto the system. This file acts as a loader for MarsSnake, establishing a connection with a command-and-control (C2) server at "contact.decenttoy[.]top".
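The delivery chain just described lends itself to two simple hunting checks: an Office process spawning the dropped loader, and a DNS lookup of the C2 host. The script below is an added example, not code from ESET's report; the Sysmon-style key=value log lines it scans are constructed for illustration, and the field names (event, host, parent, image, query) are assumptions of this example.

```python
"""Hunt constructed endpoint telemetry for the MarsSnake delivery chain.

Checks two behaviours from the report:
  1. a Microsoft Office process spawning the dropped loader "smssdrvhost.exe"
  2. a DNS lookup of the C2 host "contact.decenttoy[.]top" (defanged in the report)
The log lines below are constructed for this example, not real telemetry.
"""
import re

OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe"}
DROPPED_LOADER = "smssdrvhost.exe"
C2_HOST_DEFANGED = "contact.decenttoy[.]top"

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable string."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

# Minimal key="value" parser for the assumed Sysmon-style line format.
KV = re.compile(r'(\w+)="([^"]*)"')

def parse(line: str) -> dict:
    return dict(KV.findall(line))

def find_hits(lines):
    """Return (rule, host, detail) tuples for every line matching a check."""
    c2 = refang(C2_HOST_DEFANGED)
    hits = []
    for line in lines:
        ev = parse(line)
        if ev.get("event") == "ProcessCreate":
            if (basename(ev.get("parent", "")) in OFFICE_PROCS
                    and basename(ev.get("image", "")) == DROPPED_LOADER):
                hits.append(("office_spawned_loader", ev["host"], ev["image"]))
        elif ev.get("event") == "DnsQuery":
            if ev.get("query", "").lower().rstrip(".") == c2:
                hits.append(("c2_dns_lookup", ev["host"], ev["query"]))
    return hits

SAMPLE_LOG = [  # constructed sample telemetry
    'event="ProcessCreate" host="ws01" parent="C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" image="C:\\Users\\u\\AppData\\Roaming\\smssdrvhost.exe"',
    'event="ProcessCreate" host="ws01" parent="C:\\Windows\\explorer.exe" image="C:\\Windows\\System32\\notepad.exe"',
    'event="DnsQuery" host="ws01" query="contact.decenttoy.top"',
    'event="DnsQuery" host="ws02" query="update.microsoft.com"',
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_LOG):
        print(*hit)
```

Matching on the parent/child relationship rather than the file name alone keeps the check useful even if the loader is renamed, since Office spawning an executable from a user-writable directory is itself worth reviewing.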

ESET emphasized that the repeated targeting of the same organization over three consecutive years suggests a high-value intelligence objective for UnsolicitedBooker.

Meanwhile, another Chinese threat actor, PerplexedGoblin (APT31), was linked to an espionage operation in December 2024 targeting a Central European government, deploying a backdoor called NanoSlate.

The report also highlights continued malicious activity by DigitalRecyclers, a threat group believed to be tied to Ke3chang and BackdoorDiplomacy, placing it within the broader APT15 umbrella. Since its discovery in 2021, DigitalRecyclers has consistently attacked EU government entities, using the KMA VPN ORB network to mask activity and deploying a suite of malware tools, including RClient, HydroRShell, and GiftBox.

The HydroRShell backdoor, introduced in September 2023, stands out for its use of Google’s Protocol Buffers (Protobuf) and Mbed TLS for encrypted communication with its C2 infrastructure, demonstrating the evolving sophistication of these espionage operations.