{"id":216879,"date":"2026-02-24T04:54:00","date_gmt":"2026-02-24T09:54:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/02\/24\/unsolicitedbooker-targets-central-asian-telecoms-with-lucidoor-and-marssnake-backdoors\/"},"modified":"2026-02-24T08:00:10","modified_gmt":"2026-02-24T13:00:10","slug":"unsolicitedbooker-targets-central-asian-telecoms-with-lucidoor-and-marssnake-backdoors","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/02\/24\/unsolicitedbooker-targets-central-asian-telecoms-with-lucidoor-and-marssnake-backdoors\/","title":{"rendered":"UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/unsolicitedbooker-targets-central-asian.html\">UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/unsolicitedbooker-targets-central-asian.html\">https:\/\/thehackernews.com\/2026\/02\/unsolicitedbooker-targets-central-asian.html<\/a><\/p>\n<p>Publish Date: 2026-02-24 04:54:00<\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>The threat activity cluster known as <strong>UnsolicitedBooker<\/strong> has been observed targeting telecommunications companies in Kyrgyzstan and Tajikistan, marking a shift from prior attacks aimed at Saudi Arabian entities.<\/p>\n<p>The attacks involve the deployment of two distinct backdoors codenamed LuciDoor and MarsSnake, according to a report published by Positive Technologies last week.<\/p>\n<p>&#8220;The group used several unique and rare instruments of Chinese origin,&#8221; researchers Alexander Badaev and Maxim Shamanov said.<\/p>\n<p>UnsolicitedBooker was first documented by ESET in May 2025, attributing the China-aligned threat actor to a cyber attack targeting an unnamed international organization in 
Saudi Arabia with a backdoor dubbed MarsSnake. The group is assessed to be active since at least March 2023 and has a history of targeting organizations in Asia, Africa, and the Middle East.<\/p>\n<p>Further analysis of the threat actor has uncovered tactical overlaps with two other clusters, including Space Pirates and an as-yet-unattributed campaign targeting Saudi Arabia with another backdoor referred to as Zardoor.<\/p>\n<p>The latest set of attacks documented by the Russian cybersecurity vendor was found to target Kyrgyz organizations in late September 2025 with phishing emails containing a Microsoft Office document, which, when opened, instructs recipients to &#8220;Enable Content&#8221; so as to run a malicious macro.<\/p>\n<p>While the document displays a telecom provider&#8217;s tariff plan to the victim, the macro stealthily drops a C++ malware loader called LuciLoad that, in turn, delivers LuciDoor. Another attack observed in late November 2025 adopted the same modus operandi, only this time it used a different loader codenamed MarsSnakeLoader to deploy MarsSnake.<\/p>\n<p>As recently as January 2026, UnsolicitedBooker is said to have leveraged phishing emails as a vector to target companies in Tajikistan. 
While the overall attack chain remains the same, the messages embedded links to the decoy documents as opposed to directly attaching&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/unsolicitedbooker-targets-central-asian.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors https:\/\/thehackernews.com\/2026\/02\/unsolicitedbooker-targets-central-asian.html Publish Date: 2026-02-24 04:54:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":216880,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhSNzH9FCcwXlaHaCt3zQfmpwV3uesrW_2ISdcvbuKMl7PIENe9w6dhzBVpj19_BmgHKcZIzxBLSBFOmwNx2ahUast29Tk_LJoY8qz-SrJziWhHTHURX8HTvJuIVvMJourUJ0Hw8RKnXYUFcz9wsaO7_halOZmw3gof1-N1-jI-MtNsztV5YYP4WvQdPBcY\/s16000\/TELECOM.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,32,25,34],"class_list":["post-216879","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/216879"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=216879"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/216879\/revisions"}],"predecessor-version":[{"id":216881,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/216
879\/revisions\/216881"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/216880"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=216879"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=216879"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=216879"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}