MarsSnake: Air Force Infiltrates Middle East Systems

ESET has revealed the activity of a little-known but active China-aligned cyber group, which it has designated UnsolicitedBooker. According to the report, the group targeted an international organization in Saudi Arabia using a previously undocumented malicious tool called MarsSnake. The first recorded attack took place in March 2023, and intrusion attempts were repeated at least twice more, in 2024 and 2025.

During the campaign, the attackers sent phishing emails with a flight-ticket lure, purportedly on behalf of the airline Saudia. Attached to the email was a Microsoft Word document containing VBA macros. When opened, the document ran malicious code that wrote an executable named "smssdrvhost.exe" to the system. That file acted as the loader, launching the MarsSnake backdoor, which connected to a remote server at "contact.dectto[.]top".
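The chain above (Office document with macros, dropped loader, outbound connection to a command-and-control domain) gives a defender two observable signals that can be correlated per host. The following is an added detection sketch, not code from ESET or from the article; the event format, host names and sample telemetry are constructed, and only the dropped-file name and the C&C domain are taken from the article. The Office process names are an assumption about typical Windows installations.

```python
"""Detection sketch for the MarsSnake infection chain described in the article.

Constructed example: the event schema, host names and sample events are made up;
only DROPPED_LOADER and C2_DOMAIN come from the article.
"""
from collections import defaultdict

# Indicators quoted in the article
DROPPED_LOADER = "smssdrvhost.exe"
C2_DOMAIN = "contact.dectto.top"          # written contact.dectto[.]top in the article

# Office applications whose child processes deserve scrutiny (assumed typical names)
OFFICE_HOSTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed telemetry: one compromised workstation (ws-12) and one benign one (ws-07)
SAMPLE_EVENTS = [
    {"ts": 1, "type": "process", "host": "ws-12", "parent": "explorer.exe", "image": "WINWORD.EXE"},
    {"ts": 2, "type": "process", "host": "ws-12", "parent": "winword.exe", "image": "smssdrvhost.exe"},
    {"ts": 3, "type": "dns",     "host": "ws-12", "query": "contact.dectto.top."},
    {"ts": 4, "type": "process", "host": "ws-07", "parent": "explorer.exe", "image": "notepad.exe"},
    {"ts": 5, "type": "dns",     "host": "ws-07", "query": "example.com"},
]


def _norm(name):
    """Case-insensitive comparison; Windows image names vary in case across sources."""
    return name.strip().lower()


def find_office_spawned_loader(events):
    """Process events where an Office application spawns the named loader.

    The parent/child relationship is the behavioural signal; the file name is
    what the article reports and may change between campaigns.
    Returns a list of (host, ts) tuples."""
    hits = []
    for e in events:
        if e["type"] != "process":
            continue
        if _norm(e["parent"]) in OFFICE_HOSTS and _norm(e["image"]) == DROPPED_LOADER:
            hits.append((e["host"], e["ts"]))
    return hits


def find_c2_lookups(events):
    """DNS events resolving the C&C domain or any subdomain of it.

    Trailing dots (fully qualified form) are stripped before comparison."""
    hits = []
    for e in events:
        if e["type"] != "dns":
            continue
        q = _norm(e["query"]).rstrip(".")
        if q == C2_DOMAIN or q.endswith("." + C2_DOMAIN):
            hits.append((e["host"], e["ts"]))
    return hits


def correlate(events):
    """Per-host verdict: 'high' when the loader drop precedes a C2 lookup on the
    same host, 'medium' when only one of the two signals is present."""
    drops = defaultdict(list)
    for host, ts in find_office_spawned_loader(events):
        drops[host].append(ts)
    lookups = defaultdict(list)
    for host, ts in find_c2_lookups(events):
        lookups[host].append(ts)

    verdicts = {}
    for host in set(drops) | set(lookups):
        if host in drops and host in lookups and min(drops[host]) <= max(lookups[host]):
            verdicts[host] = "high"
        else:
            verdicts[host] = "medium"
    return verdicts


if __name__ == "__main__":
    for host, level in sorted(correlate(SAMPLE_EVENTS).items()):
        print(f"{host}: {level}")
```

The domain match is kept exact (plus subdomains) because a single indicator is brittle; the parent/child process check is the part worth keeping once the file name changes, and a medium-confidence hit on either signal alone is still worth a look.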

The email's content was based on a real flight ticket found on the Academia platform, where scientific papers are published. The attackers produced a plausible-looking fake document, strengthening the attack through social engineering.

UnsolicitedBooker has previously used well-known Chinese malware such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT. In its attack methods it overlaps with the Space Pirates and Zardoor clusters, the latter having recently been used in attacks on an Islamic non-profit organization in Saudi Arabia.

According to the ESET report, UnsolicitedBooker actively targets entities in Asia, Africa, and the Middle East. The repeated attacks on the same organization over three years indicate a sustained interest in the target and, possibly, the strategic significance of the victim.

At the same time, the experts noted the activity of another Chinese APT group, PerplexedGoblin, also known as APT31. In December 2024 it targeted a government organization in Central Europe, deploying the espionage backdoor NanoSlate.

In addition, the DigitalRecyclers group has been actively targeting European Union government bodies since at least 2018. It uses an ORB (operational relay box) proxy network, KMA VPN, to hide its network traffic, and employs malware such as RClient, HydroRShell, and GiftBox. Notably, Hydr
