Introduction
Nation-state actors continue to use sophisticated tradecraft against high-value targets. A recent investigation by ESET, a Slovak cybersecurity company, has exposed a China-aligned cyber espionage campaign by a group dubbed UnsolicitedBooker, which deployed a previously undocumented backdoor named MarsSnake. The campaign targeted a prominent international organization in Saudi Arabia, pointing to a persistent and strategic interest in that target. Alongside it, other China-aligned groups such as PerplexedGoblin and DigitalRecyclers carried out attacks on government entities across Europe, Asia, and the Middle East. This article explores the tactics, techniques, and tools employed by these threat actors, the strategies they share, and the implications for defenders.
UnsolicitedBooker and the MarsSnake Backdoor
ESET first identified UnsolicitedBooker's activity in March 2023, with a resurgence in January 2025. The threat actor used spear-phishing emails carrying fake flight ticket documents to get a foothold in its victims. The emails purported to come from Saudia Airlines and targeted a Saudi-based international organization. The attachment, a Microsoft Word document, contained VBA macros that ran malicious code when the document was opened with macros enabled.
The execution chain ended with an executable named "smssdrvhost.exe", which served as the loader for the MarsSnake backdoor. Once running, MarsSnake connected to its command-and-control (C&C) server at contact.decenttoy[.]top, giving the operators remote access to the infected system.
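To make the delivery chain above concrete, here is a small detection routine written for this article (it is not ESET's code and not part of their research). It runs over constructed endpoint events in a simplified JSON shape that is assumed here rather than taken from any particular product, and flags the two observables the report hands a defender: an Office process spawning an executable named smssdrvhost.exe, and a DNS query for contact.decenttoy[.]top. It also shows the refanging step needed to turn the published indicator back into a matchable hostname; the sample events, hostnames and file paths are invented for the example.

```python
"""Toy detection over constructed endpoint telemetry for the MarsSnake
delivery chain (Word macro -> smssdrvhost.exe loader -> C&C at
contact.decenttoy[.]top). Added example, not ESET's code; the event
format and the sample events below are constructed for illustration."""
import json
import re

# Indicators as published in the article. Reports defang domains so they
# are not clickable; refang() turns them back into a matchable hostname.
C2_DOMAINS_DEFANGED = ["contact.decenttoy[.]top"]
LOADER_NAMES = {"smssdrvhost.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}


def refang(indicator: str) -> str:
    """Undo common defanging: '[.]' -> '.' and 'hxxp' -> 'http'."""
    return re.sub(r"\[\.\]", ".", indicator).replace("hxxp", "http")


C2_DOMAINS = {refang(d).lower() for d in C2_DOMAINS_DEFANGED}


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_event(ev: dict) -> list:
    """Return a list of (severity, reason) findings for one event."""
    findings = []
    kind = ev.get("type")
    if kind == "process_create":
        child = basename(ev.get("image", ""))
        parent = basename(ev.get("parent_image", ""))
        if child in LOADER_NAMES:
            findings.append(("high", f"known loader name {child} executed"))
        # Office spawning an executable is the generic macro-execution pattern,
        # independent of this campaign's specific file name.
        if parent in OFFICE_PARENTS and child.endswith(".exe"):
            findings.append(("medium", f"{parent} spawned {child} (macro-style execution)"))
    elif kind == "dns_query":
        q = ev.get("query", "").lower().rstrip(".")
        if q in C2_DOMAINS or any(q.endswith("." + d) for d in C2_DOMAINS):
            findings.append(("high", f"DNS query for known MarsSnake C&C {q}"))
    return findings


def scan(ndjson_text: str) -> list:
    """Run check_event over newline-delimited JSON; return (host, severity, reason) rows."""
    rows = []
    for line in ndjson_text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        for severity, reason in check_event(ev):
            rows.append((ev.get("host", "?"), severity, reason))
    return rows


# Constructed sample telemetry: one infected workstation, one clean one.
# Paths and hostnames are invented; the article does not give them.
SAMPLE_EVENTS = "\n".join([
    json.dumps({"type": "process_create", "host": "WS01",
                "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                "image": r"C:\Users\Public\smssdrvhost.exe"}),
    json.dumps({"type": "dns_query", "host": "WS01", "query": "contact.decenttoy.top"}),
    json.dumps({"type": "process_create", "host": "WS02",
                "parent_image": r"C:\Windows\explorer.exe",
                "image": r"C:\Program Files\Mozilla Firefox\firefox.exe"}),
    json.dumps({"type": "dns_query", "host": "WS02", "query": "www.example.com"}),
])

if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_EVENTS):
        print(f"[{severity}] {host}: {reason}")
```

The file-name and domain matches are brittle by design, since an operator can rename a loader or rotate infrastructure; the Office-spawns-executable rule is the durable part and is the one worth keeping after this campaign's indicators age out.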
The decoy content in the malicious Word file was traced back to a publicly available PDF on the Academia platform, showing that the attackers built believable lures by repurposing legitimate documents rather than writing their own.
Toolset and Affiliations of UnsolicitedBooker
UnsolicitedBooker employs a set of backdoors commonly attributed to China-aligned threat actors, including Chinoxy, DeedRAT, Poison Ivy, and BeRAT. The group's tooling and targeting overlap with other espionage clusters, notably Space Pirates and an unnamed group that deployed the Zardoor backdoor against another non-profit entity in Saudi Arabia.
The repeated targeting of the same Saudi organization across three consecutive years underscores a sustained intelligence-gathering objective. ESET’s analysis suggests that MarsSnake is currently exclusive to UnsolicitedBooker, reinforcing the group’s distinct operational signature.
PerplexedGoblin and the NanoSlate Campaign
Another threat actor, PerplexedGoblin (also known as APT31), was observed targeting a Central European government in December 2024. This attack involved the use of a specialized espionage backdoor named NanoSlate, further highlighting the geographic and strategic diversity of Chinese-linked cyber campaigns.
While not directly affiliated with UnsolicitedBooker, PerplexedGoblin’s activities represent a parallel effort in China's broader cyber-espionage apparatus aimed at infiltrating key government infrastructures around the world.
DigitalRecyclers and the KMA VPN Relay Network
DigitalRecyclers, a group believed to be active since at least 2018, continues to engage in attacks against European Union governmental institutions. First detected by ESET in 2021, the group operates within the APT15 family and is believed to be linked to well-known actors such as Ke3chang and BackdoorDiplomacy.
DigitalRecyclers routes its traffic through the KMA VPN operational relay box (ORB) network to hide its origin and deploys backdoors including RClient, GiftBox, and the newly discovered HydroRShell. The latter, first seen in September 2023, serializes its C&C messages with Google's Protocol Buffers (Protobuf) and encrypts the channel with Mbed TLS. Protobuf is a standard choice for structured data in ordinary software, but it is rarely seen in malware C&C protocols.
These tools allow attackers to execute arbitrary commands, exfiltrate data, and download additional malware, maintaining full control over compromised systems.
Command and Control Architecture and Technical Insights
Both MarsSnake and HydroRShell are full-featured backdoors capable of executing arbitrary commands and manipulating files on the target machine. According to Matthieu Faou, Senior Malware Researcher at ESET, these tools maintain persistent access through encrypted channels, with MarsSnake tied exclusively to UnsolicitedBooker and HydroRShell to DigitalRecyclers.
A notable technical aspect of HydroRShell is its use of Protobuf for C&C communication. Protobuf, normally used in software development to serialize structured data, gives the operators a compact and forward-compatible message format. For analysts it cuts both ways: the wire format carries only field numbers and wire types, never field names, so once the TLS layer is stripped the messages can be parsed without the schema, but their meaning has to be recovered from the malware's code or inferred from observed values.
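The schema-less parsing described above, and the Protobuf-over-Mbed-TLS design mentioned in the DigitalRecyclers section, can be illustrated with a small decoder written for this article (not ESET's code and not taken from HydroRShell). It implements the Protobuf wire format from the public encoding specification, builds a hypothetical task message whose layout is invented here because HydroRShell's real schema is not on the page, and then decodes it without that schema the way protoc --decode_raw would, yielding field numbers, wire types and values only.

```python
"""Schema-less decoding of the Protocol Buffers wire format, the kind of
inspection an analyst does on HydroRShell-style structured C&C traffic once
the TLS layer is removed (memory dump, instrumented sandbox).  Added example;
not ESET's or the malware's code.  The TASK message layout is hypothetical."""
from typing import List, Tuple

# Wire types from the protobuf encoding specification (3 and 4 are the
# deprecated group markers and are rejected below).
VARINT, FIXED64, LENGTH_DELIMITED, FIXED32 = 0, 1, 2, 5


def encode_varint(n: int) -> bytes:
    """Base-128 little-endian varint, unsigned."""
    out = bytearray()
    while True:
        byte = n & 0x7F
        n >>= 7
        if n:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def decode_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, new_pos); ValueError on truncation or more than 10 bytes."""
    result = shift = 0
    for _ in range(10):
        if pos >= len(buf):
            raise ValueError("truncated varint")
        b = buf[pos]
        pos += 1
        result |= (b & 0x7F) << shift
        if not b & 0x80:
            return result, pos
        shift += 7
    raise ValueError("varint too long")


def field(num: int, wire_type: int, payload: bytes) -> bytes:
    """Tag (field number << 3 | wire type) followed by the payload."""
    return encode_varint((num << 3) | wire_type) + payload


def ld(num: int, data: bytes) -> bytes:
    """Length-delimited field: strings, raw bytes, nested messages."""
    return field(num, LENGTH_DELIMITED, encode_varint(len(data)) + data)


def decode_raw(buf: bytes) -> List[Tuple[int, int, object]]:
    """Parse without a schema into (field_number, wire_type, value) tuples.
    Length-delimited payloads are recursively decoded when they parse cleanly
    as a message and returned as bytes otherwise.  Like protoc --decode_raw,
    this is a heuristic: a string can occasionally look like a valid message."""
    pos, fields = 0, []
    while pos < len(buf):
        tag, pos = decode_varint(buf, pos)
        num, wt = tag >> 3, tag & 7
        if num == 0:
            raise ValueError("field number 0 is illegal")
        if wt == VARINT:
            val, pos = decode_varint(buf, pos)
        elif wt in (FIXED64, FIXED32):
            size = 8 if wt == FIXED64 else 4
            if pos + size > len(buf):
                raise ValueError("truncated fixed-width field")
            val = int.from_bytes(buf[pos:pos + size], "little")
            pos += size
        elif wt == LENGTH_DELIMITED:
            length, pos = decode_varint(buf, pos)
            if pos + length > len(buf):
                raise ValueError("length-delimited field runs past buffer")
            chunk = buf[pos:pos + length]
            pos += length
            try:
                val = decode_raw(chunk) if chunk else b""
            except ValueError:
                val = chunk
        else:
            raise ValueError(f"unsupported wire type {wt}")
        fields.append((num, wt, val))
    return fields


def decodes_cleanly(buf: bytes) -> bool:
    """True if buf parses as one complete, well-formed protobuf message."""
    try:
        decode_raw(buf)
        return True
    except ValueError:
        return False


# Hypothetical task message (invented layout, not HydroRShell's real schema):
#   1: task_id (varint)   2: command (string)   3: target (nested message)
TASK = (field(1, VARINT, encode_varint(7))
        + ld(2, b"whoami")
        + ld(3, field(1, VARINT, encode_varint(1)) + ld(2, b"host-01")))

if __name__ == "__main__":
    print(TASK.hex())
    for num, wt, val in decode_raw(TASK):
        print(f"field {num} (wire type {wt}): {val!r}")
```

The output is exactly what the wire carries: the decoder can tell that field 3 is a nested message holding a varint and a string, but nothing says "target" or "hostname". Pairing those numbers with names means locating the generated Protobuf classes or the hand-rolled serializer in the malware binary, which is where the analysis effort goes.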
Conclusion
The findings from ESET’s latest research underscore the persistent and evolving nature of China-aligned cyber espionage. Threat actors such as UnsolicitedBooker, PerplexedGoblin, and DigitalRecyclers continue to adapt and refine their tactics to infiltrate governmental and institutional networks across multiple regions. Their use of deceptive spear-phishing campaigns, custom-developed backdoors, and stealthy communication protocols represents a significant threat to global cybersecurity.
As the geopolitical landscape becomes increasingly intertwined with cyberspace, continuous monitoring, proactive defense measures, and international cooperation will be critical in mitigating the impact of these sophisticated campaigns. The cybersecurity community must remain vigilant and responsive to these evolving threats to safeguard sensitive information and maintain digital sovereignty.