
This activity threatens critical communications infrastructure in a geopolitically sensitive region, potentially exposing confidential data and disrupting services. It also signals Chinese‑state‑aligned cyber capabilities expanding beyond the Middle East.
UnsolicitedBooker, first identified in early 2023, has built a reputation for targeting high‑value sectors with bespoke malware. Initially focused on Saudi Arabian organizations, the group’s recent pivot to Kyrgyzstan and Tajikistan marks a strategic expansion into Central Asia, a region where telecom operators often serve as gateways to government and financial networks. This geographic shift underscores a broader trend of threat actors seeking less‑defended markets to establish footholds, leveraging existing regional partnerships and supply‑chain vulnerabilities.
The technical sophistication of the campaign is evident in the dual‑backdoor architecture. LuciDoor and MarsSnake are introduced via malicious Microsoft Office documents that trigger macro execution, loading lightweight droppers such as LuciLoad. Once installed, the backdoors provide full system visibility, command execution, and data exfiltration capabilities. Notably, the actors have co‑opted compromised routers as command‑and‑control relays, a tactic that blends traditional malware with network‑level persistence, complicating detection and remediation. Overlaps with the Space Pirates cluster suggest shared tooling or possible collaboration, highlighting the fluid nature of state‑aligned cyber ecosystems.
For telecom operators, the implications are immediate and severe. Disruption of core network services can cascade into broader economic and security repercussions, especially in regions where alternative communication channels are limited. Companies should prioritize email hygiene, enforce macro restrictions, and deploy advanced endpoint detection that can identify anomalous loader behavior. Network segmentation and continuous monitoring of router firmware integrity are also critical to prevent C2 abuse. As geopolitical tensions drive cyber aggression, understanding the evolving tactics of groups like UnsolicitedBooker is essential for safeguarding the digital backbone of emerging markets.