In a newly uncovered cyber-espionage campaign attributed to a Chinese state-aligned threat group, researchers have identified a custom malware dubbed MarsSnake that was used to infiltrate a Saudi Arabian organization over a span of multiple years. The campaign, reportedly ongoing since March 2023, highlights the sophistication and persistence of China-linked APT (Advanced Persistent Threat) actors in targeting strategic international institutions.
The Threat Actor: “UnsolicitedBooker”
The attack was carried out by an elusive cyber espionage group tracked by researchers at cybersecurity firm Check Point under the name UnsolicitedBooker. The group appears to be aligned with Chinese interests and demonstrates TTPs (tactics, techniques, and procedures) consistent with other well-documented Chinese APT clusters such as Space Pirates and threat actors previously observed deploying the Zardoor backdoor.
This campaign’s targets include a Saudi-based international organization with sensitive geopolitical relevance. Although the exact nature of the organization has not been disclosed, its persistent targeting indicates a high level of strategic value.
Phishing as the Initial Attack Vector
The initial attack chain was rooted in spear-phishing, a favored technique among espionage actors. Emails purporting to be from Saudia Airlines carried malicious Microsoft Word documents containing embedded VBA macros. These lures were cleverly disguised as flight booking confirmations, enhancing their legitimacy and increasing the likelihood of user interaction.
Upon opening the malicious attachment, the embedded macro executed a file named smssdrvhost.exe, acting as a loader that deployed the MarsSnake backdoor onto the victim’s system. Once executed, MarsSnake established communication with a Command-and-Control (C2) server hosted at contact.decenttoy[.]top.
The Malware: MarsSnake
MarsSnake is a previously undocumented malware strain tailored for covert surveillance and persistence within targeted networks. Its capabilities include:
- Collecting system information
- Downloading and executing additional payloads
- Command execution
- Maintaining long-term stealth access
MarsSnake’s design appears to focus on operational longevity and minimal detection, indicating the attackers’ intent to maintain long-term access to sensitive internal communications and resources.
Multi-Year Persistence
Evidence points to repeated intrusion attempts in 2023, 2024, and continuing into 2025, signaling a sustained espionage operation. The attackers demonstrated adaptability, modifying lures and infrastructure as needed over time. This level of persistence is typical of state-sponsored cyber actors, particularly those focused on strategic intelligence gathering rather than financial gain.
Furthermore, the infrastructure, malware characteristics, and phishing themes bear strong resemblance to previously documented Chinese campaigns in the Middle East, especially those targeting Islamic NGOs and diplomatic organizations.
Attribution and Overlaps with Known APTs
While attribution in cybersecurity is inherently complex, Check Point’s analysis places UnsolicitedBooker squarely within the Chinese cyber-espionage ecosystem. Its behavior overlaps with activity from Space Pirates, a threat group previously implicated in Middle Eastern campaigns, as well as other unnamed Chinese-affiliated clusters operating in the region.
These overlaps include:
- The use of custom backdoors
- Thematically localized phishing lures
- Reuse of infrastructure patterns
- Connections to previously burned domains
Such patterns further bolster the assessment that MarsSnake is part of a coordinated Chinese intelligence effort.
Regional and Global Implications
This campaign underscores a continued and growing cyber risk to Middle Eastern organizations, especially those with political, economic, or religious influence. The involvement of a previously undocumented malware family suggests that Chinese cyber operations are becoming increasingly specialized, with targeted malware being developed for specific regions or organizations.
From a broader perspective, this incident serves as a reminder for all global enterprises—especially those operating in geopolitically sensitive regions—to enhance their email security, endpoint monitoring, and user awareness training.
Recommendations
Security experts advise organizations to:
- Disable macro execution by default in Office applications
- Monitor unusual outbound traffic patterns
- Implement robust phishing simulation and awareness training
- Employ behavior-based threat detection tools
- Regularly update security patches and endpoint protection
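As an added defensive example (not code from the article or from Check Point), the detection logic these recommendations imply, run over constructed log lines in a made-up key=value format: it flags an Office process spawning an executable (the way the macro launched the loader), the loader name smssdrvhost.exe, and a DNS query for the C2 host named in the attack-chain section. The log format, the rule names and the non-indicator paths are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Indicators taken from the article (C2 host with defanging brackets removed).
LOADER_NAME = "smssdrvhost.exe"
C2_HOST = "contact.decenttoy.top"
# Office parents whose child processes merit a behavioural alert (assumption).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}

# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = [
    "type=process parent=C:\\Program Files\\Microsoft Office\\WINWORD.EXE image=C:\\Users\\u\\AppData\\Local\\Temp\\smssdrvhost.exe",
    "type=process parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\notepad.exe",
    "type=dns image=C:\\Users\\u\\AppData\\Local\\Temp\\smssdrvhost.exe query=contact.decenttoy.top",
    "type=dns image=C:\\Program Files\\Mozilla Firefox\\firefox.exe query=example.org",
    "type=process parent=C:\\Program Files\\Microsoft Office\\EXCEL.EXE image=C:\\Windows\\System32\\cmd.exe",
]


def parse(line: str) -> Dict[str, str]:
    """Split 'key=value key=value'; a value runs up to the next ' key='."""
    return {m.group(1): m.group(2).strip()
            for m in re.finditer(r"(\w+)=(.*?)(?= \w+=|$)", line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one parsed event."""
    hits: List[str] = []
    image = basename(event.get("image", ""))
    if event.get("type") == "process":
        if basename(event.get("parent", "")) in OFFICE_PARENTS:
            # Behavioural rule: an Office app spawning a new process is how
            # the macro in the lure document started the loader.
            hits.append("office-spawned-process")
        if image == LOADER_NAME:
            hits.append("known-loader-name")
    elif event.get("type") == "dns" and event.get("query", "").lower() == C2_HOST:
        hits.append("known-c2-domain")
    return hits


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line index, rule names) for each line that triggered at least one rule."""
    return [(i, h) for i, line in enumerate(lines) if (h := classify(parse(line)))]
```

Exact-match indicators expire as soon as the actors rotate infrastructure, so the behavioural rule (Office spawning an executable) is the one worth keeping in production.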
As nation-state adversaries refine their tradecraft, proactive defense strategies become essential in protecting critical infrastructure and sensitive information from persistent threats like MarsSnake.