A cybersecurity threat group known as UnsolicitedBooker has shifted its focus to telecommunications providers in Central Asia, deploying previously unseen malware tools in a new campaign. According to a report published last week by the security firm Positive Technologies, the group has been observed targeting companies in Kyrgyzstan and Tajikistan. This activity marks a significant geographic pivot from the group’s prior operations, which were concentrated on entities in Saudi Arabia.
The attacks involve the deployment of two distinct backdoors, codenamed LuciDoor and MarsSnake. These tools provide attackers with remote access to compromised systems, allowing for data theft, surveillance, and further network penetration. The report details that the group used several methods to gain initial access and maintain persistence on the targeted networks.
Technical Details of the Attack
Positive Technologies’ analysis indicates that UnsolicitedBooker employs a multi-stage infection chain. The initial compromise vector was not explicitly detailed in the public summary, but such campaigns often begin with spear-phishing emails containing malicious attachments or links. Once inside a network, the attackers deploy their custom backdoors.
LuciDoor is described as a sophisticated backdoor capable of executing commands, uploading and downloading files, and performing system reconnaissance. MarsSnake serves a similar purpose but is believed to have different operational characteristics, suggesting the group maintains multiple tools for redundancy or for specific tasks. Deploying two previously unseen backdoors in a single campaign is notable and indicates a well-resourced operation.
Shift in Regional Focus
The targeting of telecommunications firms in Kyrgyzstan and Tajikistan represents a clear expansion of UnsolicitedBooker’s interests. Telecommunications companies are high-value targets for state-sponsored or financially motivated hackers due to the vast amounts of sensitive customer data they hold and their critical role in national infrastructure.
Compromising such networks can facilitate espionage, large-scale data harvesting, or even disruption of communications. The shift from the Middle East to Central Asia may reflect changing geopolitical interests, the exploration of less-defended targets, or the pursuit of specific intelligence gathered from these regions.
Industry and Security Response
The disclosure by Positive Technologies serves as a warning to the global telecommunications sector and other critical infrastructure operators. Security researchers emphasize the importance of robust email filtering, endpoint detection and response systems, and regular security audits to defend against such advanced persistent threats.
While the specific motivations behind UnsolicitedBooker’s campaign remain unconfirmed, the techniques and tools used align with those commonly associated with sophisticated cyber-espionage groups. The identity and national affiliation of the hackers were not addressed in the public report.
Based on the available information, cybersecurity professionals anticipate that UnsolicitedBooker will continue to refine its tools and tactics. The group may expand its targeting to other sectors within Central Asia or to neighboring regions. The cybersecurity community is expected to release further technical indicators of compromise to help network defenders identify and block these threats. Law enforcement and intelligence agencies in the affected countries are likely investigating the incidents to attribute responsibility and understand the full scope of the intrusions.
Source: Positive Technologies