Cybersecurity researchers at ESET have detailed the tactics of a China-aligned threat group dubbed UnsolicitedBooker, which targeted an international organization in Saudi Arabia using a previously undocumented backdoor called MarsSnake.
First detected in March 2023 and resurfacing a year later, the campaign involved spear-phishing emails masquerading as flight ticket bookings, a tactic aimed at luring victims into opening malicious attachments or links. In the most recent incident from January 2025, the attackers impersonated Saudia Airlines, sending phishing messages to the same Saudi-based target.
According to ESET's APT Activity Report, UnsolicitedBooker’s operations have been focused on governmental organizations across Asia, Africa, and the Middle East. The group’s toolset includes known Chinese cyber-espionage malware such as Chinoxy, DeedRAT, Poison Ivy, and BeRAT.
MarsSnake, the newest backdoor in the group's arsenal, has not been seen in prior operations. ESET believes the actor shares operational similarities with the Space Pirates cluster and another unnamed group that previously deployed the Zardoor backdoor against Islamic non-profits in Saudi Arabia.
Beyond UnsolicitedBooker, ESET reported continued activity by other China-aligned actors, with Mustang Panda the most active, using Korplug and USB-based attacks. DigitalRecyclers, PerplexedGoblin, and Webworm focused on EU governments, using tools like RClient, NanoSlate, and SoftEther VPN. Other groups like ShadowPad and Worok deployed shared toolsets, which sometimes blurs attribution.
ESET’s latest threat intelligence also highlights ongoing cyber-espionage and financially motivated campaigns by various nation-state actors throughout early 2025:
Iran-aligned actors remained aggressive, with MuddyWater and Lyceum launching spear-phishing attacks against Israeli and Central Asian entities. CyberToufan conducted destructive wiper attacks against Israeli organizations, indicating a shift toward sabotage.
North Korea-aligned groups emphasized financial gain. DeceptiveDevelopment used fake job postings and GitHub exploits to spread malware like WeaselStore. The TraderTraitor group was linked to a $1.5 billion crypto theft via a Safe{Wallet} compromise. Kimsuky, Konni, and Andariel renewed activity, shifting focus to South Korean targets.
Russia-aligned threat actors focused on Ukraine and the EU. Sednit expanded its webmail exploitation campaign (Operation RoundPress) and used zero-day vulnerabilities. Gamaredon enhanced malware stealth and introduced PteroBox. Sandworm escalated attacks on Ukraine's energy sector with a new wiper, ZEROLOT.
Other notable groups included APT-C-60 (targeting individuals in Japan), StealthFalcon (espionage in Türkiye and Pakistan), and an unidentified actor impersonating the World Economic Forum to phish Ukrainian officials.