Chinese Hackers Deploy MarsSnake Backdoor in Saudi Arabia Cyberespionage Campaign
A China-aligned threat actor that ESET tracks as UnsolicitedBooker has been implicated in a multi-year cyberespionage campaign against a Saudi Arabian organization and several other entities across Asia, Africa, and the Middle East. The campaign, disclosed by cybersecurity firm ESET in 2025, involved the deployment of a custom backdoor known as MarsSnake. The backdoor was delivered via phishing emails that masqueraded as legitimate communications from Saudia Airlines.
Phishing Campaign and Attack Vector
The operation began with a wave of phishing emails designed to mimic Saudia Airlines flight bookings. The emails carried attachments that, when opened, ran a malicious payload which dropped the MarsSnake backdoor onto the victim system. The lures were crafted to look credible and regionally relevant, a tactic that raises the odds of a recipient inside a high-value organization opening the attachment, and it means the mail gateway and the attachment itself are the first two points at which the intrusion can be stopped.
Once running, MarsSnake gave the operators remote access to the host: they could execute arbitrary commands, collect files, perform reconnaissance, and maintain long-term persistence. Its low-noise behaviour and modular design made it hard to spot, which allowed extended intelligence gathering without triggering an immediate defensive response.
Target Scope and Strategic Goals
While the campaign initially came to light due to the compromise of a Saudi Arabian entity, ESET’s telemetry indicates that the same group was active across a broader geographical footprint. Their targets included governmental and diplomatic organizations in regions of strategic importance to China’s Belt and Road Initiative (BRI), such as Southeast Asia, Sub-Saharan Africa, and the Gulf region.
The pattern of targeting reveals a strategic focus on acquiring sensitive geopolitical, economic, and energy-related intelligence. These espionage efforts align with known objectives of Chinese state-backed cyber units, which often seek to bolster China’s diplomatic and trade positioning through clandestine cyber operations.
MarsSnake Malware Capabilities
MarsSnake is a backdoor whose reported functionality is oriented toward espionage:
- Command-and-Control (C2): Communication with the operators runs over HTTPS, with direct-to-IP connections as a fallback channel for redundancy.
- File Exfiltration: Ability to scan, archive, and exfiltrate files of interest to remote servers.
- Keylogging and Credential Dumping: Built-in modules capture keystrokes and extract browser-stored credentials and session tokens.
- Persistence Mechanisms: Registry modifications and scheduled tasks ensure the malware survives system reboots.
- Modular Design: MarsSnake’s plugin-like architecture allows the attackers to expand functionality dynamically as needed.
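The persistence entries listed above are where a defender looks first after an attachment has detonated on a host. The following Python script is an added example, not code from the article or from ESET, that triages a `reg export` of the current user's Run key and `schtasks /query /xml` output for traits that malware persistence tends to show: executables in user-writable directories, proxy-execution hosts such as rundll32 loading a non-DLL file, and system binary names outside System32. The registry text, task XML, user name and paths are constructed for the example, and the heuristics are the editor's assumptions rather than ESET's detection logic.

```python
"""Triage Windows autostart entries (Run key + scheduled tasks) for persistence traits.

Added example, not from the article or from ESET's report. The registry export,
task XML, user name and heuristics below are constructed/assumed for illustration;
on a real host the inputs come from `reg export` and `schtasks /query /xml`.
"""
import re
import xml.etree.ElementTree as ET

# Constructed `reg export` of the current user's Run key (.reg escaping: \\ and \").
REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"SysHelper"="C:\\Users\\alice\\AppData\\Roaming\\SysHelper\\svchost.exe"
"""

# Constructed `schtasks /query /xml` output: one benign task and one that proxies
# a payload from %TEMP% through rundll32. The namespace is Task Scheduler's own.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
TASKS = [
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\ExampleVendor\\Updater</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\\Program Files\\ExampleVendor\\Updater.exe</Command>
    <Arguments>/check</Arguments>
  </Exec></Actions>
</Task>""",
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\UpdateHelper</URI></RegistrationInfo>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\Users\\alice\\AppData\\Local\\Temp\\up.dat,Start</Arguments>
  </Exec></Actions>
</Task>""",
]

# Heuristics (assumed, not from ESET): where the binary lives and what launches it.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Users\\Public|Downloads)\\", re.I)
LOLBINS = re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript|powershell|certutil)(\.exe)?\b", re.I)
RUN_VALUE = re.compile(r'^"([^"]+)"="(.*)"$')


def score(cmdline):
    """Return the list of reasons a command line looks like malware persistence."""
    reasons = []
    if USER_WRITABLE.search(cmdline):
        reasons.append("executes from user-writable path")
    if LOLBINS.search(cmdline):
        reasons.append("uses script/proxy-execution host")
    if re.search(r"\bsvchost\.exe", cmdline, re.I) and not re.search(
            r"\\Windows\\System32\\svchost\.exe", cmdline, re.I):
        reasons.append("system binary name outside System32")
    return reasons


def run_key_entries(reg_text):
    """Yield (value name, command) from a .reg export, undoing the \\" and \\\\ escaping."""
    for line in reg_text.splitlines():
        m = RUN_VALUE.match(line.strip())
        if m:
            yield m.group(1), m.group(2).replace('\\"', '"').replace("\\\\", "\\")


def task_actions(task_xml):
    """Yield (task URI, command line) for every <Exec> action in a task XML export."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=TASK_NS)
    for ex in root.iterfind(".//t:Exec", TASK_NS):
        cmd = ex.findtext("t:Command", default="", namespaces=TASK_NS)
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS)
        yield uri, f"{cmd} {args}".strip()


def triage(reg_text, task_xmls):
    """Return a finding for every autostart entry that has at least one suspicious trait."""
    findings = []
    for name, cmd in run_key_entries(reg_text):
        why = score(cmd)
        if why:
            findings.append({"source": "HKCU Run", "name": name, "cmd": cmd, "reasons": why})
    for xml_text in task_xmls:
        for uri, cmd in task_actions(xml_text):
            why = score(cmd)
            if why:
                findings.append({"source": "ScheduledTask", "name": uri, "cmd": cmd, "reasons": why})
    return findings


if __name__ == "__main__":
    for finding in triage(REG_EXPORT, TASKS):
        print(finding["source"], finding["name"], "->", "; ".join(finding["reasons"]))
```

The benign OneDrive entry and the vendor updater task produce no reasons; the Run value pointing at an `svchost.exe` under `AppData\Roaming` and the task that feeds a `.dat` file from `%TEMP%` to rundll32 each trip two heuristics. Treat the output as a triage queue to pull hashes and prevalence for, not as a verdict: legitimate software does occasionally autostart from `AppData`.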
Attribution to China and UnsolicitedBooker
Although China has denied involvement in state-sponsored cyber operations, ESET and other threat intelligence groups attribute the campaign to UnsolicitedBooker with moderate to high confidence. The group shares tooling and infrastructure with activity previously associated with China-based cyber units, and its emphasis on stealth, long dwell time, and data exfiltration points to espionage rather than cybercrime or sabotage.
Geopolitical Implications
The timing and target selection of this campaign suggest geopolitical motivations. Saudi Arabia's strategic role in global oil production, its Vision 2030 economic transformation plan, and its partnerships with both Western and Eastern powers make it a high-value intelligence target. China’s interest in cultivating closer economic ties with Middle Eastern countries may also drive cyber-enabled intelligence-gathering to inform policy and negotiations.
The broader campaign’s focus on regions involved in China’s global expansion strategy underscores the increasing role cyber operations play in diplomatic and economic maneuvering. These activities reflect a new era of cyberespionage where traditional boundaries of warfare, diplomacy, and trade are increasingly blurred.
Defense Recommendations
Organizations, particularly those operating in geopolitically sensitive regions or sectors, should adopt the following defensive measures to mitigate similar threats:
- Filter inbound email strictly and detonate attachments in a sandbox; quarantine attachments that spawn child processes, write executables to disk, or open outbound connections when opened.
- Deploy endpoint detection and response (EDR) tooling that alerts on the behaviours this campaign relies on: an Office application spawning a child process, new Run-key or scheduled-task entries, and periodic outbound HTTPS to a domain rarely seen elsewhere in the estate (beaconing).
- Apply the principle of least privilege to limit lateral movement and data access within the network.
- Conduct regular threat-hunting exercises against the MarsSnake IoCs ESET has published, and against the behavioural indicators above, which outlive any single domain or hash.
- Train staff to recognize and report spear-phishing, particularly messages that impersonate regional airlines, travel bookings, or government agencies.
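One way to hunt for the beaconing behaviour named in the recommendations above (the HTTPS C2 channel from the capabilities list), as an added example that is not from the article or from ESET: the Python script below parses proxy-log lines in a constructed format `<ISO timestamp> <source IP> <destination host> <bytes>`, groups them per (source, destination) pair, and flags pairs whose inter-request gaps are nearly constant and whose destination is contacted by only one or two hosts. The log lines, hostnames (`c2-placeholder.invalid` and the others) and thresholds are constructed for the example.

```python
"""Hunt for beacon-like HTTPS traffic in proxy logs.

Added example, not from ESET's report or the article. The log format, hostnames
and thresholds are assumptions chosen to illustrate the technique: C2 implants
tend to poll at a fixed interval (low jitter) and talk to a domain that almost
nobody else in the estate contacts.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "<ISO timestamp> <src_ip> <dest_host> <bytes>".
# 10.0.0.21 -> c2-placeholder.invalid every ~60 s is the planted beacon;
# telemetry.example-corp.local is regular too but shared by three hosts.
SAMPLE_LOG = """\
2025-01-13T08:00:00 10.0.0.21 c2-placeholder.invalid 1344
2025-01-13T08:00:03 10.0.0.21 login.microsoftonline.com 4120
2025-01-13T08:00:00 10.0.0.21 telemetry.example-corp.local 980
2025-01-13T08:00:00 10.0.0.22 telemetry.example-corp.local 980
2025-01-13T08:00:00 10.0.0.23 telemetry.example-corp.local 980
2025-01-13T08:00:40 10.0.0.21 login.microsoftonline.com 4120
2025-01-13T08:01:01 10.0.0.21 c2-placeholder.invalid 1344
2025-01-13T08:02:00 10.0.0.21 c2-placeholder.invalid 1344
2025-01-13T08:02:30 10.0.0.22 updates.example-cdn.net 81000
2025-01-13T08:03:02 10.0.0.21 c2-placeholder.invalid 1344
2025-01-13T08:04:00 10.0.0.21 c2-placeholder.invalid 1344
2025-01-13T08:05:00 10.0.0.21 telemetry.example-corp.local 980
2025-01-13T08:05:00 10.0.0.22 telemetry.example-corp.local 980
2025-01-13T08:05:00 10.0.0.23 telemetry.example-corp.local 980
2025-01-13T08:07:15 10.0.0.21 login.microsoftonline.com 4120
2025-01-13T08:07:16 10.0.0.21 login.microsoftonline.com 4120
2025-01-13T08:10:00 10.0.0.21 telemetry.example-corp.local 980
2025-01-13T08:10:00 10.0.0.22 telemetry.example-corp.local 980
2025-01-13T08:10:00 10.0.0.23 telemetry.example-corp.local 980
2025-01-13T08:15:00 10.0.0.21 telemetry.example-corp.local 980
2025-01-13T08:15:00 10.0.0.22 telemetry.example-corp.local 980
2025-01-13T08:15:00 10.0.0.23 telemetry.example-corp.local 980
2025-01-13T08:20:00 10.0.0.21 login.microsoftonline.com 4120
2025-01-13T08:41:00 10.0.0.22 updates.example-cdn.net 81000
"""


def parse_log(text):
    """Yield (timestamp, src_ip, dest_host) from each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield datetime.fromisoformat(parts[0]), parts[1], parts[2]


def interval_stats(timestamps):
    """Return (mean gap in seconds, coefficient of variation) for sorted timestamps.

    A CV near 0 means the requests are evenly spaced, the signature of a timer-driven
    implant; human-driven or event-driven traffic has a CV well above 0.2.
    """
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return avg, (pstdev(gaps) / avg if avg else float("inf"))


def hunt_beacons(text, min_events=4, max_cv=0.2, max_sources=2):
    """Flag (src, dest) pairs that are both periodic and talk to a rarely used destination."""
    by_pair = defaultdict(list)
    sources_per_dest = defaultdict(set)
    for ts, src, dest in parse_log(text):
        by_pair[(src, dest)].append(ts)
        sources_per_dest[dest].add(src)

    findings = []
    for (src, dest), stamps in by_pair.items():
        if len(stamps) < min_events:          # too few samples to judge periodicity
            continue
        avg, cv = interval_stats(stamps)
        if cv <= max_cv and len(sources_per_dest[dest]) <= max_sources:
            findings.append({"src": src, "dest": dest, "events": len(stamps),
                             "mean_interval_s": round(avg, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: f["cv"])


if __name__ == "__main__":
    for finding in hunt_beacons(SAMPLE_LOG):
        print(finding)
```

With the defaults only the planted `c2-placeholder.invalid` pair is reported (five requests, 60 s mean gap, CV about 0.03). Raising `max_sources` to 3 also surfaces the three `telemetry.example-corp.local` pairs, which are perfectly periodic but benign, which is why the prevalence filter belongs in the query and not in the analyst's head. Real implants add jitter, so tune `max_cv` against a baseline of your own traffic rather than trusting a fixed number.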
The UnsolicitedBooker campaign is another reminder of the persistence and global reach of China-aligned APTs. With tools like MarsSnake, these adversaries run patient, long-term espionage operations against targeted entities across multiple continents. As cyber operations become a routine extension of geopolitical strategy, proactive defense and international collaboration remain essential to safeguarding sensitive infrastructure and data.