In recent months a disturbing shift has been observed on the cyberespionage map: an actor known as UnsolicitedBooker has changed its focus and is now running operations against telecommunications providers in Kyrgyzstan and Tajikistan, after an earlier phase in which its activity concentrated on Saudi entities. The report by the Russian firm Positive Technologies provides a detailed X-ray of these intrusions and describes the use of two backdoors written in C++, named LuciDoor and MarsSnake, together with the loaders that deliver them to compromised systems (Positive Technologies report).
The attack chain the group uses is classic but effective: the attackers send phishing emails carrying a Microsoft Office document as a decoy. On opening it, the victim sees the usual prompt to enable macros (the "Enable Content" button that causes so many problems) and, once enabled, the macro drops a small C++ loader (LuciLoad or MarsSnakeLoader) that in turn installs the corresponding backdoor.

From a technical standpoint, both backdoors perform the functions usual in espionage campaigns: they collect system metadata, establish communication with a command-and-control (C2) server, exfiltrate information in encrypted form and accept remote instructions to run commands and to write or retrieve files. Although their capabilities are similar, analysts highlight tactical changes over time: the actor started with LuciDoor, moved to MarsSnake and, as early as 2026, returned to the first implant, which suggests operational adaptation and testing of effectiveness.
The investigation contains other relevant details. In some incidents MarsSnake was deployed without an intermediate loader: the starting point was a Windows shortcut (*.doc.lnk) that posed as a Word document, ran a batch script that invoked a Visual Basic Script and thereby launched the backdoor. Positive Technologies links that technique to a public pentesting tool called FTPlnk_phishing, based on overlaps in forensic markers such as the LNK creation time and the machine identifier.
The researchers also point to a curious mix in the provenance of the tools: many appear to have roots or inspiration in Chinese developments, which are unusual in the campaigns these victims have faced. In addition, in at least one case the attackers used a compromised router as a C2 server and, according to the report, part of their infrastructure imitated Russian network characteristics, a tactic aimed at misdirecting any investigation into the actual origin of the attack.
This actor does not appear out of nowhere: ESET had already documented UnsolicitedBooker in 2025 when it detected an operation that affected an international organization in Saudi Arabia using MarsSnake. The group's history, with activity attributed since March 2023, shows a broad geographical orientation covering Asia, Africa and the Middle East, and operational traces that overlap with other threat clusters, such as Space Pirates and campaigns attributed to other backdoors such as Zardoor.
The phenomenon is not limited to this actor. In parallel, the security community has documented impersonation and mimicry tactics between groups: a cluster that Russian researchers have named PseudoSticky has emerged, which appears to imitate a pro-Ukrainian collective called Sticky Werewolf and has directed attacks against Russian organizations using Trojans such as RemcosRAT and DarkTrack RAT. F6 analysts believe the resemblance is deliberate and that, despite appearances, there are clear differences in infrastructure and methodology indicating no direct link between the clusters.
Another actor, identified as Cloud Atlas, has used remote templates in Word documents to exploit known vulnerabilities (a modus operandi reminiscent of earlier campaigns) and to distribute malware such as VBShower and VBCloud. The company Solar describes how the malicious documents load remote templates from a C2 and exploit vulnerabilities such as CVE-2018-0802 to start the compromise chain (Solar analysis).
What stands out in this set of incidents is the persistence of the initial vector: the combination of social engineering with office documents keeps working because users keep enabling macros or opening links and files without checking their origin. In addition, the use of C++ loaders and of variants that skip the intermediate stage shows that attackers seek flexibility to evade traditional, signature-based defenses.

For organizations, and in particular for telecommunications providers that handle critical infrastructure and large data volumes, the practical lessons are clear. It is essential to tighten policies for handling incoming documents, to disable macros by default and to train teams on the specific lures used against them (e.g. fake invoices or contracts aimed at billing staff). Network segmentation, anomaly detection on outgoing traffic, and log monitoring on edge devices such as routers help to detect C2 servers running on compromised equipment.
Incident response teams should also keep artifact analysis routines in place: compare metadata (LNK file creation dates, Machine IDs), identify persistent loaders and check whether Office documents use remote templates. Public reports from security companies remain a valuable guide for recognizing emerging indicators of compromise and tactics; beyond the Positive Technologies analysis, it is worth consulting general reference material on threats and mitigation practices in resources such as the ESET research portal (WeLiveSecurity) and historical analyses of LNK-based campaigns as published by Darktrace.
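The two artifact checks recommended above (reading the creation timestamps and the Machine ID out of a .lnk file, and finding remote attached templates in a Word document) can be automated in a few dozen lines. The following script is an added example written for this article; it is not code from Positive Technologies, ESET or any of the reports cited. It walks the Shell Link header and ExtraData section as laid out in the MS-SHLLINK format to reach the TrackerDataBlock, and it reads `word/_rels/settings.xml.rels` inside the .docx ZIP container for an `attachedTemplate` relationship with `TargetMode="External"`. The sample LNK and DOCX it builds are constructed in memory so it runs offline; the machine name `DESKTOP-TEST`, the timestamp and the URL `http://template.invalid/decoy.dotm` are made-up values, not indicators from any report.

```python
import io
import struct
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# --- LNK triage (MS-SHLLINK) ------------------------------------------------
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
LNK_HEADER_SIZE = 0x4C
TRACKER_SIGNATURE = 0xA0000003   # ExtraData TrackerDataBlock, which carries the MachineID
HAS_LINK_TARGET_ID_LIST = 0x01   # LinkFlags bits for the optional structures that sit
HAS_LINK_INFO = 0x02             # between the fixed header and the ExtraData section
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation
IS_UNICODE = 0x80


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_lnk(data):
    """Return the header timestamps and the TrackerDataBlock MachineID of a .lnk file."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    created, accessed, written = struct.unpack_from("<QQQ", data, 28)
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:           # IDListSize (2 bytes) followed by the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    char_size = 2 if flags & IS_UNICODE else 1
    for bit in STRING_DATA_FLAGS:                 # CountCharacters (2 bytes) + characters
        if flags & bit:
            pos += 2 + struct.unpack_from("<H", data, pos)[0] * char_size
    machine_id = None
    while pos + 8 <= len(data):                   # walk ExtraData blocks up to the TerminalBlock
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == TRACKER_SIGNATURE and size >= 0x60:
            raw = data[pos + 16:pos + 32]         # MachineID: 16-byte NUL-padded NetBIOS name
            machine_id = raw.split(b"\x00", 1)[0].decode("ascii", "replace")
        pos += size
    return {
        "created": filetime_to_datetime(created),
        "accessed": filetime_to_datetime(accessed),
        "written": filetime_to_datetime(written),
        "machine_id": machine_id,
    }


SAMPLE_MACHINE_ID = "DESKTOP-TEST"   # constructed value, not an indicator from the report
SAMPLE_CREATED = datetime(2025, 3, 14, 9, 30, tzinfo=timezone.utc)  # constructed timestamp


def build_sample_lnk(machine_id=SAMPLE_MACHINE_ID, created=SAMPLE_CREATED):
    """Constructed minimal .lnk: fixed header + TrackerDataBlock + TerminalBlock, no target list."""
    ft = datetime_to_filetime(created)
    clsid = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"  # Shell Link CLSID
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, clsid, 0, 0,
                         ft, ft, ft, 0, 0, 1, 0, 0, 0, 0)
    tracker = struct.pack("<IIII16s32s32s", 0x60, TRACKER_SIGNATURE, 0x58, 0,
                          machine_id.encode("ascii").ljust(16, b"\x00"),
                          b"\x00" * 32, b"\x00" * 32)
    return header + tracker + struct.pack("<I", 0)


# --- Office remote-template check --------------------------------------------
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def remote_templates(docx_bytes):
    """Return the external attachedTemplate targets a .docx declares (empty list = none)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        if SETTINGS_RELS not in zf.namelist():
            return []
        root = ET.fromstring(zf.read(SETTINGS_RELS))
    return [rel.get("Target") for rel in root.iter(f"{{{REL_NS}}}Relationship")
            if rel.get("Type") == ATTACHED_TEMPLATE and rel.get("TargetMode") == "External"]


def build_sample_docx(template_url=None):
    """Constructed minimal .docx; with template_url it declares a remote attached template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/settings.xml", "<settings/>")
        if template_url:
            zf.writestr(SETTINGS_RELS,
                        f'<Relationships xmlns="{REL_NS}"><Relationship Id="rId1" '
                        f'Type="{ATTACHED_TEMPLATE}" Target="{template_url}" TargetMode="External"/>'
                        '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    print(parse_lnk(build_sample_lnk()))
    print(remote_templates(build_sample_docx("http://template.invalid/decoy.dotm")))
```

On real evidence, feed `parse_lnk` the bytes of the suspicious shortcut and compare the returned `created` timestamp and `machine_id` across samples: shortcuts mass-produced by one tooling setup tend to share the same NetBIOS name and tightly clustered creation times. For documents, any non-empty result from `remote_templates` on an externally received file deserves a look, since a legitimate internal template rarely points at an arbitrary HTTP host.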
In a threat landscape where actors change tactics and copy each other, the combination of sound technical practices, continuous awareness and access to open-source intelligence is the best defense against intrusions that, like those starring UnsolicitedBooker, seek to exploit a human window to deliver sophisticated implants.