When Espionage Moves Next Door: UnsolicitedBooker's Pivot to Central Asian Telecom Networks

ID: 8ee358c9-e0cc-5c1b-a1ff-855ed75ae03a

STIX ID: report--8ee358c9-e0cc-5c1b-a1ff-855ed75ae03a

Feed Name: NoHackie

Threat Score: 85/100

Date Published: 2026-03-01

Date Updated: 2026-04-19

UnsolicitedBooker, a China-aligned APT, conducted targeted spear-phishing campaigns from 2023 to 2026. It initially focused on a Saudi international organization using the MarsSnake backdoor, then pivoted to Kyrgyz and Tajik telecom providers using a new LuciDoor backdoor and loader rotation. The group favors macro-enabled Office documents and encrypted C2 channels, and it compromises legitimate routers (notably with an identifiable PolarSSL/Mbed TLS fingerprint) to mask its infrastructure. These actions underscore the intelligence value of telecom networks and highlight the persistent risk to Central Asian telecommunications.