UnsolicitedBooker Central Asian telecom phishing campaign
Campaign
Summary
The UnsolicitedBooker cluster shifted its phishing operation to telecommunications companies in Kyrgyzstan and Tajikistan, extending a multi-month campaign that matters because it delivers remote-access backdoors and data-exfiltration capability. The group used Microsoft Office documents with malicious macros to drop loaders that install LuciDoor and MarsSnake. By January 2026, the operation was still active and had adapted to send links to decoy documents instead of attachments. The activity shows a sustained Central Asian targeting pattern rather than a one-off intrusion.
Related Happenings
Webworm expanded European government and South Africa university espionage campaign
Campaign
First: 20.05.2026 14:30
Last: 20.05.2026 14:30
Sources 1
About this happening:
Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...
Ghostwriter geofenced PDF spear-phishing campaign targeting Ukrainian government entities
Campaign
First: 14.05.2026 17:00
Last: 14.05.2026 17:00
Sources 1
About this happening:
The **Ghostwriter / FrostyNeighbor** group is running a **geofenced spear-phishing campaign** against **government entities in Ukraine**, and the operation matters because it deli...
HeartlessSoul phishing and malvertising espionage campaign targeting aerospace firms and drone operators
Campaign
First: 11.05.2026 15:00
Last: 11.05.2026 15:00
Sources 1
About this happening:
The **HeartlessSoul** operation is using **phishing** and **malvertising** to target **aerospace firms and drone operators**, raising the risk of **geospatial data theft** from co...
Mongolian governmental institution hit by network compromise
Incident
First: 23.04.2026 12:04
Last: 23.04.2026 12:04
Sources 1
About this happening:
A **Mongolian governmental institution** was found to have **about 12 systems** infected by **GopherWhisper** backdoors, exposing a live government compromise and the potential fo...
Bitter Middle East spear-phishing campaign targeting civil society figures
Campaign
First: 09.04.2026 13:45
Last: 09.04.2026 13:45
Sources 1
About this happening:
A **spear-phishing campaign** targeted **civil society figures in Middle Eastern countries**, including **three journalists in Egypt and Lebanon**, creating account-compromise ris...
Timeline
24.02.2026 11:54 2 articles · 3mo ago
UnsolicitedBooker shifts to Kyrgyz and Tajik telecom targets
Technical Analysis Update
Positive Technologies identified UnsolicitedBooker targeting telecommunications companies in Kyrgyzstan and Tajikistan with phishing emails that delivered Microsoft Office documents in late September 2025. The group then reused the same delivery chain with MarsSnakeLoader in late November 2025 and with link-based decoy documents in January 2026. The campaign used LuciLoad to drop LuciDoor and MarsSnakeLoader to deploy MarsSnake, and represented a shift away from prior Saudi Arabian targets.
- UnsolicitedBooker Targets Central Asian Telecoms With LuciDoor and MarsSnake Backdoors — thehackernews.com — 24.02.2026 11:54