In contrast to previous attacks directed at Saudi Arabian entities, the threat activity cluster known as UnsolicitedBooker has been observed targeting telecom companies in Kyrgyzstan and Tajikistan. According to a report released by Positive Technologies last week, the attacks entail the deployment of two separate backdoors codenamed LuciDoor and MarsSnake.

"The group used several unique and rare instruments of Chinese origin," stated Maxim Shamanov and Alexander Badaev, researchers. ESET first reported UnsolicitedBooker in May 2025, linking the China-affiliated threat actor to a cyberattack using a backdoor called MarsSnake that targeted an unidentified international organization in Saudi Arabia.

The group has a history of attacking organizations in Asia, Africa, and the Middle East and is thought to have been active since at least March 2023.

But in 2026, the group changed course and started using LuciDoor again. "In addition, we saw that the attackers used a compromised router as a C2 server in at least one instance, and in certain attacks, their infrastructure resembled that of Russia."

### PseudoSticky and Cloud Atlas Target Russia

The disclosure comes as a previously unknown threat actor is deliberately mimicking the tactics of a pro-Ukrainian hacking group called Sticky Werewolf (aka Angry Likho, MimiStick, and PhaseShifters) to attack Russian organizations in the retail, construction, and research sectors with malware like RemcosRAT and DarkTrack RAT for comprehensive data theft and remote control.

The new group, referred to as PseudoSticky, has been active since November 2025.

Victims are typically infected by phishing emails containing malicious attachments that lead to the deployment of the trojans. There are indications that the threat actor has relied on large language models (LLMs) to develop attack chains that drop DarkTrack RAT via PureCrypter. "A closer analysis reveals differences in the infrastructure, malware implementation, and individual tactical elements, leading us to suspect that there is likely no direct connection between the groups, but rather deliberate mimicry," Russian security vendor F6 said.