MarsSnake Malware Linked to Chinese Cyber Espionage Campaign Targeting Saudi Arabia
- SISA Weekly Threat Watch -

In the past week, critical cybersecurity threats have emerged, with significant vulnerabilities being reported across various platforms. Recent cybersecurity incidents include:
- TransferLoader – a multi-component malware loader used in stealthy intrusion campaigns, targeting enterprise organizations globally through phishing emails to deploy backdoors and ransomware like Morpheus.
- Skitnet (also known as Bossnet) – a post-exploitation tool adopted by ransomware groups such as BlackBasta and Cactus, targeting organizations in Europe and North America via phishing emails, including Microsoft Teams lures.
- Defendnot – a tool that disables Microsoft Defender by spoofing antivirus registration, observed in targeted attacks against enterprise Windows users through injection into trusted system processes and persistence via Task Scheduler.
- PureRAT and PureLogs – part of a multi-stage phishing campaign targeting Russian organizations, delivered through deceptive .RAR attachments or links that enable credential theft and remote access.
- MarsSnake – a custom backdoor deployed by the China-aligned APT group UnsolicitedBooker, targeting a Saudi Arabian organization and other government entities across Asia, Africa, and Europe via spear-phishing emails themed around flight bookings.
These developments underscore the urgent need for organizations to stay vigilant and apply security updates promptly.
SISA Weekly Threat Watch – our weekly feature brings to you a quick snapshot of all the major security vulnerabilities that posed a threat to organizations worldwide. These recurring actionable threat advisories will also provide information and recommendations that will help security teams take appropriate actions to defend against the latest and critical threats.
1. TransferLoader Malware Analysis: Obfuscation, Backdoors, and C2 Evasion via IPFS
TransferLoader is a sophisticated multi-component malware loader active since February 2025, identified by cybersecurity researchers. Designed for stealthy intrusion campaigns, it deploys secondary payloads like Morpheus ransomware using advanced evasion tactics—anti-debugging, string encryption, code obfuscation, and fallback C2 communication via IPFS. Its modular architecture includes a downloader, backdoor loader, and a backdoor with persistence via registry hijacking and COM hijack techniques. Payloads are encrypted using AES-CBC with custom key expansion and Base32 encoding. To detect and mitigate such threats, organizations should deploy robust EDR solutions to catch obfuscated execution chains and suspicious registry activity, monitor for unusual User-Agent strings and IPFS connections, and develop YARA rules for XOR decryption patterns and API resolution via hashing. Threat hunting should focus on memory-resident payloads and PE sections like .dbg. Security teams are advised to simulate IPFS fallback scenarios and COM hijacks to test resilience against ransomware risks introduced by TransferLoader.
2. Skitnet: The Rising Post-Exploitation Malware Empowering Ransomware Gangs
Skitnet (also known as Bossnet) is a stealthy post-exploitation malware adopted by ransomware groups like BlackBasta and Cactus since early 2025. Sold cheaply on underground forums, it offers powerful persistence, DNS-based covert communication, and remote control via PowerShell—all loaded through a Rust and Nim-based chain. It supports commands for persistence (DLL hijack), surveillance (screenshot to Imgur), and stealthy remote access tools like Anydesk and RUT-Serv. Commands are issued via a C2 panel with DNS or HTTP communication. Its modular, low-attribution design makes it ideal for fast, covert intrusions. To defend against Skitnet, organizations should monitor DNS traffic for anomalies, deploy EDR/XDR to detect in-memory PowerShell and DLL hijacks, block suspicious remote tools, and enforce DNS filtering. Awareness training for phishing via platforms like Teams and regular AV audits are also critical to early detection and response.
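The DNS monitoring recommended above can be started with simple per-domain heuristics: a host issuing many queries with long, high-entropy subdomains (encoded data) or mostly TXT/NULL records is the classic shape of DNS-based covert channels such as the one Skitnet uses. Added example, not SISA's or any vendor's code; the log format, hosts, domains and thresholds are constructed assumptions to tune against your own baseline.

```python
import math
import re
from collections import Counter, defaultdict

# Added example (not SISA's code): log format, hosts and domains are constructed;
# thresholds are assumptions to tune against your own DNS baseline.
LOG_RE = re.compile(r"src=(?P<src>\S+) qname=(?P<qname>\S+) qtype=(?P<qtype>\S+)")

SAMPLE_LOG = """\
2025-05-20T10:00:01 src=10.0.0.5 qname=www.example.com qtype=A
2025-05-20T10:00:02 src=10.0.0.7 qname=cdn.example.com qtype=AAAA
2025-05-20T10:00:04 src=10.0.0.9 qname=4a6f686e2d312d6f6b.c2-demo.test qtype=TXT
2025-05-20T10:00:05 src=10.0.0.9 qname=7768c0a8010530333a.c2-demo.test qtype=TXT
2025-05-20T10:00:06 src=10.0.0.9 qname=6d61696e2e65786531.c2-demo.test qtype=TXT
2025-05-20T10:00:07 src=10.0.0.9 qname=e3b0c44298fc1c149a.c2-demo.test qtype=TXT
2025-05-20T10:00:08 src=10.0.0.9 qname=fbf4c8996fb92427ae.c2-demo.test qtype=TXT
"""

def shannon_entropy(s: str) -> float:
    """Bits per character: hex/base32 payload labels score higher than hostnames."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def split_name(qname: str):
    """Approximate the registrable domain as the last two labels (no PSL lookup)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_suspicious_domains(log_text, min_queries=5, min_sub_len=12, min_entropy=3.0, txt_share=0.5):
    """Flag domains queried often with long subdomains that look encoded or ride on TXT/NULL."""
    stats = defaultdict(lambda: {"n": 0, "len": 0, "ent": 0.0, "txt": 0, "srcs": set()})
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        domain, sub = split_name(m["qname"])
        st = stats[domain]
        st["n"] += 1
        st["len"] += len(sub)                              # payload-bearing labels are long
        st["ent"] += shannon_entropy(sub.replace(".", ""))  # and look random
        st["txt"] += m["qtype"].upper() in ("TXT", "NULL")  # record types that carry data
        st["srcs"].add(m["src"])
    hits = []
    for domain, st in stats.items():
        n = st["n"]
        if n < min_queries or st["len"] / n < min_sub_len:
            continue
        if st["ent"] / n >= min_entropy or st["txt"] / n >= txt_share:
            hits.append({"domain": domain, "queries": n, "sources": sorted(st["srcs"])})
    return hits
```

Run it against resolver or Sysmon event 22 logs reformatted to the `src=… qname=… qtype=…` shape; the flagged domains and source hosts are the pivot for the EDR investigation.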
3. Tool Exploits Undocumented API to Disable MS Defender via Fake AV Registration
Defendnot is a recently discovered tool that disables Microsoft Defender by spoofing antivirus registration through an undocumented Windows Security Center (WSC) API. Created by a cybersecurity researcher, it injects a fake antivirus DLL into a trusted process like Taskmgr.exe, tricking Windows into thinking a third-party antivirus is present and Defender is no longer needed, which effectively deactivates it. Built on the earlier no-defender project in a way that sidesteps that project's copyright issues, Defendnot uses Task Scheduler for persistence. Though Microsoft now flags it as malware, it initially evaded detection. To defend against such tactics, organizations should block unauthorized access to the WSC API, enable tamper protection in Defender, monitor for DLL injections and abnormal use of Task Scheduler, and deploy EDR tools that detect suspicious process behaviors and spoofed AV registrations. Regular audits should verify the integrity of Defender and flag unexpected AV registrations or configurations.
4. PureRAT and PureLogs Deployed in Sophisticated Phishing Attacks
A surge in phishing attacks targeting Russian organizations in early 2025 has seen activity quadruple from the previous year. The campaign deploys a multi-stage malware chain involving PureRAT, PureCrypter, and PureLogs to gain full system access, exfiltrate data, and maintain remote control. Delivered via phishing emails with .RAR attachments or links disguised using double extensions, the attack chain includes task.exe for persistence, DLL injection through InstallUtil.exe, and encrypted payloads to bypass detection. PureRAT enables SSL-based C2 communication, keylogging, remote desktop access, and plugin-based features like clipboard hijacking and window monitoring. PureCrypter and PureLogs run in parallel to steal credentials and sensitive data from browsers, messaging apps, VPNs, and wallets. To mitigate risks, organizations should block .rar files with misleading names, detect abnormal InstallUtil and script activity, flag suspicious outbound SSL traffic, and educate users on phishing tactics involving fake document extensions. EDR and network monitoring tools are essential for early detection and response.
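Two of the mitigations above can be expressed as concrete detections: flagging archive attachments whose names carry a deceptive double extension, and flagging InstallUtil.exe when it is driven from user-writable paths or launched by an unexpected parent. Added example, not SISA's code; the event fields, file names and `task.exe` parent are constructed to mirror the chain described above, and the path and parent lists are assumptions to extend for your environment.

```python
import re

# Added example (not SISA's code). Event layout mimics Sysmon process creation;
# values below are constructed, not real indicators.
DOCUMENT_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
ARCHIVE_OR_EXEC_EXTS = {"rar", "zip", "7z", "exe", "scr", "lnk", "js", "vbs"}
USER_WRITABLE = re.compile(r"\\(Users\\[^\\]+\\(AppData|Downloads|Desktop)|Windows\\Temp|ProgramData)\\", re.I)
INSTALLUTIL_PATH = re.compile(r"\\Microsoft\.NET\\Framework(64)?\\v[\d.]+\\InstallUtil\.exe$", re.I)
UNUSUAL_PARENTS = ("task.exe", "winrar.exe", "7zfm.exe", "outlook.exe")

def deceptive_attachment(filename: str) -> bool:
    """True for names like 'invoice.pdf.rar' or 'contract.docx.exe', where the
    inner extension masquerades as a document and the outer one is an archive/executable."""
    parts = filename.lower().split(".")
    if len(parts) < 3:
        return False
    inner, outer = parts[-2], parts[-1]
    return inner in DOCUMENT_EXTS and outer in ARCHIVE_OR_EXEC_EXTS

def suspicious_installutil(event: dict) -> list:
    """Return the reasons an InstallUtil.exe launch looks abnormal (empty list = benign).
    Legitimate use runs from the .NET framework directory against installed assemblies,
    not against files in AppData/Temp and not spawned by archive or mail clients."""
    image = event.get("image", "")
    if not image.lower().endswith("installutil.exe"):
        return []
    reasons = []
    if not INSTALLUTIL_PATH.search(image):
        reasons.append("installutil outside .NET framework directory")
    if USER_WRITABLE.search(event.get("cmdline", "")):
        reasons.append("assembly loaded from user-writable path")
    parent = event.get("parent", "").lower()
    if parent.endswith(UNUSUAL_PARENTS):
        reasons.append("unusual parent process: " + parent.rsplit("\\", 1)[-1])
    return reasons

SAMPLE_EVENTS = [  # constructed: one malicious-looking launch, one benign installer
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe C:\Users\alice\AppData\Roaming\task.exe",
     "parent": r"C:\Users\alice\AppData\Roaming\task.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe",
     "cmdline": r"InstallUtil.exe C:\Program Files\Vendor\Service.exe",
     "parent": r"C:\Program Files\Vendor\setup.exe"},
]
```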
5. Malware Linked to Chinese Cyber Espionage Campaign Targeting Saudi Arabia
Between 2023 and early 2025, cybersecurity researchers tracked a series of spear-phishing campaigns by a China-aligned APT group named UnsolicitedBooker. Targeting a Saudi Arabian organization and others in Asia, Africa, and Europe, the group used flight-themed emails to deliver malicious Word documents embedded with VBA macros. These macros deployed a custom backdoor named MarsSnake, which enables remote command execution and file access, communicating via a dedicated C2 domain. Related activity includes APT31's NanoSlate backdoor and APT15-linked DigitalRecyclers' HydroRShell, used in espionage campaigns across Europe. To defend against such threats, organizations should block Office macros from external sources, train staff on phishing tactics, and monitor for binaries like smssdrvhost.exe. EDR/XDR tools should be deployed to detect macro behavior and custom malware loaders. Regularly update threat intel feeds with relevant IOCs and analyze the encrypted C2 traffic (Protobuf over TLS) for anomalies. Proactive log reviews and artifact tracing from macro executions are also recommended.
To get daily updates on the critical vulnerabilities being exploited by threat actors, subscribe to SISA Daily Threat Watch – our daily actionable threat advisories.
For a deeper understanding of how you can prevent these threats from affecting your organization, request a call to get in touch with our experts.