APT campaign hits telecom operators in Kyrgyzstan and Tajikistan with LuciDoor and MarsSnake

CyberSecureFox 🦊

Telecommunication operators in Kyrgyzstan and Tajikistan have become targets of a prolonged, multi‑stage advanced persistent threat (APT) campaign uncovered by Positive Technologies. The attackers used rare Chinese-origin tools and two separate backdoors, LuciDoor and MarsSnake, disguising them as legitimate Microsoft components to establish long‑term, covert access to critical telecom infrastructure.

Why telecom operators are high‑value targets for APT groups

Telecom companies consistently rank among the most attractive targets for state-aligned and financially motivated threat actors. Successful compromise gives attackers access to subscriber databases, call metadata, SMS records, and traffic routing infrastructure, enabling large-scale surveillance and follow‑on attacks against government and corporate customers.

According to open industry reporting from organizations such as ENISA and Mandiant, telecom operators are disproportionately represented in global APT activity. Persistent access to core networks allows adversaries to monitor targets over months or years, move laterally into adjacent sectors, and, in extreme cases, intercept or manipulate communications.

First wave of attacks: phishing on Kyrgyz telecoms and LuciDoor deployment

The first observed wave, in late September 2025, was directed at telecom operators in Kyrgyzstan. The attackers relied on phishing emails sent from Hotmail and Outlook accounts, posing as potential customers requesting information about mobile tariffs. Each message contained a document lure that displayed an image urging the recipient to “enable content,” thereby triggering a malicious macro.

The targeting was only loosely tailored: a document prepared for one company was sometimes sent to a different operator. However, the telecom-related theme aligned with normal business correspondence, increasing the likelihood that staff would trust and open the attachments.

Perfrom.exe loader and LuciDoor: impersonating Microsoft OneDrive

When the macro was activated, it downloaded a loader named Perfrom.exe, carrying an icon mimicking Microsoft OneDrive. This loader decrypted its configuration using the RC4 algorithm, created a hidden window titled OneDriveLauncher, and then reflectively loaded the main payload — the LuciDoor backdoor — directly into memory. Reflective loading avoids writing the malware as a standalone file to disk, complicating detection by traditional antivirus solutions.

Once running, LuciDoor attempted to contact its command‑and‑control (C2) servers. If direct outbound connections failed, it tried to route traffic via the system proxy or fallback C2 nodes embedded for use inside the victim’s infrastructure. The backdoor collected basic host information, downloaded additional tools, and supported remote command execution, file operations, and data exfiltration, effectively turning compromised workstations into controllable footholds inside the operator’s network.

Second wave: MarsSnake backdoor and DLL side‑loading via Microsoft binaries

A second wave of attacks in late November 2025 again targeted Kyrgyz telecom operators but introduced a new payload: the MarsSnake backdoor. MarsSnake had been previously mentioned in ESET’s public reporting, but its technical details remained limited until this campaign.

A defining feature of MarsSnake is its configuration architecture. Operators can change C2 parameters and behavior by updating the loader’s settings without recompiling the backdoor binary itself. After persistence is established, MarsSnake enumerates system information, calculates a unique victim identifier, and transmits this data to the C2, enabling attackers to prioritize and manage infected hosts.

For deployment, the threat actors used DLL side‑loading, a technique that abuses the way Windows loads dynamic link libraries. A legitimate, correctly signed executable, Microsoft Plasrv.exe, was used to load a tampered PDH.DLL. Because Windows implicitly trusts the signed binary and searches for required DLLs in specific directories, the malicious DLL could be substituted for the original without raising obvious alarms, helping bypass security controls that focus on detecting known malicious executables.

Language artifacts and links to Chinese-origin tooling

Analysis of the phishing documents revealed interesting language artifacts. While the visible content was written in Russian, internal settings referenced Arabic, English, and Chinese. Some document fields pointed to the use of a Chinese-language Office suite or templates originally created in Chinese.

Positive Technologies also noted the use of uncommon Chinese-origin tools and overlaps in tactics, techniques, and procedures (TTPs) with the East Asian APT cluster often referred to as UnsolicitedBooker. At the same time, the researchers stress that direct attribution based solely on such artifacts is unreliable: different actors can share or deliberately replicate tooling and templates, and false flags remain a known technique in high-end operations.

Third wave: shift to Tajikistan and updated LuciDoor delivery

In January 2026, the campaign’s focus moved primarily to telecom operators in Tajikistan. The delivery method was adjusted: instead of an attached document, phishing emails contained a link to a malicious file that still displayed an image prompting users to enable content, but now in English. This change may indicate a desire to reuse lures across a broader geographic scope or standardize templates for other regions.

The attackers continued to rely on LuciDoor as a core implant, but with an updated configuration, underscoring its role as a key tool for maintaining long‑term access within telecom environments.

Impact on the telecom sector and practical defense strategies

These incidents in Kyrgyzstan and Tajikistan align with the global trend of increasing targeted APT campaigns against telecom operators. Beyond exposure of commercially sensitive data and subscriber information, compromise of telecom infrastructure opens the door to traffic interception, metadata collection, and subsequent attacks on government agencies and enterprises that depend on these networks.

Risk reduction requires a combination of technical controls and organizational measures. Strengthening corporate email security is critical: multi‑layer filtering of attachments and URLs, default blocking of macros from external sources, and regular staff training to recognize phishing attempts significantly reduce initial compromise opportunities.

On endpoints and servers, telecom operators should implement application control policies (such as AppLocker or equivalent solutions) and monitor unusual DLL loading behavior to limit the effectiveness of DLL side‑loading. Continuous monitoring of network traffic and workstation activity, backed by up‑to‑date threat intelligence, helps quickly identify and block C2 infrastructure and indicators of compromise (IOCs) associated with LuciDoor, MarsSnake, and similar toolsets.
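The side-loading pattern described above (a signed Microsoft binary such as Plasrv.exe picking up a tampered PDH.DLL from its own directory) can be caught with a simple rule over image-load telemetry. The following is an added illustration, not code from Positive Technologies or the article; it assumes Sysmon Event ID 7 records reduced to dictionaries with the `Image`, `ImageLoaded`, `Signed` and `Signature` fields, and the sample events and DLL watchlist are constructed.

```python
import ntpath

# Directories where Windows keeps its own copies of system DLLs.
TRUSTED_DLL_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")

# System DLL names that signed Microsoft executables load implicitly. pdh.dll is the
# one abused in this campaign; the other entries are a constructed starting point.
WATCHED_DLL_NAMES = {"pdh.dll", "version.dll", "dbghelp.dll", "wtsapi32.dll"}

# Constructed Sysmon Event ID 7 (ImageLoad) records, not real telemetry.
# In Sysmon, Signed/Signature describe the loaded DLL, not the loading process.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\Plasrv.exe", "ImageLoaded": r"C:\Windows\System32\pdh.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
    {"Image": r"C:\Users\Public\Music\Plasrv.exe", "ImageLoaded": r"C:\Users\Public\Music\PDH.DLL",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Vendor\app.exe", "ImageLoaded": r"C:\Program Files\Vendor\vendor.dll",
     "Signed": "true", "Signature": "Vendor Ltd"},
]


def is_trusted_dir(path: str) -> bool:
    """True when the file lives under one of the Windows system DLL directories."""
    d = ntpath.dirname(path).lower()
    return any(d == t or d.startswith(t + "\\") for t in TRUSTED_DLL_DIRS)


def classify_image_load(event: dict) -> list:
    """Return the reasons an image-load record looks like DLL side-loading (empty = benign)."""
    exe, dll = event["Image"], event["ImageLoaded"]
    if ntpath.basename(dll).lower() not in WATCHED_DLL_NAMES:
        return []
    if is_trusted_dir(dll):
        return []  # the real system DLL resolved from System32/SysWOW64: expected behaviour
    reasons = [f"{ntpath.basename(dll)} loaded from untrusted directory {ntpath.dirname(dll)}"]
    if ntpath.dirname(dll).lower() == ntpath.dirname(exe).lower():
        reasons.append("DLL sits beside the executable (search-order hijack pattern)")
    if event.get("Signed", "false").lower() != "true" or "microsoft" not in event.get("Signature", "").lower():
        reasons.append("loaded DLL is not Microsoft-signed")
    if not is_trusted_dir(exe):
        reasons.append("loader executable runs from a non-system directory")
    return reasons


def scan(events: list) -> list:
    """Return (executable, reasons) for every event that trips the side-loading rule."""
    return [(e["Image"], classify_image_load(e)) for e in events if classify_image_load(e)]


if __name__ == "__main__":
    for image, reasons in scan(SAMPLE_EVENTS):
        print(image, "->", "; ".join(reasons))
```

The rule deliberately keys on the DLL name and its directory rather than on a file hash, so a freshly recompiled PDH.DLL still triggers it; pair it with an application-control policy that restricts where signed Microsoft binaries may execute from.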

Regular security assessments, strict network segmentation, and active information sharing with sector‑specific CERTs and security vendors significantly shorten the dwell time of APT actors inside telecom environments. By investing in these controls now, operators can strengthen their role as a trusted backbone for national digital infrastructure and substantially limit the potential impact of future advanced attacks.
