News

Positive Technologies discovers unique tools of APT group targeting telecom companies in the CIS countries

Attackers used two different backdoors¹ and rare malware

Specialists from the Threat Intelligence department at Positive Technologies Expert Security Center (PT ESC TI) have identified attacks on telecommunications companies in Kyrgyzstan and Tajikistan. The attackers distributed phishing emails containing documents or links that delivered malicious code, and disguised their malware as legitimate Microsoft Windows components.

In September 2025, the attackers sent phishing emails to organizations in Kyrgyzstan. The messages were sent under the guise of potential customers inquiring about mobile service rates. Each email carried an attached document that, when opened, displayed an image with text in Russian. The text claimed that to unlock the file the user had to run a certain script; that script was the malicious payload. The script downloaded the LuciDoor backdoor, which established a connection to the attackers' C2 server. If a direct connection failed, the malware fell back to routing its traffic through the system proxy or through other servers inside the victim's infrastructure. Once connected, LuciDoor collected basic host information, downloaded additional programs, and exfiltrated data.
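The fallback behaviour described above (direct C2 connection fails, then the same destination is reached through a proxy or an internal relay) is something a defender can hunt for in outbound connection logs. The following is an added example written for this article, not Positive Technologies code, not a published PT NAD rule, and not derived from LuciDoor samples: the log format, the hostnames and the IP addresses (RFC 5737 documentation ranges) are all constructed for the demo, and the `result`/`via` fields are assumptions about what a perimeter or proxy export would contain.

```python
"""Hunt for 'direct connection failed, retried via proxy' behaviour.

Added example, not Positive Technologies code and not based on LuciDoor
indicators. The log format and every host/IP below are constructed
(RFC 5737 documentation addresses); a real PT NAD or firewall export
needs its own parser, the correlation logic is what matters.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: WS-17 tries a direct TCP connection to an external
# host, is blocked at the perimeter, then reaches the same destination
# through the corporate proxy seven seconds later. The last two lines are
# a failure and a proxy success too far apart to be the same retry.
SAMPLE_LOG = """\
2025-09-12T10:01:02Z host=WS-17 result=FAIL dst=203.0.113.10:443 via=direct
2025-09-12T10:01:09Z host=WS-17 result=OK dst=203.0.113.10:443 via=proxy:10.0.0.5:3128
2025-09-12T10:05:00Z host=WS-22 result=OK dst=198.51.100.7:443 via=proxy:10.0.0.5:3128
2025-09-12T10:07:30Z host=WS-17 result=FAIL dst=203.0.113.10:443 via=direct
2025-09-12T10:30:00Z host=WS-17 result=OK dst=203.0.113.10:443 via=proxy:10.0.0.5:3128
"""


def parse_line(line):
    """Turn one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts_str, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def find_proxy_fallbacks(log_text, window=timedelta(seconds=60)):
    """Return (host, dst, via, seconds_between) for every failed direct
    connection that is followed within `window` by a successful connection
    from the same host to the same dst through anything other than a
    direct route (proxy or an internal relay)."""
    pending = defaultdict(list)   # (host, dst) -> timestamps of direct failures
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        key = (rec["host"], rec["dst"])
        if rec["via"] == "direct" and rec["result"] == "FAIL":
            pending[key].append(rec["ts"])
        elif rec["via"] != "direct" and rec["result"] == "OK":
            recent = [t for t in pending[key] if rec["ts"] - t <= window]
            if recent:
                delay = (rec["ts"] - max(recent)).total_seconds()
                hits.append((rec["host"], rec["dst"], rec["via"], delay))
            pending[key] = []     # a success (matched or not) closes the retry
    return hits


if __name__ == "__main__":
    for host, dst, via, delay in find_proxy_fallbacks(SAMPLE_LOG):
        print(f"{host} -> {dst}: direct failed, succeeded {via} after {delay:.0f}s")
```

The window is deliberately short: a backdoor retrying through the system proxy does so immediately, whereas a user who opens the same site later in the day will not match. Widen it, or key on process name as well as host, if the log source carries that field.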

In November 2025, attacks on Kyrgyzstan resumed following the same scenario, but this time the group used the MarsSnake backdoor. This malware is notable in that its configuration can be changed without recompiling the executable: updating parameters in the loader is sufficient, which saves the attackers time between campaigns. Once established on the victim's device, the backdoor collects system information, computes a unique identifier for the host, and transmits the data to the C2 server.

¹ A backdoor is malicious software, or an undisclosed feature in legitimate software, designed to gain unauthorized access to a system.

"Interestingly, last year's malicious documents were in Russian, yet the settings referenced Arabic, English, and Chinese. In the files, we also discovered a field indicating Chinese language usage. The attackers likely have Microsoft Office installed with the corresponding language setting, or they used a Chinese document template."

Alexander Badaev, Cyberthreat Intelligence Specialist, Positive Technologies

In January 2026, the hackers shifted their focus to telecommunications organizations in Tajikistan. Instead of attaching documents, the attackers included malicious links in the phishing emails, leading to a file with an updated image (with text in English). In these attacks, the group once again used the LuciDoor backdoor, but with modified configuration.

To protect against such attacks, Positive Technologies recommends that companies improve employee cyber awareness and conduct phishing training to help staff identify malicious emails. Additionally, specialists emphasize the need for robust endpoint protection using antivirus tools such as MaxPatrol EPP and products for detecting and responding to advanced attacks, like MaxPatrol EDR. Network traffic analysis systems, particularly PT NAD, can integrate with sandboxes to extract email attachments and send them for analysis via ICAP. PT Sandbox analyzes attachments and displays its verdict in the PT NAD interface, enabling detection of malicious files before users open them.

PT ESC Malware Detection experts have also released rules for PT NAD and PT NGFW. These rules detect requests indicating LuciDoor and MarsSnake communication with their C2 servers and, in the case of PT NGFW, can block them. MaxPatrol SIEM can record the incident and, when integrated with PT NAD and other products, provides detailed attack data.

During phishing campaigns, attackers often exploit vulnerabilities for privilege escalation. Organizations can strengthen their cyber resilience using MaxPatrol VM, a vulnerability management system. Key threat intelligence can be found on the PT Fusion portal.