A Chinese-linked advanced persistent threat group known as Camaro Dragon launched a targeted cyberespionage campaign against entities in Qatar just one day after the outbreak of new hostilities in the Middle East on March 1, 2026. <\/p>\n
The group used war-themed lure documents designed to look like urgent, real-world communications tied to Operation Epic Fury, tricking recipients into opening malicious files that silently installed the PlugX backdoor<\/a> on their machines.\u200b<\/p>\n The timing of this campaign was striking. Within 24 hours of the regional escalation, the threat actors had already prepared and deployed carefully crafted phishing archives that mimicked legitimate conflict-related content, blending into the flood of communications circulating during major geopolitical events. <\/p>\n This speed shows how rapidly Chinese-nexus APT groups can pivot when a significant development occurs, turning breaking news into a weapon. <\/p>\n Check Point analysts identified two separate infection campaigns<\/a> running in parallel, both directed at Qatar and each using different delivery mechanisms and final payloads, pointing to the involvement of at least two distinct threat actor clusters.\u200b<\/p>\n The broader impact extends beyond a single organization or government office. Qatar sits at a crossroads of regional and global influence, maintaining ties with competing powers in the Middle East and beyond. <\/p>\n A successful compromise could give Chinese intelligence services access to sensitive communications and strategic data of considerable geopolitical value. <\/p>\n These campaigns also mark a clear shift in Chinese-nexus targeting priorities, as the Gulf region had not previously featured this prominently in public reporting on state-sponsored espionage<\/a>.\u200b<\/p>\n The same delivery method was observed in late December 2025 against Turkish military targets, suggesting this cluster maintains a sustained focus on the broader Middle East. <\/p>\n The near-immediate pivot to Qatar following the escalation shows these actors were already primed and positioned, waiting for the right moment to strike.\u200b<\/p>\n The first campaign opened with an archive file disguised as photos documenting missile strikes on American bases in Bahrain. <\/p>\n When a victim opened and ran the archive contents, a Windows shortcut (.LNK) file quietly triggered a long, multi-stage infection chain that first reached out to a compromised remote server to retrieve the next-stage payload, before ultimately abusing DLL hijacking<\/a> of the legitimate Baidu NetDisk application binary to load and silently execute the PlugX backdoor.\u200b<\/p>\n PlugX is a modular backdoor tied to multiple Chinese-nexus threat actors since at least 2008. Its plugin-based design allows attackers to carry out a wide range of post-compromise tasks \u2014 stealing files, capturing screenshots, recording keystrokes, and running remote commands \u2014 without drawing unnecessary security attention. <\/p>\n The PlugX sample from this campaign used the configuration encryption key\u00a0 The second campaign used a password-protected archive named \u201cStrike at Gulf oil and gas facilities.zip,\u201d likely delivered via email. <\/p>\n It relied on low-quality AI-generated lures impersonating the Israeli government and deployed a previously unseen Rust-based loader that abused DLL hijacking through\u00a0 C2 infrastructure ran through Kaopu Cloud and Cloudflare, matching tactics, techniques, and procedures associated with prior Chinese-nexus activity.\u200b<\/p>\n Organizations across the Gulf region should treat all conflict-themed email attachments with extreme caution, especially during periods of active geopolitical tension. <\/p>\n Security teams are strongly advised to monitor for DLL hijacking involving trusted third-party applications, block known malicious indicators including IPs\u00a0 Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post Chinese APT Campaign Targets Qatar With PlugX Lures Tied to Middle East Conflict<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Lure](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEha94ATf9GGHn_SY3k465twIx-E8DrkW9Iutjk2FUF9TaCRZr-7kUz6LCLr_ajkr2vjsHftL2kRa3m5V9zd0ki-bPpjfRbS-T23xD-NgYGAKLK3zQD2nO0Niu2caNM0M8zpa12GH5wwMoaXhIFsW5vqsscfx7V_stmRLOO4dTikZay3ydlfRGkYbzoaONg\/s16000\/Lure%2520titled%2520%27The%2520destruction%2520caused%2520by%2520an%2520Iranian%2520missile%2520strike%2520around%2520the%2520US%2520base%2520in%2520Bahrain%27%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")
DLL Hijacking and Multi-Stage PlugX Deployment<\/strong><\/h2>\n
![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEih1vm7h4_qWZTCHQSM_COMTCTSKMtiCfSrpLb25jfWuZOX-evZ4CIcjT8xPu5j_l93ZPTLpDfpNkIJQIyWzW72azRZO_PEt09sHqc1o0ff4PRchUlJWC8trWpgqQv3imo26ugR-KfH7Uy4-5lNxRH-v-EL0Cs_6fjoT2ZqnEK24CNSdk7pX_aHPKhgB8c\/s16000\/Infection%2520chain%2520used%2520to%2520deploy%2520PlugX%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")
qwedfgx202211<\/code>\u00a0and a date-formatted decryption key (20260301@@@<\/code>), both previously observed in campaigns attributed to Camaro Dragon, also known as Earth Preta and Mustang Panda<\/a>.\u200b<\/p>\nnvdaHelperRemote.dll<\/code>, a component of the open-source screen reader NVDA, to ultimately drop Cobalt Strike<\/a> as its final payload. <\/p>\n![\"Lure](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhb_8CIgpn0OpdR41rrM0UIwQhLRpaiZpf-IVCkNlq8cGD8jd2LQGvkQSVB0pgFJ2n4uWXFznGrmx5ZgEtaWm7P3qhyi9Mul7cGDBqu9ag5s4p6BDD1fhV09o3_sR-eaqdbFGWEyTb5nq8B_op_l29GqXjBTx3dLnoLOLqm4mEN9csvGTGBajhgeSdIKBk\/s16000\/Lure%2520used%2520as%2520part%2520of%2520the%2520Cobalt%2520Strike%2520infection%2520%28Source%2520-%2520Check%2520Point%29.webp?ssl=1\")
185.219.220.73<\/code>\u00a0and\u00a091.193.17.117<\/code>\u00a0and domain\u00a0almersalstore[.]com<\/code>, and keep endpoint detection<\/a> tools updated to recognize PlugX variants and Cobalt Strike beacon activity on their networks.<\/p>\n