Chinese-Linked Hackers Target Qatar Amid Middle East Escalation Using PlugX and Cobalt Strike

Following the recent escalation in the Middle East, Check Point Research detected a noticeable rise in activity from Chinese-linked advanced persistent threat (APT) groups across the region, with Qatar emerging as a primary target.

One of these groups, known as Camaro Dragon, attempted to deploy a modified version of the PlugX malware against Qatari entities within a day of the launch of Operation Epic Fury and the beginning of the broader regional escalation.

The attackers took advantage of the ongoing conflict to craft more convincing and timely phishing lures. By referencing breaking developments from the war, they were able to make their malicious content appear legitimate and relevant, demonstrating how quickly threat actors can adjust their tactics in response to major geopolitical events.

The use of tools such as PlugX and Cobalt Strike also highlights the group’s reliance on widely available and relatively simple frameworks that enable rapid deployment during the early stages of an operation.


Missile Strikes in Bahrain Used as a Lure

On March 1, just one day after tensions escalated in the Middle East, Check Point Research began detecting targeted campaigns aimed at organizations in Qatar. These campaigns incorporated conflict-related themes in their lures, allowing malicious messages to blend seamlessly into the fast-moving information flow surrounding the regional crisis.

In one infection chain observed by researchers, the attackers distributed an archive file disguised as images showing damage from attacks on American bases in Bahrain.

Figure 1 – Lure titled “The destruction caused by an Iranian missile strike around the US base in Bahrain”.

When opened, a LNK file inside the archive triggered a complex and unusually long infection chain. The file contacted a compromised server to download the next stage of the attack. Ultimately, the attackers exploited DLL hijacking involving the legitimate Baidu NetDisk application in order to deploy the PlugX backdoor.

Figure 2 – Infection chain used to deploy PlugX.

PlugX is a modular backdoor that has been linked to multiple China-associated threat groups since at least 2008. Its plugin-based design allows attackers to remotely control infected systems and carry out numerous post-compromise actions, including:

  • Exfiltrating files
  • Capturing screenshots
  • Logging keystrokes
  • Executing commands remotely

The PlugX sample identified in this campaign used the configuration encryption key qwedfgx202211, along with a payload decryption key formatted as a date (20260301@@@ in this case). Both keys have appeared in earlier operations attributed to Camaro Dragon, a China-aligned APT cluster also known publicly as Earth Preta or Mustang Panda.

Notably, this delivery method was not exclusive to the Qatar campaign. Check Point Research previously identified the same technique several months earlier—in late December—during attacks against Turkish military targets. This recurring approach suggests that the group maintains a broader operational focus across the Middle East and has recently shifted attention toward Qatari organizations as regional tensions created new intelligence-gathering opportunities.


Strike on Gulf Oil and Gas Facilities Used as a Lure

In a separate campaign, researchers identified another operation likely targeting Qatar. This attack used a password-protected archive named “Strike at Gulf oil and gas facilities.zip”, which was likely distributed through email.

The archive contained low-quality AI-generated lure documents impersonating the Israeli government. These lures delivered a previously undocumented Rust-based loader.

The loader exploited DLL hijacking involving nvdaHelperRemote.dll, a component of the open-source screen reader NVDA. Abuse of NVDA components has only been observed in a small number of campaigns linked to Chinese-aligned actors. Previous incidents included a campaign distributing the Voldemort backdoor, as well as a wave of attacks targeting the Philippines and Myanmar in 2025.
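Both infection chains rest on the same DLL sideloading pattern (Baidu NetDisk for PlugX, NVDA's nvdaHelperRemote.dll for the Rust loader), so a defender's first check is where a DLL was loaded from rather than what it is called. The following is an added example, not Check Point's code or tooling: a small detection pass over constructed Sysmon-style ImageLoad (Event ID 7) records. The usernames, paths, rule names and the `helper.dll` filename are assumptions; the only DLL name taken from the page is nvdaHelperRemote.dll.

```python
import re

# Constructed Sysmon-style ImageLoad (Event ID 7) records, not real telemetry.
# Fields mirror Sysmon's Image / ImageLoaded / Signed; all values are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\NVDA\nvda.exe",
     "ImageLoaded": r"C:\Program Files (x86)\NVDA\nvdaHelperRemote.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\alice\AppData\Local\Temp\Strike at Gulf oil and gas facilities\nvda.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Strike at Gulf oil and gas facilities\nvdaHelperRemote.dll",
     "Signed": "false"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\bob\Downloads\BaiduNetdisk\BaiduNetdisk.exe",
     "ImageLoaded": r"C:\Users\bob\Downloads\BaiduNetdisk\helper.dll",  # assumed name
     "Signed": "false"},
]

# DLL names the page ties to sideloading. The Baidu NetDisk DLL is not named on
# the page, so that chain is only covered by the user-writable-path rule below.
WATCHLIST_DLLS = {"nvdahelperremote.dll"}
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\", re.I)
TRUSTED_ROOTS = re.compile(r"^[a-z]:\\(program files( \(x86\))?|windows)\\", re.I)


def classify(event):
    """Return the names of the rules that fire for one ImageLoad event."""
    img = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    signed = event["Signed"].lower() == "true"
    dll_name = dll.rsplit("\\", 1)[-1]
    hits = []
    # Rule 1: a known sideload-prone DLL loaded from outside its vendor install root.
    if dll_name in WATCHLIST_DLLS and not TRUSTED_ROOTS.match(dll):
        hits.append("watchlist_dll_outside_trusted_root")
    # Rule 2: unsigned DLL and its host executable both sitting in a user-writable
    # directory, the shape left behind by an extracted lure archive.
    if USER_WRITABLE.match(dll) and not signed and USER_WRITABLE.match(img):
        hits.append("unsigned_dll_from_user_writable_dir")
    return hits


def scan(events):
    """Map each suspicious loaded DLL path to the rules it triggered."""
    findings = {}
    for event in events:
        hits = classify(event)
        if hits:
            findings[event["ImageLoaded"]] = hits
    return findings


if __name__ == "__main__":
    for path, rules in scan(SAMPLE_EVENTS).items():
        print(path, "->", ", ".join(rules))
```

Rule 1 is the higher-fidelity signal; rule 2 will also fire on legitimate portable software and is meant for triage, not blocking.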

Figure 3 – Lure used as part of the Cobalt Strike infection.

The final payload delivered in this operation was Cobalt Strike, a legitimate penetration-testing framework that is frequently repurposed by threat actors for malicious purposes.

Attackers often use Cobalt Strike as an initial payload to conduct rapid reconnaissance on newly compromised systems. This allows them to evaluate the network environment and determine whether further intrusion activity is worthwhile.

Figure 4 – Infection chain used to deploy Cobalt Strike.

Although attribution remains low confidence, several elements suggest that this campaign may also be aligned with Chinese threat actors. These include the use of NVDA-based DLL hijacking, deployment of Cobalt Strike, and command-and-control infrastructure registered through Kaopu Cloud and Cloudflare—all tactics previously observed in Chinese cyber-espionage operations. The timing of the attack also aligns with this assessment.


Outlook: Shifting Focus of China-Linked Actors in the Middle East

Historically, the Gulf region has received less attention in public reporting on China-linked cyber activity compared to other parts of the Middle East. However, the campaigns observed in this case indicate that significant geopolitical developments can rapidly influence threat actor priorities.

Immediately following the recent escalation in the Middle East, Check Point Research identified at least two distinct threat actors targeting organizations in Qatar. Both campaigns used conflict-related themes designed to blend into the region’s fast-paced information environment.

These incidents illustrate how quickly Chinese-linked espionage groups can pivot their operations in response to global events. The swift targeting of Qatar may reflect opportunistic intelligence collection tied to the regional crisis, but it could also signal a broader strategic shift toward a country positioned at the intersection of multiple competing regional and global interests.


Indicators of Compromise (IOCs)

File Hashes

IP Addresses

185.219.220.73
91.193.17.117

Domain

almersalstore[.]com