A Chinese-linked advanced persistent threat group known as Camaro Dragon launched a targeted cyberespionage campaign against entities in Qatar just one day after the outbreak of new hostilities in the Middle East on March 1, 2026.
The group used war-themed lure documents designed to look like urgent, real-world communications tied to Operation Epic Fury, tricking recipients into opening malicious files that silently installed the PlugX backdoor on their machines.
The timing of this campaign was striking. Within 24 hours of the regional escalation, the threat actors had already prepared and deployed carefully crafted phishing archives that mimicked legitimate conflict-related content, blending into the flood of communications circulating during major geopolitical events.
This speed shows how rapidly Chinese-nexus APT groups can pivot when a significant development occurs, turning breaking news into a weapon.
Check Point analysts identified two separate infection campaigns running in parallel, both directed at Qatar and each using different delivery mechanisms and final payloads, pointing to the involvement of at least two distinct threat actor clusters.
The broader impact extends beyond a single organization or government office. Qatar sits at a crossroads of regional and global influence, maintaining ties with competing powers in the Middle East and beyond.
A successful compromise could give Chinese intelligence services access to sensitive communications and strategic data of considerable geopolitical value.
These campaigns also mark a clear shift in Chinese-nexus targeting priorities, as the Gulf region had not previously featured this prominently in public reporting on state-sponsored espionage.
The same delivery method was observed in late December 2025 against Turkish military targets, suggesting this cluster maintains a sustained focus on the broader Middle East.
The near-immediate pivot to Qatar following the escalation shows these actors were already primed and positioned, waiting for the right moment to strike.
DLL Hijacking and Multi-Stage PlugX Deployment
The first campaign opened with an archive file disguised as photos documenting missile strikes on American bases in Bahrain.
When a victim opened and ran the archive contents, a Windows shortcut (.LNK) file quietly triggered a multi-stage infection chain that first reached out to a compromised remote server to retrieve the next-stage payload. The chain ultimately abused DLL hijacking of the legitimate Baidu NetDisk application binary to load and silently execute the PlugX backdoor.
PlugX is a modular backdoor tied to multiple Chinese-nexus threat actors since at least 2008. Its plugin-based design allows attackers to carry out a wide range of post-compromise tasks — stealing files, capturing screenshots, recording keystrokes, and running remote commands — without drawing unnecessary security attention.
The PlugX sample from this campaign used the configuration encryption key qwedfgx202211 and a date-formatted decryption key (20260301@@@), both previously observed in campaigns attributed to Camaro Dragon, also known as Earth Preta and Mustang Panda.
The second campaign used a password-protected archive named “Strike at Gulf oil and gas facilities.zip,” likely delivered via email.
It relied on low-quality AI-generated lures impersonating the Israeli government and deployed a previously unseen Rust-based loader that abused DLL hijacking through nvdaHelperRemote.dll, a component of the open-source screen reader NVDA, to ultimately drop Cobalt Strike as its final payload.
C2 infrastructure ran through Kaopu Cloud and Cloudflare, matching tactics, techniques, and procedures associated with prior Chinese-nexus activity.
Organizations across the Gulf region should treat all conflict-themed email attachments with extreme caution, especially during periods of active geopolitical tension.
Security teams are strongly advised to monitor for DLL hijacking involving trusted third-party applications, block known malicious indicators including IPs 185.219.220.73 and 91.193.17.117 and domain almersalstore[.]com, and keep endpoint detection tools updated to recognize PlugX variants and Cobalt Strike beacon activity on their networks.
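The monitoring advice above (DLL hijacking through trusted third-party binaries, plus the published network indicators) can be turned into a simple triage pass over endpoint telemetry. The script below is an added example written for this article; it is not Check Point's tooling or any vendor's detection content. It reads Sysmon-style records (Event ID 7 "Image loaded" and Event ID 3 "Network connection" field names), flags the sideloading pattern seen in both campaigns, and matches the IPs and domain quoted above. The sample events, the trusted install roots, the user-writable path markers, and the `ProcessSigned` field (which in practice would be correlated from the process-creation event) are all constructed assumptions for the demonstration.

```python
"""Triage of constructed Sysmon-style telemetry for DLL sideloading and the
C2 indicators named in the article. Added example; not the vendor's code."""
import json
from pathlib import PureWindowsPath

# Indicators quoted in the article (the domain is defanged there as almersalstore[.]com).
IOC_IPS = {"185.219.220.73", "91.193.17.117"}
IOC_DOMAINS = {"almersalstore.com"}

# DLL named in the article as the hijacked component in the second campaign.
KNOWN_SIDELOAD_DLLS = {"nvdahelperremote.dll"}

# Assumptions: where legitimately installed software normally lives, and
# path fragments that an ordinary user can write to without admin rights.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def in_trusted_root(path: str) -> bool:
    return _norm(path).startswith(TRUSTED_ROOTS)


def in_user_writable(path: str) -> bool:
    p = _norm(path)
    return any(marker in p for marker in USER_WRITABLE)


def assess_image_load(ev: dict) -> list[str]:
    """Return the reasons an Event ID 7 record looks like DLL sideloading."""
    reasons = []
    host, dll = ev["Image"], ev["ImageLoaded"]
    dll_name = PureWindowsPath(dll).name.lower()
    dll_signed = str(ev.get("Signed", "")).lower() == "true"
    # ProcessSigned is an assumed, pre-correlated field (Sysmon ID 7 only signs the loaded image).
    host_signed = str(ev.get("ProcessSigned", "")).lower() == "true"

    if dll_name in KNOWN_SIDELOAD_DLLS and not in_trusted_root(dll):
        reasons.append(f"known sideload target {dll_name} loaded outside trusted install root")
    if not dll_signed and in_user_writable(dll):
        reasons.append("unsigned DLL loaded from user-writable path")
    # Classic sideloading shape: a signed executable dropped into a user-writable
    # directory loads an unsigned DLL sitting right beside it.
    if (host_signed and not dll_signed and in_user_writable(host)
            and PureWindowsPath(host).parent == PureWindowsPath(dll).parent):
        reasons.append("signed host executable loaded unsigned co-located DLL from user-writable path")
    return reasons


def assess_network(ev: dict) -> list[str]:
    """Return the reasons an Event ID 3 record matches a published indicator."""
    reasons = []
    if ev.get("DestinationIp") in IOC_IPS:
        reasons.append(f"connection to indicator IP {ev['DestinationIp']}")
    host = ev.get("DestinationHostname", "").lower().rstrip(".")
    if host and (host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS)):
        reasons.append(f"connection to indicator domain {host}")
    return reasons


def triage(events: list[dict]) -> list[dict]:
    """Return one finding per event that triggered at least one heuristic."""
    findings = []
    for idx, ev in enumerate(events):
        if ev.get("EventID") == 7:
            reasons = assess_image_load(ev)
        elif ev.get("EventID") == 3:
            reasons = assess_network(ev)
        else:
            reasons = []
        if reasons:
            findings.append({"index": idx, "EventID": ev["EventID"], "Image": ev.get("Image"), "reasons": reasons})
    return findings


# Constructed sample telemetry: one benign load, one sideload from a Downloads
# folder, one legitimate NVDA load, one beacon to an indicator IP, one benign connection.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": "C:\\Windows\\System32\\notepad.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "ProcessSigned": "true"},
    {"EventID": 7, "Image": "C:\\Users\\alice\\Downloads\\strike\\nvda.exe",
     "ImageLoaded": "C:\\Users\\alice\\Downloads\\strike\\nvdaHelperRemote.dll",
     "Signed": "false", "ProcessSigned": "true"},
    {"EventID": 7, "Image": "C:\\Program Files (x86)\\NVDA\\nvda.exe",
     "ImageLoaded": "C:\\Program Files (x86)\\NVDA\\nvdaHelperRemote.dll",
     "Signed": "true", "ProcessSigned": "true"},
    {"EventID": 3, "Image": "C:\\Users\\alice\\Downloads\\strike\\nvda.exe",
     "DestinationIp": "185.219.220.73", "DestinationHostname": ""},
    {"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe",
     "DestinationIp": "93.184.216.34", "DestinationHostname": "example.com"},
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

The two sideloading heuristics are deliberately independent of the specific DLL name: the NVDA entry catches the campaign described here, while the "signed host, unsigned co-located DLL, user-writable path" rule covers the same abuse of any other legitimate binary, including the Baidu NetDisk case in the first campaign. Legitimate installations under Program Files produce no finding, which keeps the rule usable as a hunting query rather than a noisy alert.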