New research from Check Point Software Technologies shows that China-nexus cyber-espionage activity has targeted entities in Qatar, with campaigns emerging almost immediately after the latest escalation in the Middle East. Researchers observed that a China-linked threat actor known as Camaro Dragon attempted to deploy a variant of the PlugX backdoor against Qatari targets within a day of the start of the regional crisis.
The attackers used conflict-related themes to make their lures appear credible, including archives disguised as images of missile strikes near a U.S. base in Bahrain. Once executed, the malicious files triggered a multistage infection chain that ultimately delivered PlugX, a modular backdoor capable of remote command execution, keystroke logging, screen capture, and data exfiltration.
On March 1, one day after the escalation in the Middle East began, Check Point Research observed targeted cyber campaigns against entities in Qatar that used conflict-related content as lures to blend in with legitimate regional communications. In one infection chain, the threat actor distributed an archive disguised as photos of attacks on American bases in Bahrain.
“When executed, a LNK file from the archive starts an unusually long infection chain: it contacts a compromised server to retrieve the next-stage payload, eventually abusing DLL hijacking of the legitimate Baidu NetDisk binary to deploy the PlugX backdoor,” the Check Point Research team wrote in a Monday blog post. “PlugX is a modular backdoor associated with multiple Chinese-nexus threat actors since at least 2008. Its plugin-based architecture enables remote access and a wide range of post-compromise functions, including file exfiltration, screen capture, keystroke logging, and remote command execution.”
The team identified that the PlugX sample uses the configuration encryption key qwedfgx202211 together with a date-formatted payload decryption key (20260301@@@ in this instance), both of which have been observed in prior campaigns attributed to Camaro Dragon, the China-nexus APT overlapping with clusters publicly reported as Earth Preta and Mustang Panda.
The researchers highlighted that the infection vector was not unique to the Qatar campaign. “Check Point Research observed the same delivery method several months earlier, in late December, in attacks against Turkish military targets. This consistency suggests that the cluster maintains a broader Middle East targeting focus, with operations now shifting toward entities in Qatar as the current regional environment creates new targeting opportunities.”
The report also identified a second campaign likely targeting Qatari organizations that used geopolitical themes to deliver additional malware. In this operation, attackers distributed a password-protected archive titled ‘Strike at Gulf oil and gas facilities,’ reportedly sent via email and containing low-quality AI-generated lures impersonating Israeli government messaging.
The attack deployed a previously unseen Rust-based loader that abused DLL hijacking before delivering the Cobalt Strike framework, commonly used by threat actors for reconnaissance and post-compromise activity.
“Check Point Research observed another attack presumably targeting Qatar and using a password-protected archive named Strike at Gulf oil and gas facilities[dot]zip, likely delivered via email,” according to the Check Point blog. “The campaign employed low-quality AI-generated lures impersonating the Israeli government to deliver a previously unseen Rust-based loader. This loader exploits DLL hijacking of nvdaHelperRemote[dot]dll, a component of the open-source screen reader NVDA.”
It added that “abuse of this component has previously been observed in only a limited number of Chinese-nexus campaigns, including China-aligned activity associated with a campaign delivering Voldemort backdoor, as well as a wave of attacks targeting the Philippines and Myanmar back in 2025.”
The researchers observed that the final payload deployed in this operation was Cobalt Strike, a penetration testing framework that is often repurposed for malicious activity. “Threat actors frequently use it as an initial-stage payload to perform rapid reconnaissance on newly compromised systems and networks, allowing them to assess the environment and determine whether deeper full-on intrusion activity is justified.”
“With low confidence, this attack is assessed as China-aligned,” according to the post. “The use of DLL hijacking using NVDA components, Cobalt Strike, and C2 infrastructure registered via Kaopu Cloud and Cloudflare matches TTPs previously associated with Chinese threat actors, while the attack timestamps provide additional supporting context.”
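The side-loading pattern common to both campaigns (a legitimate host binary loading a look-alike DLL from a location the attacker controls, rather than from the product's install tree) is something defenders can hunt for in image-load telemetry. The Python below is an added example, not code from Check Point or the report; the expected NVDA host process and install root, the Sysmon-style field names, and the sample events are assumptions constructed for illustration.

```python
"""Flag suspicious loads of a DLL known to be abused for side-loading
(nvdaHelperRemote.dll, per the report) using Sysmon Event ID 7-style
fields: Image (loader), ImageLoaded (DLL), Signed. All records below
are constructed for this example, not taken from real telemetry."""
from pathlib import PureWindowsPath

# Assumption: expected host process and install root per watched DLL.
# The NVDA install directory here is an assumed default, not from the report.
SIDELOAD_WATCHLIST = {
    "nvdahelperremote.dll": {
        "host": "nvda.exe",
        "install_root": r"C:\Program Files (x86)\NVDA",
    },
}
# Directory fragments that indicate a user-writable drop location.
USER_WRITABLE_HINTS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

def _under(path: str, root: str) -> bool:
    """True if `path` lies somewhere beneath `root` (case-insensitive)."""
    return PureWindowsPath(root.lower()) in PureWindowsPath(path.lower()).parents

def assess_image_load(event: dict) -> list[str]:
    """Return reasons the load looks like side-loading; empty list means benign."""
    dll = PureWindowsPath(event["ImageLoaded"])
    rule = SIDELOAD_WATCHLIST.get(dll.name.lower())
    if rule is None:
        return []
    reasons = []
    if not _under(event["ImageLoaded"], rule["install_root"]):
        reasons.append("dll outside expected install root")
    if not _under(event["Image"], rule["install_root"]):
        reasons.append("host binary outside expected install root")
    if any(h in event["ImageLoaded"].lower() for h in USER_WRITABLE_HINTS):
        reasons.append("dll in user-writable location")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("dll unsigned")
    return reasons

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run the check over a batch of events, returning only the hits."""
    return [(e["ImageLoaded"], r) for e in events if (r := assess_image_load(e))]

SAMPLE_EVENTS = [  # constructed: one benign load, one relocated host + rogue DLL
    {"Image": r"C:\Program Files (x86)\NVDA\nvda.exe",
     "ImageLoaded": r"C:\Program Files (x86)\NVDA\lib\nvdaHelperRemote.dll",
     "Signed": "true"},
    {"Image": r"C:\Users\victim\AppData\Roaming\Update\nvda.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Roaming\Update\nvdaHelperRemote.dll",
     "Signed": "false"},
]
```

Running scan(SAMPLE_EVENTS) reports only the second record, with all four reasons; the same watchlist structure extends to other host/DLL pairs such as the Baidu NetDisk binary mentioned in the first campaign.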
China-linked cyber activity in the Gulf has historically received less public attention than operations in other parts of the Middle East, but recent campaigns suggest this may be changing. The activity identified by Check Point Research indicates that major geopolitical developments can quickly reshape intelligence priorities. In the immediate aftermath of the latest regional escalation, researchers observed at least two separate China-nexus threat actors targeting entities in Qatar using conflict-related lures designed to blend into the region’s fast-moving communications environment.
Taken together, the incidents illustrate how rapidly state-aligned espionage groups can pivot their operations in response to geopolitical events. The near-immediate focus on Qatar likely reflects both opportunistic intelligence collection tied to the unfolding crisis and a broader shift in attention toward a country positioned at the intersection of several competing regional and global powers and interests.
Back in July 2023, researchers at Check Point Software Technologies reported a cyber-espionage campaign known as SmugX, attributed to the China-linked threat actor Camaro Dragon. The operation targeted government and diplomatic organizations across Europe, particularly foreign affairs ministries and policy institutions. The attackers relied on carefully crafted spear-phishing lures tied to European political and diplomatic issues, including invitations to conferences and policy documents, suggesting a broader intelligence-collection effort focused on European governance and foreign policy.
The campaign used HTML smuggling techniques to conceal malicious payloads within seemingly harmless HTML attachments. When opened, the files triggered a multi-stage infection chain that ultimately delivered variants of the PlugX remote access trojan. Once installed, the malware enabled extensive espionage capabilities, including remote command execution, keystroke logging, screen capture, and data exfiltration. Researchers noted that the campaign demonstrated the continued use of established tools and stealthy delivery methods by China-aligned actors such as Camaro Dragon to infiltrate high-value government targets.