China-Linked Hackers Hit Qatar with Backdoor Disguised as War News


Check Point Research reveals that China-linked hackers, including the Camaro Dragon group, are targeting Qatar with malware disguised as Middle East conflict news. Using tools like PlugX and Cobalt Strike, these attackers are turning their focus toward the Gulf’s energy industry and military targets amid rising regional tensions.

Recent shifts in Middle Eastern politics have triggered a sudden wave of online interference. Groups linked to China have launched cyberattacks directed at Qatar, timed to coincide with a major spike in regional conflict. These actors began their operations on 1 March 2026, just one day after the launch of Operation Epic Fury. This shows just how quickly these groups can turn breaking news into a weapon to trick their targets.

Deceptive Tactics and Fake News Lures

According to Check Point Research, which detected and reported this spike, these hackers are using the chaos of the conflict to make their lures more believable. In one instance, they sent out a file disguised as photos titled “The destruction caused by an Iranian missile strike around the US base in Bahrain.” People, as we know, are more likely to click on urgent news during a crisis, and the attackers took full advantage of this.

Lure titled “The destruction caused by an Iranian missile strike around the US base in Bahrain”.

Further investigation by CPR researchers revealed a surprisingly long infection chain once a victim opens the file. The process starts by contacting a hacked server to pull down more data. It then uses a trick called DLL hijacking, in which a malicious library is placed where a legitimate program, in this case the popular Baidu NetDisk app, will load it, so that the trusted program secretly runs the PlugX backdoor.

The malware allows hackers to steal files, record what you type, or even take pictures of your screen. It is worth noting that this specific group, known as Camaro Dragon, used a decryption key labelled 20260301@@@. Researchers noted that the same method was used months earlier, in late December, to target the Turkish military, suggesting the group simply moved its focus to Qatar when the opportunity arose.

Infection chain (Source: Check Point Research)

Energy Sector Targets and the NVDA Trick

The campaign didn’t stop at military lures; attackers also targeted Qatar’s vital oil and gas industries using a password-protected file named “Strike at Gulf oil and gas facilities.zip.” This attack used low-quality, AI-generated content pretending to be from the Israeli government to deliver a brand-new loader program written in the Rust language.

This specific attack was quite clever because it hid its malicious code inside a component of NVDA, a legitimate open-source screen reader for the blind. By hijacking a trusted tool, the hackers make it much harder for security software to spot them. The final goal was to plant Cobalt Strike, a tool often used by security pros for simulating attacks, but one that, in the wrong hands, lets hackers map out a network for a full-scale intrusion.
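The side-loading step in both chains (PlugX via Baidu NetDisk above, and the Rust loader via an NVDA component here) is something defenders can hunt for in image-load telemetry. The following is an added Python example, not code from Check Point Research or from this article; the event fields, file paths, DLL names and publisher strings are constructed placeholders, and the heuristic is a generic one rather than a signature for this campaign.

```python
import ntpath
from dataclasses import dataclass
from typing import List

# Windows directories where OS-owned DLLs are expected to live
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

@dataclass
class ImageLoad:
    """One image-load event (Sysmon event 7 style): the host process, the
    module it loaded and the Authenticode publisher of each. Constructed shape."""
    process_path: str
    process_signer: str      # empty string = unsigned
    image_path: str
    image_signer: str        # empty string = unsigned

def sideload_findings(ev: ImageLoad, system_dll_names: set) -> List[str]:
    """Return the reasons this load looks like DLL side-loading (empty = clean)."""
    img = ev.image_path.lower()
    if not img.endswith(".dll") or img.startswith(SYSTEM_DIRS):
        return []                      # not a DLL, or loaded from the OS directory
    reasons = []
    same_dir = ntpath.dirname(img) == ntpath.dirname(ev.process_path.lower())
    if same_dir and not ev.image_signer:
        reasons.append("unsigned DLL loaded from the host executable's directory")
    if same_dir and ev.image_signer and ev.image_signer != ev.process_signer:
        reasons.append("DLL publisher differs from the host executable's publisher")
    if ntpath.basename(img) in system_dll_names:
        reasons.append("DLL name collides with a Windows system DLL loaded outside the OS directory")
    return reasons

def scan(events, system_dll_names):
    """Run the heuristic over a batch of events; returns (process, dll, reasons) hits."""
    hits = []
    for ev in events:
        reasons = sideload_findings(ev, system_dll_names)
        if reasons:
            hits.append((ev.process_path, ev.image_path, reasons))
    return hits

# Constructed sample events; names are placeholders, not indicators from the report
KNOWN_SYSTEM_DLLS = {"version.dll", "kernel32.dll", "dwmapi.dll"}
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\victim\AppData\Local\Temp\photos\netdisk.exe", "NetDiskVendor",
              r"C:\Users\victim\AppData\Local\Temp\photos\helper.dll", ""),
    ImageLoad(r"C:\Users\victim\Downloads\reader\reader.exe", "ScreenReaderVendor",
              r"C:\Users\victim\Downloads\reader\version.dll", ""),
    ImageLoad(r"C:\Program Files\App\app.exe", "VendorA",
              r"C:\Windows\System32\kernel32.dll", "Microsoft Windows"),
]
```

Feeding real Sysmon or EDR image-load events into `scan` surfaces the same pattern the report describes: a trusted, signed host executable dropped into a user-writable folder next to an unsigned library it then loads.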

According to researchers, these intrusions “highlight how rapidly China-nexus espionage actors can pivot” in response to global events. By blending into the fast-moving communications of a crisis, these hackers hope to remain unnoticed while gathering intelligence on one of the region’s most influential states.

Chinese-linked hackers are not the only actors active amid the ongoing conflict. Although the situation largely affects Iran, Iranian-linked hackers from MuddyWater were recently spotted targeting U.S. and Israeli organizations with a new malware strain dubbed DinDoor by researchers.
