Missile Strikes in Bahrain as a Lure
On March 1st, one day after the start of the escalation in the Middle East, Check Point Research began observing targeted campaigns against entities in Qatar. The campaigns relied on conflict-related content as lures, intended to blend into legitimate, fast-moving regional communications.
In the first infection chain identified by Check Point Research, the threat actor delivered an archive disguised as photos of attacks on American bases in Bahrain.

When executed, a LNK file from the archive starts an unusually long infection chain: it contacts a compromised server to retrieve the next-stage payload, eventually abusing DLL hijacking of the legitimate Baidu NetDisk binary to deploy the PlugX backdoor.

PlugX is a modular backdoor associated with multiple Chinese-nexus threat actors since at least 2008. Its plugin-based architecture enables remote access and a wide range of post-compromise functions, including file exfiltration, screen capture, keystroke logging, and remote command execution.
The PlugX sample uses the configuration encryption key qwedfgx202211 together with a date-formatted payload decryption key (20260301@@@ in this instance), both of which have been observed in prior campaigns attributed to Camaro Dragon, the China-nexus APT overlapping with clusters publicly reported as Earth Preta and Mustang Panda.
It is worth noting that this infection vector was not unique to the Qatar campaign. Check Point Research observed the same delivery method several months earlier, in late December, in attacks against Turkish military targets. This consistency suggests that the cluster maintains a broader Middle East targeting focus, with operations now shifting toward entities in Qatar as the current regional environment creates new targeting opportunities.
Strike at Gulf Oil and Gas Facilities as a Lure
In a separate campaign, Check Point Research observed another attack presumably targeting Qatar and using a password-protected archive named Strike at Gulf oil and gas facilities.zip, likely delivered via email. The campaign employed low-quality AI-generated lures impersonating the Israeli government to deliver a previously unseen Rust-based loader. This loader exploits DLL hijacking of nvdaHelperRemote.dll, a component of the open-source screen reader NVDA. Abuse of this component has previously been observed in only a limited number of Chinese-nexus campaigns, including China-aligned activity associated with a campaign delivering the Voldemort backdoor, as well as a wave of attacks targeting the Philippines and Myanmar in 2025.

The final payload deployed in this operation was Cobalt Strike, a well-known penetration testing framework that is often repurposed for malicious activity.
Threat actors frequently use it as an initial-stage payload to perform rapid reconnaissance on newly compromised systems and networks, allowing them to assess the environment and determine whether a deeper intrusion is justified.

With low confidence, this attack is assessed as China-aligned. The use of DLL hijacking of NVDA components, Cobalt Strike, and C2 infrastructure registered via Kaopu Cloud and Cloudflare matches TTPs previously associated with Chinese threat actors, while the attack timestamps provide additional supporting context.
Outlook: Chinese-Nexus Actors Shift Their Focus in the Middle East
The Gulf region has not been as prominently featured in public reporting on China-nexus activity as some other parts of the broader Middle East. However, the activity observed in these campaigns suggests that major regional developments can quickly reshape priorities. In the immediate aftermath of the escalation in the Middle East, Check Point Research observed at least two separate threat actors targeting entities in Qatar using conflict-related lures tailored to blend into the region’s fast-moving communications environment. Taken together, these intrusions highlight how rapidly China-nexus espionage actors can pivot in response to geopolitical events. The near-immediate focus on Qatar may reflect not only opportunistic intelligence collection tied to the regional crisis, but also a broader shift in collection priorities toward a state that sits at the intersection of several competing regional and global powers and interests.
