
China-Nexus Activity Against Qatar Observed Amid Expanding Regional Tensions


Missile Strikes in Bahrain as a Lure

On March 1st, one day after the start of the escalation in the Middle East, Check Point Research began observing targeted campaigns against entities in Qatar. The campaigns relied on conflict-related content as lures, intended to blend into legitimate, fast-moving regional communications.

In the first infection chain identified by Check Point Research, the threat actor delivered an archive disguised as photos of attacks on American bases in Bahrain.

When executed, a LNK file from the archive starts an unusually long infection chain: it contacts a compromised server to retrieve the next-stage payload, eventually abusing DLL hijacking of the legitimate Baidu NetDisk binary to deploy the PlugX backdoor.
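The side-loading step above (a legitimate signed binary loading an attacker-supplied DLL from its own directory) is what a defender can hunt for in image-load telemetry. The following is an added example, not code from Check Point Research or itvoice.in: it applies a simple heuristic over constructed image-load records with assumed field names (`process_path`, `process_signer`, `dll_path`, `dll_signer`), flagging a signed host executable outside the normal install roots that loads an unsigned or differently-signed DLL sitting next to it.

```python
from pathlib import PureWindowsPath

# Directories where a vendor binary legitimately lives; a signed EXE copied
# elsewhere (temp, downloads, an extracted archive) is the first red flag.
TRUSTED_ROOTS = (r"c:\windows", r"c:\program files")


def _under_trusted_root(path: str) -> bool:
    p = path.lower()
    return any(p.startswith(root) for root in TRUSTED_ROOTS)


def is_sideload_candidate(event: dict) -> bool:
    """True when one image-load record looks like DLL side-loading/hijacking."""
    proc = PureWindowsPath(event["process_path"])
    dll = PureWindowsPath(event["dll_path"])
    if dll.suffix.lower() != ".dll":
        return False
    if dll.parent != proc.parent:          # search-order abuse: DLL beside the EXE
        return False
    if _under_trusted_root(str(proc)):     # normal install location, skip
        return False
    # Signed host binary, but the DLL it pulls in is unsigned or signed by someone else.
    host_signer = event.get("process_signer")
    return bool(host_signer) and event.get("dll_signer") != host_signer


def flag_sideload_candidates(events: list[dict]) -> list[str]:
    """Return the DLL paths of every record matching the heuristic."""
    return [e["dll_path"] for e in events if is_sideload_candidate(e)]


# Constructed sample records (assumed schema, not real telemetry).
SAMPLE_EVENTS = [
    {"process_path": r"C:\Program Files\ExampleVendor\client.exe",      # benign
     "process_signer": "Example Vendor Co.",
     "dll_path": r"C:\Program Files\ExampleVendor\helper.dll",
     "dll_signer": "Example Vendor Co."},
    {"process_path": r"C:\Users\alice\AppData\Local\Temp\photos\client.exe",  # suspicious
     "process_signer": "Example Vendor Co.",
     "dll_path": r"C:\Users\alice\AppData\Local\Temp\photos\helper.dll",
     "dll_signer": None},
    {"process_path": r"C:\Users\alice\AppData\Local\Temp\photos\client.exe",  # system DLL
     "process_signer": "Example Vendor Co.",
     "dll_path": r"C:\Windows\System32\kernel32.dll",
     "dll_signer": "Microsoft Windows"},
]

if __name__ == "__main__":
    for path in flag_sideload_candidates(SAMPLE_EVENTS):
        print("possible DLL side-loading:", path)
```

Only the second record is flagged; the third shows why the same-directory check matters, since the relocated process also loads ordinary system DLLs that are not side-loading.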

PlugX is a modular backdoor associated with multiple Chinese-nexus threat actors since at least 2008. Its plugin-based architecture enables remote access and a wide range of post-compromise functions, including file exfiltration, screen capture, keystroke logging, and ...


Copyright of this story solely belongs to itvoice.in.