Severity
High
Analysis Summary
Following the escalation of tensions in the Middle East on March 1, 2026, researchers observed targeted cyber campaigns against organizations in Qatar. The attacks used conflict-related themes as social engineering lures to blend into legitimate regional communications during a period of heightened geopolitical activity.
In the first infection chain, attackers distributed an archive disguised as photographs of attacks on American military bases in Bahrain. When opened, the archive executed a malicious LNK file that initiated a lengthy infection process. The LNK contacted a compromised server to retrieve additional payloads and ultimately abused DLL hijacking of a legitimate binary from Baidu NetDisk to deploy the well-known backdoor PlugX. PlugX is a modular malware family linked to multiple Chinese-nexus threat actors since at least 2008 and supports extensive post-compromise functionality, including remote command execution, file exfiltration, screen capture, and keystroke logging.
The analyzed PlugX sample used the configuration encryption key “qwedfgx202211” and a date-based payload decryption key, both previously observed in campaigns attributed to Camaro Dragon, which overlaps with clusters publicly tracked as Earth Preta and Mustang Panda. Researchers noted that the same delivery technique had been used in earlier attacks targeting Turkish military entities in December 2025, indicating an ongoing regional focus.
A second campaign targeting entities in Qatar used a password-protected archive titled “Strike at Gulf oil and gas facilities.zip,” likely delivered through email. This operation relied on low-quality AI-generated lures impersonating the Israeli government and delivered a previously unseen Rust-based loader that exploited DLL hijacking of the NVDA screen reader component nvdaHelperRemote.dll. The final payload in this chain was Cobalt Strike, frequently abused by threat actors for reconnaissance and post-exploitation activities.
Although attribution remains at low confidence, the tactics, infrastructure registered via Kaopu Cloud and Cloudflare, and historical tradecraft strongly suggest China-aligned threat activity. Researchers assess that the campaigns reflect how quickly Chinese-nexus espionage actors can shift targeting priorities in response to geopolitical developments. The rapid focus on Qatar highlights the country’s strategic significance in the Gulf region and suggests increased intelligence collection efforts related to ongoing regional instability.
Impact
- Unauthorized Access
- Data Exfiltration
- Command Execution
- Lateral Movement
Indicators of Compromise
Domain Name
- almersalstore.com
IP
- 185.219.220.73
- 91.193.17.117
MD5
- 4e8f302b2a17c3cc64b866acb18424e1
- 7c1a801cb5ca5b3fca96901eabd52dbf
- eb27bbc29b36ae9c66970654925d8c3b
- f72810d1c8dfd364820ef3d06f6568f8
- 2090db51c5ecd85a553b14ee55f04d34
- 0456842d1af5760356e52db387f8897f
SHA-256
- 4d8027424b5bcd167ab70c8320ce3c5df72a9ecca01246b095e4af498f77725d
- fff7864019b651bea2448228d6557d995edc929276bb9d8cb34c3c280a42684e
- fa3a1153018ac1e1a35a65e445a2bad33eac582c225cf6c38d0886802481cd43
- a7c56033f2264c71b0485da693e3f627b2b5ccfe3399a53cc558be77f95d9c13
- 26d10996fd2880441445539cd8a6e7fe0777f6ca3352dae6ef84d1d747aabb0c
- a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d
SHA-1
- 24088b69f108dad5ca7c099887f3f506a6c1a609
- 40c972a1413cf9a842da0e448e4f84659aa5512f
- e3dc5ef72a9d08790f2f21726fa270b77dea3803
- 4890faf5e5a837aa1c42025575b0ab55022fb2b9
- 85c0ea845202eec3a4149e9afa8c593f48882633
- 60344a3a5ad950450cd798f585571d29f13f2dbb
Remediation
- Block all identified indicators of compromise across firewalls, web gateways, email filters, and endpoint security tools to prevent further interaction with malicious infrastructure.
- Conduct proactive threat hunting in SIEM and EDR platforms to identify traces of PlugX activity, suspicious LNK execution, or unauthorized use of Cobalt Strike.
- Implement strong email security filtering to detect and block malicious archives, phishing emails, and conflict-themed lure documents.
- Restrict execution of LNK files and unknown archives from untrusted sources to prevent initial infection chains.
- Monitor for abnormal DLL loading behavior to detect potential DLL hijacking attempts.
- Enforce application allowlisting to ensure only trusted and approved software can execute on endpoints.
- Enable multi-factor authentication (MFA) for critical accounts to reduce the risk of unauthorized access.
- Monitor network traffic for unusual outbound connections that may indicate command-and-control communication.
- Segment networks to limit lateral movement and restrict access between sensitive systems and operational environments.
- Ensure operating systems and software are regularly updated with the latest security patches.
- Deploy and maintain updated antivirus and endpoint detection solutions capable of identifying backdoors and remote access tools.
- Train employees to recognize social engineering tactics, including phishing lures related to geopolitical events.
- Maintain centralized logging and correlation through SIEM platforms to detect suspicious patterns across systems.
- Regularly back up critical data and ensure backups are securely stored and tested for recovery.
- Develop and periodically test an incident response plan to enable rapid containment and remediation of potential intrusions.
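To make the indicator blocking and hunting items above concrete, the following is an added example, not code from the advisory or its authors. It takes the domain, IP and SHA-256 indicators listed above and the two behaviours the analysis describes (an LNK launched from an extracted archive, and a legitimate DLL such as nvdaHelperRemote.dll loaded from outside its install directory) and evaluates them over Sysmon-style telemetry. The event layout, the user-writable path markers, the NVDA install directory and the sample events are all assumptions constructed for the example.

```python
"""Hunting example for the advisory above: match its IoCs and the behaviours it
describes against Sysmon-style events.  Event fields, path conventions and the
NVDA install directory are assumptions made for this example."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Network and hash indicators copied from the advisory.
IOC_DOMAINS = {"almersalstore.com"}
IOC_IPS = {"185.219.220.73", "91.193.17.117"}
IOC_SHA256 = {
    "4d8027424b5bcd167ab70c8320ce3c5df72a9ecca01246b095e4af498f77725d",
    "fff7864019b651bea2448228d6557d995edc929276bb9d8cb34c3c280a42684e",
    "fa3a1153018ac1e1a35a65e445a2bad33eac582c225cf6c38d0886802481cd43",
    "a7c56033f2264c71b0485da693e3f627b2b5ccfe3399a53cc558be77f95d9c13",
    "26d10996fd2880441445539cd8a6e7fe0777f6ca3352dae6ef84d1d747aabb0c",
    "a9de383c6a1b00c9bd5a09ef87440d72ec7fc4bcd781207b3cace2f246788d4d",
}

# Assumption: default install directory of the product whose DLL the advisory
# names as hijacked.  Replace with the install paths actually used in your estate.
EXPECTED_DLL_DIRS = {
    "nvdahelperremote.dll": {r"c:\program files (x86)\nvda"},
}

# Directories a standard user can write to; an archive opened from email is
# extracted into one of these, so a sideloaded DLL usually lives there too.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")

# Interpreters an LNK target commonly points at when it starts a script chain.
LNK_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "wscript.exe", "cscript.exe"}


@dataclass(frozen=True)
class Event:
    kind: str               # "process", "image_load", "dns" or "net"
    image: str = ""         # full path of the acting process
    parent_image: str = ""  # full path of the parent (process events)
    command_line: str = ""  # command line (process events)
    loaded: str = ""        # DLL path (image_load events)
    sha256: str = ""        # hash of the image or module, if the sensor logs it
    query: str = ""         # queried name (dns events)
    dst_ip: str = ""        # destination address (net events)


def is_user_writable(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def detect(event: Event) -> list[str]:
    """Return the names of every rule the event matches (empty list if none)."""
    hits: list[str] = []
    if event.kind == "dns" and event.query.lower().rstrip(".") in IOC_DOMAINS:
        hits.append("ioc-domain")
    if event.kind == "net" and event.dst_ip in IOC_IPS:
        hits.append("ioc-ip")
    if event.sha256.lower() in IOC_SHA256:
        hits.append("ioc-sha256")
    if event.kind == "process":
        parent = PureWindowsPath(event.parent_image).name.lower()
        child = PureWindowsPath(event.image).name.lower()
        # Explorer launching an interpreter whose arguments point into a
        # user-writable directory is what an LNK from an extracted archive looks like.
        if parent == "explorer.exe" and child in LNK_CHILDREN and is_user_writable(event.command_line):
            hits.append("lnk-chain-from-user-dir")
    if event.kind == "image_load":
        dll = PureWindowsPath(event.loaded)
        expected = EXPECTED_DLL_DIRS.get(dll.name.lower())
        # A DLL that belongs to an installed product but is loaded from elsewhere
        # is the core signal of the DLL hijacking the advisory describes.
        if expected is not None and str(dll.parent).lower() not in expected:
            hits.append("known-dll-loaded-outside-install-dir")
        if is_user_writable(event.loaded):
            hits.append("dll-loaded-from-user-writable-dir")
    return hits


def hunt(events: list[Event]) -> dict[int, list[str]]:
    """Map event index -> matched rules, keeping only events that matched something."""
    return {i: h for i, e in enumerate(events) if (h := detect(e))}


# Constructed telemetry, not from the advisory; hostnames, users and paths are illustrative.
SAMPLE_EVENTS = [
    Event(kind="dns", image=r"C:\Windows\System32\svchost.exe", query="almersalstore.com"),
    Event(kind="process", parent_image=r"C:\Windows\explorer.exe",
          image=r"C:\Windows\System32\cmd.exe",
          command_line=r'cmd.exe /c "C:\Users\jdoe\AppData\Local\Temp\photos\view.cmd"'),
    Event(kind="image_load", image=r"C:\Users\jdoe\Downloads\strike\host.exe",
          loaded=r"C:\Users\jdoe\Downloads\strike\nvdaHelperRemote.dll"),
    Event(kind="image_load", image=r"C:\Program Files (x86)\NVDA\nvda.exe",
          loaded=r"C:\Program Files (x86)\NVDA\nvdaHelperRemote.dll"),
    Event(kind="net", image=r"C:\Users\jdoe\Downloads\strike\host.exe", dst_ip="185.219.220.73"),
    Event(kind="process", parent_image=r"C:\Windows\System32\services.exe",
          image=r"C:\Windows\System32\svchost.exe", command_line="svchost.exe -k netsvcs"),
    Event(kind="process", parent_image=r"C:\Windows\explorer.exe",
          image=r"C:\Users\jdoe\Desktop\notes.exe",
          sha256="4d8027424b5bcd167ab70c8320ce3c5df72a9ecca01246b095e4af498f77725d"),
]

if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].kind, rules)
```

The hash and network rules are exact matches and can be fed straight into an EDR or SIEM watchlist. The two behavioural rules are hunting leads rather than alerts: the user-writable DLL rule will also fire on portable applications, so it is best reviewed alongside the known-DLL rule, which only fires when a product DLL appears outside the directory it was installed to.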