China-nexus Threat Actor Targets Persian Gulf Region With PlugX
Essential information
- Published
- 16/03/2026 10:26
- Modified
- 16/03/2026 10:52
- Tags
- 2026-03-16 china-nexus destroyrat kaba korplug middle east conflict plugx sogu thoper
- Related entities
- 11 observables, 1 intrusion sets (apt), 2 malware, 3 others
Description
A China-nexus threat actor targeted countries in the Persian Gulf region using a multi-stage attack chain to deploy a PlugX backdoor variant. The campaign exploited the renewed Middle East conflict, using an Arabic-language document lure depicting missile attacks. The attack utilized a ZIP archive containing a malicious Windows shortcut file, which downloaded a CHM file leading to the deployment of PlugX. The malware employed various obfuscation techniques, including control flow flattening and mixed boolean arithmetic. The PlugX variant supported HTTPS for command-and-control communication and DNS-over-HTTPS for domain resolution. Based on the tools and tactics used, the activity is attributed to a China-nexus actor, possibly linked to Mustang Panda.