Chinese-nexus advanced persistent threat (APT) groups initiated campaigns targeting organizations in Qatar in the days following the first US-Israeli military operations in Iran. This activity signals a shift in regional strategy for these state-backed groups as they adjust their operations in response to geopolitical events.
Within one day of the start of the "Operation Epic Fury" offensive, the threat actor known as Camaro Dragon attempted to deploy a variant of the PlugX malware against various Qatari entities. According to a recent report by Check Point Software, these campaigns utilized deceptive communications associated with the conflict. A separate campaign directed at a Qatari target sought to deploy the Cobalt Strike security testing framework via dynamic link library (DLL) hijacking, a methodology frequently associated with China-nexus groups.
Historically, Chinese threat actors have not focused on the Gulf region as heavily as other areas of the Middle East. This recent activity indicates a shift in intelligence gathering following the broader regional conflict, which quickly spread to countries such as Qatar, the United Arab Emirates, and Bahrain, where the US maintains military facilities.
Check Point researchers noted that in the immediate aftermath of the regional escalation, at least two separate threat actors targeted entities in Qatar. These campaigns used conflict-related lures specifically tailored to blend into the region's fast-moving communications environment, demonstrating how rapidly China-nexus espionage actors can pivot their operations during geopolitical events.
Aligning communications with regional events
Both observed campaigns relied on content related to the Iranian conflict as lures within deceptive emails. By matching the tone and topic of legitimate, fast-moving regional communications, the unauthorized emails were designed to appear credible to the recipients.
The campaign attributed to Camaro Dragon delivered an archive disguised as photographs of military activity near American bases in Bahrain. When executed, an LNK file within the archive initiated an extended execution sequence. This sequence contacted a compromised server to retrieve the next-stage component, ultimately utilizing DLL hijacking of a legitimate Baidu NetDisk binary to deploy the PlugX backdoor.
PlugX is a modular malware family associated with multiple Chinese-nexus threat actors since at least 2008. Its architecture relies on plugins to enable remote access and a wide range of post-compromise functions, including file exfiltration, screen capture, keystroke logging, and remote command execution. While the FBI recently coordinated a global effort to remove PlugX from thousands of devices, this recent campaign confirms the tool remains active among threat actors.
A separate campaign documented by Check Point targeted Qatari entities using a password-protected archive named "Strike at Gulf oil and gas facilities.zip," likely delivered via email. This campaign used low-quality AI-generated lures impersonating the Israeli government to deliver a previously unseen Rust-based loader.
This loader utilized DLL hijacking of nvdaHelperRemote.dll, a component of the open-source screen reader NVDA. Abuse of this specific component has historically been limited to a small number of Chinese-nexus campaigns, including activity aligned with the Voldemort backdoor and a series of operations targeting the Philippines and Myanmar in 2025. The archive ultimately deploys Cobalt Strike as its final component to support network reconnaissance and further unauthorized activity.
Strategic shifts and protective measures
Security experts anticipate unauthorized cyber activity will increase as the geopolitical conflict continues. Pro-Iranian actors initiated a surge in cyber incidents during the early days of the conflict, and other groups with regional interests are now participating in the digital aspects of the event.
The intrusions analyzed by Check Point demonstrate how quickly China-nexus actors can shift their priorities toward regions that are not typically their primary focus. The immediate attention on Qatar likely reflects opportunistic intelligence collection tied to the crisis, as well as a broader shift in priorities toward a state positioned at the intersection of competing global interests.
To protect against these escalating threats, security teams should verify and reinforce their existing controls. Organizations are encouraged to ensure that endpoint detection and response (EDR) systems are fully deployed and actively monitored, and that multifactor authentication (MFA) is strictly enforced across all access points. To assist defenders in identifying activity related to Camaro Dragon and similar groups, Check Point has published specific indicators of compromise (IoCs) associated with the recent campaigns in Qatar, which security teams can integrate into their detection workflows.