ThreatLabz identified a China-nexus threat actor (likely Mustang Panda) targeting Persian Gulf countries in March 2026, using Middle East conflict themes as social-engineering lures. The campaign delivered a PlugX backdoor through a multi-stage chain: a ZIP archive contains an LNK file that downloads a CHM dropper; the CHM extracts a TAR archive; a legitimate executable from that archive sideloads a malicious DLL that acts as a shellcode loader; and the shellcode finally injects a PlugX variant reflectively into memory. Both the shellcode and the backdoor are heavily obfuscated with control flow flattening (CFF) and mixed boolean arithmetic (MBA). The PlugX variant supports HTTPS C2, resolves its C2 domains over DNS-over-HTTPS, encrypts its traffic with RC4, and loads multiple plugins (keylogger, screen capture, remote shell, and others). Attribution rests on RC4 keys shared with the DOPLUGS campaign, identical CFF patterns, and the rapid weaponization of geopolitical lures that is consistent with Mustang Panda TTPs.
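Because the report ties this sample to DOPLUGS through shared RC4 keys, a useful triage step is to try known keys against a captured C2 payload and see which one yields readable plaintext. The block below is an added example, not code from the ThreatLabz report or from the malware: it implements plain RC4 (the cipher the report names) and a key-trial loop. The key, candidate keys, and beacon text are constructed for the demo and are not the real campaign keys.

```python
"""RC4 key-trial helper for triaging captured PlugX-style C2 traffic.

Added example, not code from the ThreatLabz report. DEMO_KEY, CANDIDATE_KEYS
and DEMO_PLAINTEXT are constructed for illustration; they are not real
campaign or DOPLUGS keys.
"""
from typing import Iterable, Optional


def rc4_ksa(key: bytes) -> list[int]:
    """RC4 key-scheduling algorithm: build the 256-byte permutation S."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt data with RC4 (the operation is symmetric)."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def looks_like_plaintext(data: bytes) -> bool:
    """Heuristic: a correct key should yield mostly printable ASCII.

    Random bytes are printable only ~38% of the time, so a 90% threshold
    over a few dozen bytes separates a real decrypt from a wrong key.
    """
    if not data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable / len(data) > 0.9


def try_keys(ciphertext: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the first candidate key whose decryption looks like plaintext."""
    for key in candidates:
        if looks_like_plaintext(rc4_crypt(key, ciphertext)):
            return key
    return None


# Constructed sample data (hypothetical, not captured traffic).
DEMO_KEY = b"demo-key-not-real"
DEMO_PLAINTEXT = b"hostname=WS01;user=analyst;plugins=keylog,screen,shell"
DEMO_CIPHERTEXT = rc4_crypt(DEMO_KEY, DEMO_PLAINTEXT)
CANDIDATE_KEYS = [b"wrong-key-1", b"another-wrong-key", DEMO_KEY]

if __name__ == "__main__":
    hit = try_keys(DEMO_CIPHERTEXT, CANDIDATE_KEYS)
    print("matched key:", hit)
    if hit:
        print("decrypted:", rc4_crypt(hit, DEMO_CIPHERTEXT).decode())
```

In practice the candidate list would be the keys recovered from earlier samples, and the plaintext check should be replaced with whatever structure the actual beacon uses (a magic value, a length prefix, or a known field name) once one sample has been decoded by hand.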