China-nexus Threat Actor Targets Persian Gulf Region With PlugX
A China-nexus threat actor targeted countries in the Persian Gulf region with a multi-stage attack chain that deployed a PlugX backdoor variant. The campaign used the renewed Middle East conflict as its lure theme, with an Arabic-language decoy document depicting missile attacks. The initial delivery was a ZIP archive containing a malicious Windows shortcut (LNK) file, which downloaded a CHM file that in turn led to the deployment of PlugX. The malware employed several obfuscation techniques, including control flow flattening and mixed boolean arithmetic. The PlugX variant supported HTTPS for command-and-control communication and DNS-over-HTTPS for resolving its C2 domains. Based on the tools and tactics used, the activity is attributed to a China-nexus actor, possibly linked to Mustang Panda.
Pulse ID: 69b7dacde783e4b5dec19bde
Pulse Link: https://otx.alienvault.com/pulse/69b7dacde783e4b5dec19bde
Pulse Author: AlienVault
Created: 2026-03-16 10:26:21
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Arabic #BackDoor #China #CyberSecurity #DNS #HTTP #HTTPS #ICS #InfoSec #Malware #MiddleEast #OTX #OpenThreatExchange #PlugX #Windows #ZIP #bot #AlienVault
