A recent investigation by Check Point Research has uncovered a surge in cyberattacks targeting Qatar, orchestrated by China-linked threat actors such as the Camaro Dragon group. These campaigns are cleverly disguised as breaking news related to escalating tensions in the Middle East, allowing attackers to lure unsuspecting victims.
The attacks began on March 1, 2026, immediately following the launch of Operation Epic Fury. This timing highlights how quickly cyber espionage groups adapt to global developments, weaponizing real-time events to enhance the credibility of their phishing attempts.
Researchers observed that hackers distributed malicious files masquerading as urgent news updates. One such file was labeled “The destruction caused by an Iranian missile strike around the US base in Bahrain.” By leveraging heightened public interest during crises, attackers significantly increased the likelihood of user interaction.
Once opened, the file initiates a complex infection chain. It connects to a compromised server to retrieve additional payloads and employs DLL hijacking techniques to embed malware within legitimate software. In this case, attackers used the trusted Baidu NetDisk application to secretly deploy the PlugX backdoor.
This malware enables attackers to steal sensitive files, log keystrokes, and capture screenshots. Investigators also found that the campaign used a decryption key labeled “20260301@@@,” linking it to earlier operations targeting Turkey’s military in late December—indicating a shift in focus rather than entirely new tactics.
Beyond military-themed lures, attackers also targeted Qatar’s critical oil and gas infrastructure. A password-protected archive titled “Strike at Gulf oil and gas facilities.zip” was used to deliver malicious payloads. The content inside reportedly included low-quality, AI-generated material impersonating official Israeli sources to appear legitimate.
In a sophisticated twist, the attackers concealed malicious code within components of NVDA, a widely trusted accessibility tool. This approach helps evade detection by security systems.
The ultimate objective was to deploy Cobalt Strike—a legitimate tool often used by cybersecurity professionals, but frequently abused by threat actors to map networks and facilitate deeper intrusions.
According to researchers, these intrusions “highlight how rapidly China-nexus espionage actors can pivot” in response to global developments. By blending malicious activity with fast-moving crisis communications, attackers aim to operate undetected while collecting strategic intelligence.
China-linked groups are not the only actors exploiting the current geopolitical climate. Another hacking group, MuddyWater, has also been observed targeting U.S. and Israeli entities using a newly identified malware strain known as DinDoor, further intensifying the cyber threat environment surrounding the conflict.
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
Read the original article: