Chinese cyber threat actors have rapidly shifted their focus to target entities in Qatar following the escalation of conflict between the US/Israel and Iran. At least two separate attacks, attributed to China-nexus groups like Camaro Dragon, used conflict-related email lures to deploy malware such as PlugX and Cobalt Strike. These incidents demonstrate how quickly these espionage actors can pivot their regional targeting in response to geopolitical events, using current conflicts as bait to increase the effectiveness of their campaigns.
Chinese Nexus Actors Shift Focus to Qatar Amid Iranian Conflict
Two attacks on Qatari entities signal a shift in focus for China-backed actors and demonstrate how quickly they can pivot in response to geopolitical events.
Chinese-nexus threat actors attacked targets in Qatar in the days after the first US-Israeli strike in Iran, signalling a shift in regional strategy for China-backed advanced persistent threat (APT) groups as they pivot in response to geopolitical events.
The threat actor Camaro Dragon aimed to deploy a variant of PlugX malware against various Qatari entities using lures associated with the conflict within one day of the launch of the so-called Operation Epic Fury" offensive, Check Point Software revealed in a blog post this week. A separate attack on a Qatari target also aimed to deploy the penetration testing tool Cobalt Strike via DLL hijacking, a technique also associated with China-nexus groups.
Chinese threat actors typically don't target the Gulf region as much as other parts of the Middle East, demonstrating a shift in targeting in the wake of the current war against Iran, according to Check Point. The ongoing conflict quickly spread to other Middle Eastern countries such as Qatar, United Arab Emirates, and Bahrain, where the US has military bases against which Iran has retaliated.
"In the immediate aftermath of the escalation in the Middle East, Check Point Research observed at least two separate threat actors targeting entities in Qatar using conflict-related lures tailored to blend into the region's fast-moving communications environment," the blog post stated. "Taken together, these intrusions highlight how rapidly China-nexus espionage actors can pivot in response to geopolitical events."
Using the Iranian Conflict as Bait
Both attacks relied on content related to the Iranian conflict as lures for malicious emails, likely aiming "to blend into legitimate, fast-moving regional communications" and thus appear as legitimate, according to Check Point.
The attack attributed to Camaro Dragon delivered a malicious archive disguised as photos of attacks on American bases in Bahrain. When executed, an LNK file from the archive kicks off an "unusually long infection chain" that contacts a compromised server to retrieve the next-stage payload, according to Check Point.
Eventually the attack abused DLL hijacking of a legitimate Baidu NetDisk binary to deploy the PlugX backdoor, a modular malware associated with multiple Chinese-nexus threat actors since at least 2008. Recently, the FBI said it successfully deleted PlugX from thousands of devices globally as part of a cooperative effort; however, this recent use suggests it's still in play among threat actors.
As its name suggests, PlugX's architecture is plug-in-based, enabling remote access and a wide range of post-compromise functions, including file exfiltration, screen capture, keystroke logging, and remote command execution.
A separate campaign observed by Check Point targeted Qatari entities using a password-protected archive named "Strike at Gulf oil and gas facilities.zip" that was likely delivered via email. The archive eventually deploys Cobalt Strike as its final payload for network reconnaissance and other malicious activities, according to Check Point.
The campaign used low-quality AI-generated lures impersonating the Israeli government to deliver a previously unseen Rust-based loader that exploits DLL hijacking of nvdaHelperRemote.dll, a component of the open source screen reader NVDA.
"Abuse of this component has previously been observed in only a limited number of Chinese-nexus campaigns, including China-aligned activity associated with a campaign delivering Voldemort backdoor, as well a wave of attacks targeting the Philippines and Myanmar back in 2025," according to Check Point.
Chinese Actors Shift Focus
There has already been a flurry of cyber incidents since the US-Israel-led attack against Iran started about a week and a half ago, and security experts expect these will ramp up as conflict escalates, particularly in the US. Iran already launched a barrage of cyberattacks in the early days of the war as part of its response, and now other players with regional interests appear to be joining in on the cyber aspect of the conflict.
Indeed, the intrusions observed by Check Point highlight how quickly China-nexus actors can shift their targeting priorities and launch attacks on regions of the world that aren't typically on their radar, according to the post.
"The near-immediate focus on Qatar may reflect not only opportunistic intelligence collection tied to the regional crisis, but also a broader shift in collection priorities toward a state that sits at the intersection of several competing regional and global powers and interests," according to Check Point.
To defend against escalating cyberattacks, organizations should shore up existing security protections, including endpoint detection and response (EDR) systems, as well as ensure multifactor authentication (MFA) and other basic practices in place. To help defenders detect threat activity by China-nexus actors like Camaro Dragon and others, Check Point's blog post included indicators of compromise (IoCs) of the specific attacks on Qatari targets.
Meridiano
