One day after fresh hostilities broke out in the Middle East on March 1, 2026, Camaro Dragon, an advanced persistent threat group with ties to China, began a targeted cyberespionage campaign against organizations in Qatar. Using war-themed lure documents that posed as urgent, real-world communications connected to Operation Epic Fury, the group tricked recipients into opening malicious files that silently installed the PlugX backdoor on their computers. This campaign's timing was remarkable.
Within 24 hours of the regional escalation, the threat actors had prepared and deployed well-crafted phishing archives that imitated authentic conflict-related content, blending in with the deluge of communications that circulates during significant geopolitical events.
This speed demonstrates how quickly Chinese-nexus APT groups can change course when something noteworthy happens, using breaking news as a weapon. Security teams are strongly advised to monitor for DLL hijacking (side-loading) that abuses trusted third-party applications, to block the known malicious indicators, namely the IPs 185.219.220.73 and 91.193.17.117 and the domain almersalstore[.]com, and to update endpoint detection tools so they can identify Cobalt Strike beacon activity and PlugX variants on their networks.