
China-Linked Hackers Hit Qatar with Backdoor Disguised as War News

HackRead, 10/03/2026, 17:33

Summary (AI-generated)

Key Points:

  • China-linked hackers, specifically the Camaro Dragon group, are targeting Qatar using malware disguised as news about regional conflicts.
  • The attacks primarily affect Qatar's energy and military sectors, leveraging social engineering tactics to increase the likelihood of user engagement with malicious files.
  • Recommended actions include monitoring for suspicious file downloads, implementing robust email filtering, and educating users about the risks of clicking on unexpected news-related content.

Technical Details: The attackers utilize PlugX and Cobalt Strike malware, employing DLL hijacking techniques to hide malicious payloads within legitimate applications like Baidu NetDisk. The campaign began on March 1, 2026, coinciding with heightened regional tensions.

MITRE ATT&CK Techniques:

  • T1566.001 - Phishing: Spearphishing Attachment (Initial Access)
  • T1071.001 - Application Layer Protocol: Web Protocols (Command and Control)
  • T1203 - User Execution (Execution)
  • T1218.011 - Signed Binary Proxy Execution: DLL Search Order Hijacking (Execution)

IOCs Mentioned:

  • File names: "The destruction caused by an Iranian missile strike around the US base in Bahrain", "Strike at Gulf oil and gas facilities.zip"
  • Malware families: PlugX, Cobalt Strike
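As an added example (not code from the article or from HackRead), a small Python detector for the two patterns the summary describes, run over constructed file-creation events: a download whose name matches one of the quoted lure file names, and a DLL written beside an executable in a user-writable folder, the staging pattern behind DLL search-order hijacking. The event format, user names and the executable/DLL names below are assumptions made for this example; only the lure names come from the page.

```python
"""Lure-name and DLL-sideload staging detector (added example, not the article's code).
Event format and every path, user and binary name here are constructed assumptions."""
import re
from pathlib import PureWindowsPath

# Lure file names quoted in the summary; the page gives no hashes, so we match on names only.
LURE_NAMES = {
    "The destruction caused by an Iranian missile strike around the US base in Bahrain",
    "Strike at Gulf oil and gas facilities.zip",
}
# Folders where a freshly written EXE + DLL pair is a classic sideloading staging area.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\")

# Assumed EDR-style line: "<ts> FILE_CREATE user=<name> path="<windows path>""
EVENT_RE = re.compile(r'^(?P<ts>\S+) FILE_CREATE user=(?P<user>\S+) path="(?P<path>[^"]+)"$')

def parse(line):
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def detect(lines):
    """Return (alert_type, detail) tuples for lure-name hits and DLLs dropped next to an EXE."""
    alerts, exes_by_dir = [], {}
    for ev in filter(None, map(parse, lines)):
        p = PureWindowsPath(ev["path"])
        ext, folder = p.suffix.lower(), str(p.parent).lower()
        # Match with or without the archive extension, since one quoted name lacks one.
        if p.name in LURE_NAMES or p.stem in LURE_NAMES:
            alerts.append(("lure_filename", ev["path"]))
        if not any(tok in folder + "\\" for tok in USER_WRITABLE):
            continue  # binaries landing in program directories are out of scope here
        if ext == ".exe":
            exes_by_dir.setdefault(folder, []).append(p.name)
        elif ext == ".dll" and folder in exes_by_dir:
            alerts.append(("possible_dll_sideload", f"{p.name} beside {exes_by_dir[folder][-1]}"))
    return alerts

# Constructed sample events: one lure download, an extracted EXE/DLL pair, and a benign install.
SAMPLE_EVENTS = [
    '2026-03-02T09:14:03Z FILE_CREATE user=alice path="C:\\Users\\alice\\Downloads\\Strike at Gulf oil and gas facilities.zip"',
    '2026-03-02T09:14:40Z FILE_CREATE user=alice path="C:\\Users\\alice\\Downloads\\Strike at Gulf oil and gas facilities\\netdisk_app.exe"',
    '2026-03-02T09:14:41Z FILE_CREATE user=alice path="C:\\Users\\alice\\Downloads\\Strike at Gulf oil and gas facilities\\helper.dll"',
    '2026-03-02T10:02:11Z FILE_CREATE user=bob path="C:\\Program Files\\Vendor\\vendor.exe"',
    '2026-03-02T10:02:12Z FILE_CREATE user=bob path="C:\\Program Files\\Vendor\\vendor.dll"',
]

if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_EVENTS):
        print(kind, "->", detail)
```

The pairing heuristic is deliberately narrow (same folder, user-writable, EXE before DLL); in production it would be joined with signer checks on the EXE and image-load telemetry for the DLL.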
