China-nexus Threat Actor Targets Persian Gulf Region With PlugX

MITRE Techniques

• [T1587.001 ] Develop Capabilities: Malware – The actor developed custom PlugX loaders. (‘The threat actor developed custom PlugX loaders.’)
• [T1588.001 ] Resource Development: Obtain Capabilities, Malware – Use of the PlugX backdoor, commonly used by China-nexus actors. (‘The threat actor used the PlugX backdoor, a known backdoor commonly used by China-nexus threat actors.’)
• [T1608.001 ] Resource Development: Stage Capabilities: Upload Malware – Staged a malicious CHM on a threat-actor controlled server for delivery. (‘The threat actor staged a malicious CHM file on a threat actor-controlled server.’)
• [T1566 ] Initial Access: Phishing – Phished users with an archive containing a lure about Iranian missile strikes. (‘phished users in the GCC region with an archive containing a lure referencing Iranian missile strikes against a US base in Bahrain.’)
• [T1204.002 ] Execution: User Execution: Malicious File – Execution initiated when victim opened photo_2026-03-01_01-20-48.pdf.lnk. (‘the attack chain is initiated when a victim opens a malicious LNK file named photo_2026-03-01_01-20-48.pdf.lnk’)
• [T1059.003 ] Execution: Command and Scripting Interpreter: Windows Command Shell – LNK target uses cURL to download the CHM and extracts it. (‘The LNK’s target command line uses cURL to download a malicious CHM file…’)
• [T1106 ] Execution: Native API – Loader calls VirtualAlloc and SystemFunction033 (RC4) for shellcode decryption and memory allocation. (‘ShellFolderDepend.dll calls VirtualAlloc for shellcode and SystemFunction033 for RC4 decryption.’)
• [T1547.001 ] Persistence: Registry Run Keys / Startup Folder – ShellFolderDepend.dll adds a Run key (BaiNetdisk) to persist ShellFolder.exe. (‘the DLL uses reg.exe to set a Run entry… BaiNetdisk’)
• [T1543.003 ] Persistence: Create or Modify System Process: Windows Service – PlugX configured to run as “Microsoft Desktop Dialog Broker” service. (‘The PlugX backdoor payload is configured to operate as a Windows service (“Microsoft Desktop Dialog Broker”).’)
• [T1548.002 ] Privilege Escalation: Abuse Elevation Control Mechanism: Bypass User Account Control – PlugX contains code to abuse Fodhelper UAC bypass techniques. (‘PlugX contains code to abuse the Fodhelper UAC bypass technique to gain elevated privileges.’)
• [T1036.007 ] Defense Evasion: Masquerading: Double File Extension – Shortcut named to appear as a PDF (.pdf.lnk). (‘The shortcut file was named photo_2026-03-01_01-20-48.pdf.lnk to appear as a benign PDF.’)
• [T1036.005 ] Defense Evasion: Masquerading: Match Legitimate Resource Name or Location – Components extracted into %AppData%BaiduNetdisk to mimic legitimate app. (‘The malicious LNK extracts components into %AppData%BaiduNetdisk to mimic a legitimate cloud storage application.’)
• [T1140 ] Defense Evasion: Deobfuscate/Decode Files or Information – Shellcode and components decrypt and decompress payloads in multiple stages (RC4, XOR, LZNT1). (‘Decrypts shellcode using RC4, decrypts API names via XOR, decompresses payloads using LZNT1, and decrypts configurations in multiple stages.’)
• [T1036.004 ] Defense Evasion: Masquerade Task or Service – Malicious service names mimic legitimate Microsoft services. (‘PlugX uses service names like “Microsoft Desktop Dialog Broker” to mimic legitimate Microsoft services.’)
• [T1218.001 ] Defense Evasion: System Binary Proxy Execution: Compiled HTML File – Used hh.exe to extract CHM contents and conceal components. (‘The hh.exe file was used to conceal malicious components.’)
• [T1620 ] Defense Evasion: Reflective Code Loading – PlugX DLL loaded reflectively into memory without writing to disk. (‘Loads the PlugX DLL directly into memory without writing it to disk.’)
• [T1574.001 ] Defense Evasion: Hijack Execution Flow: DLL – DLL sideloading used to load ShellFolderDepend.dll via ShellFolder.exe. (‘Uses DLL sideloading to load ShellFolderDepend.dll via ShellFolder.exe.’)
• [T1027 ] Defense Evasion: Obfuscated Files or Information – Extensive obfuscation used, including CFF and MBA across components. (‘The malware used in this attack utilized various code obfuscation techniques like CFF and MBA.’)
• [T1027.002 ] Defense Evasion: Software Packing – Shellcode functions as a packer, decrypting and decompressing the backdoor at runtime. (‘The shellcode acts as a packer, decrypting and decompressing the final backdoor at runtime.’)
• [T1027.007 ] Defense Evasion: Dynamic API Resolution – API names stored encrypted and resolved at runtime via XOR routines. (‘All API names are stored encrypted in the shellcode and are decrypted at runtime using an index-based XOR decryption algorithm.’)
• [T1027.009 ] Defense Evasion: Embedded Payloads – Final backdoor embedded within shellcode; CHM contained embedded TAR with components. (‘The final backdoor is embedded in shellcode. The CHM file contains an embedded TAR archive with malicious components.’)
• [T1027.013 ] Defense Evasion: Encrypted/Encoded File – RC4 and custom PRNG algorithms used to encrypt shellcode, configs, and files. (‘The malwares used in this attack utilized RC4 and custom PRNG algorithms to encrypt files, shellcode, and configurations.’)
• [T1027.015 ] Defense Evasion: Compression – Uses LZNT1 (RtlDecompressBuffer) to decompress the next-stage payload. (‘The loader uses LZNT1 compression for the next-stage payload.’)
• [T1027.016 ] Defense Evasion: Junk Code Insertion – MBA and junk operations inserted to obscure logic. (‘The malware used MBA, inserting useless junk operations to obscure program logic.’)
• [T1082 ] Discovery: System Information Discovery – PlugX supports a System Fingerprint command to gather OS and hardware details. (‘PlugX supports a System Fingerprint command to gather operating system and hardware details.’)
• [T1518.001 ] Discovery: Software Discovery: Security Software Discovery – Loader checks for Bitdefender Agent (bdagent.exe) to choose persistence method. (‘Specifically checks for the presence of Bitdefender Agent (bdagent.exe).’)
• [T1083 ] Discovery: File and Directory Discovery – Searches for files with targeted extensions and includes a Disk plugin. (‘Searches for specific extensions (*.doc*, *.pdf*, etc.) and uses a Disk plugin.’)
• [T1071.001 ] Command and Control: Application Layer Protocol: Web Protocols – PlugX uses HTTPS for C2 communication on port 443. (‘PlugX establishes C2 communication via HTTPS on port 443.’)
• [T1572 ] Command and Control: Protocol Tunneling – Supports DNS-over-HTTPS (DOH) for domain resolution using dns.google. (‘DOH for domain resolution using https://dns.google/dns-query’)
• [T1090.001 ] Command and Control: Proxy: Internal Proxy – PlugX can proxy/relay C2 traffic between instances (Command ID 10). (‘PlugX has the capability to relay C2 traffic between PlugX instances (Command ID 10).’)
• [T1573.001 ] Command and Control: Encrypted Channel: Symmetric Cryptography – Uses RC4 with static key to encrypt C2 traffic. (‘PlugX uses RC4 with a static key (VD*1^N1OCLtAGM$U) to encrypt C2 traffic.’)
• [T1573.002 ] Command and Control: Encrypted Channel: Asymmetric Cryptography – Components use SSL/TLS within HTTPS for secure exchange. (‘Various components in the attack chain use SSL/TLS within HTTPS for secure key exchange.’)
• [T1095 ] Command and Control: Non-Application Layer Protocol – PlugX supports TCP and UDP for C2 communications. (‘PlugX supports TCP and UDP for C2 communications.’)
• [T1105 ] Command and Control: Ingress Tool Transfer – LNK uses cURL to download the malicious CHM from a remote URL. (‘The LNK file uses cURL to download a malicious CHM file from a remote URL.’)