Weaponizing Conflict: ThreatLabz Exposes Mustang Panda’s Rapid PlugX Campaign in the Middle East

ThreatLabz uncovered a rapid campaign, launched on March 1, 2026, by a China-nexus actor that weaponized renewed Middle East conflict to deliver Arabic-language missile-attack lures and multi-stage Windows LNK/CHM droppers. The operation deploys an evolved PlugX backdoor that uses advanced CFF and MBA obfuscation with HTTPS and DoH communications, and it bears technical fingerprints linking it to Mustang Panda. #PlugX #MustangPanda

Key points

  • Campaign launched within 24 hours of renewed Middle East conflict, targeting Persian Gulf countries.
  • Attackers used Arabic-language document lures depicting missile attacks for timely social engineering.
  • Initial infection relied on Windows LNK or CHM droppers that deliver heavily obfuscated shellcode.
  • The PlugX variant incorporates Control Flow Flattening and Mixed Boolean Arithmetic and uses HTTPS and DNS-over-HTTPS for stealthy C2.
  • ThreatLabz attributes the campaign to Mustang Panda based on the CFF implementation, the decryption routines, and the group's pattern of rapidly turning geopolitical events into lures; organizations should validate document origins and monitor for obfuscated payloads.
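The key points above mention Mixed Boolean Arithmetic (MBA) obfuscation in the PlugX variant. MBA rewrites plain arithmetic such as `x + y` into a mixture of bitwise and arithmetic operations that is hard to read but computes the same value. The following is an added example, not code from the ThreatLabz report or from the PlugX sample; it lists a few textbook MBA identities and an exhaustive equivalence check an analyst can use to confirm that a suspected rewrite truly equals its plain form (and to obtain a counterexample when it does not) before simplifying it during deobfuscation. The identity names, the 8-bit width, and the deliberately wrong candidate are choices made for this example.

```python
"""Textbook MBA identities and an exhaustive equivalence check.

Constructed example for illustration: the identities below are public,
well-known rewrites that hold for all fixed-width two's-complement integers.
An analyst simplifying obfuscated code can use check_all() / equivalent()
to prove that a suspected rewrite matches its plain form on every input
before replacing it.
"""

from itertools import product

# Operand width used for the exhaustive check (an 8-bit domain is small
# enough to enumerate every (x, y) pair: 65536 cases).
BITS = 8
MASK = (1 << BITS) - 1


def wrap(v):
    """Reduce an arbitrary Python int to the BITS-wide unsigned domain."""
    return v & MASK


# name -> (plain form, MBA-style rewrite). Both sides are evaluated modulo 2^BITS.
MBA_IDENTITIES = {
    "add_via_xor_and": (lambda x, y: x + y, lambda x, y: (x ^ y) + 2 * (x & y)),
    "add_via_or_and":  (lambda x, y: x + y, lambda x, y: (x | y) + (x & y)),
    "xor_via_or_and":  (lambda x, y: x ^ y, lambda x, y: (x | y) - (x & y)),
    "sub_via_not":     (lambda x, y: x - y, lambda x, y: x + wrap(~y) + 1),
    "and_via_add_or":  (lambda x, y: x & y, lambda x, y: (x + y) - (x | y)),
}

# A rewrite that *looks* like an MBA add but is wrong (missing the factor 2).
# Included to show that the exhaustive check rejects near-misses.
BOGUS_ADD = (lambda x, y: x + y, lambda x, y: (x ^ y) + (x & y))


def find_counterexample(f, g):
    """Return the first (x, y) pair on which f and g differ mod 2^BITS, or None."""
    for x, y in product(range(1 << BITS), repeat=2):
        if wrap(f(x, y)) != wrap(g(x, y)):
            return (x, y)
    return None


def equivalent(f, g):
    """True if f and g agree on every BITS-wide input pair."""
    return find_counterexample(f, g) is None


def check_all():
    """Verify every identity in MBA_IDENTITIES; returns {name: bool}."""
    return {name: equivalent(plain, mba) for name, (plain, mba) in MBA_IDENTITIES.items()}


if __name__ == "__main__":
    for name, ok in check_all().items():
        print(f"{name:18s} {'holds' if ok else 'FAILS'} for all {BITS}-bit inputs")
    bad = find_counterexample(*BOGUS_ADD)
    print(f"bogus add rewrite: counterexample at (x, y) = {bad}")
```

When a real sample is in front of you, the same check is applied to the candidate expression you lifted from the disassembly: if `equivalent()` returns True over the operand width the code actually uses, the MBA expression can be replaced by its plain form without changing behaviour; if it returns a counterexample, the lift was wrong and the expression needs another look.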

Read More: https://securityonline.info/weaponizing-conflict-mustang-panda-rapid-plugx-campaign-middle-east/