Researchers have observed a sharp increase in Chinese-nexus APT operations rapidly pivoting to exploit regional instability, with a clear, near-immediate focus on Qatar following recent escalations. Notably, Camaro Dragon deployed a PlugX variant one day after Operation Epic Fury began, delivered through a ZIP→LNK→DLL hijack chain, and a separate campaign used a Rust-based loader to hijack nvdaHelperRemote.dll and deliver Cobalt Strike. #CamaroDragon #PlugX
Key points
- Chinese-nexus APTs have sharply increased activity targeting Qatar after regional conflict escalations.
- Camaro Dragon (also linked to Earth Preta and Mustang Panda) deployed a PlugX variant one day after Operation Epic Fury began.
- Initial infections used ZIP archives with malicious LNK files that download next-stage payloads from compromised servers.
- A separate campaign used a Rust-based loader to hijack (sideload) nvdaHelperRemote.dll and deliver Cobalt Strike for post-exploitation.
- TTPs and C2 infrastructure indicate China-aligned patterns and a broader, sustained focus on Middle East targets.
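The nvdaHelperRemote.dll hijack described above follows the classic search-order sideloading pattern: a legitimate host executable is dropped into a user-writable folder beside a malicious DLL carrying the name it expects to load. The following detection logic is an added example, not code from the report or from any vendor product. It runs over constructed image-load records shaped like Sysmon Event ID 7 exports; the field names, the allowlist of NVDA install roots, and the sample paths are assumptions for the demo, and the only indicator taken from the report is the DLL name itself.

```python
"""Flag likely sideloading of nvdaHelperRemote.dll in image-load telemetry.

Added example (not part of the original report). Event records are
constructed to resemble Sysmon Event ID 7 (ImageLoad) exports; the field
names, the allowlist of NVDA install directories and the sample paths are
assumptions for this demo.
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# DLL names the report associates with sideloading (matched case-insensitively).
WATCHED_DLLS = {"nvdahelperremote.dll"}

# Assumed legitimate install roots for the NVDA screen reader (demo allowlist).
ALLOWED_ROOTS = (
    r"c:\program files\nvda",
    r"c:\program files (x86)\nvda",
)

# Directories a standard user can write to; a host binary living here is suspicious.
USER_WRITABLE_MARKERS = (r"\appdata\local\temp", r"\downloads", r"\users\public")

CO_LOCATED = "DLL co-located with host executable"


def _norm(path: str) -> str:
    """Normalise a Windows path for comparison (separators, '..', case)."""
    return ntpath.normpath(path).lower()


def _under(path: str, roots: Iterable[str]) -> bool:
    """True if path is one of the roots or lies below one of them."""
    n = _norm(path)
    return any(n == r or n.startswith(r + "\\") for r in roots)


def score_event(ev: dict) -> dict | None:
    """Return a finding for one ImageLoad event, or None if it looks benign.

    Heuristics, all derived from the sideloading pattern in the report:
      1. a watched DLL name loaded from outside its allowed install roots;
      2. the DLL sits beside the loading executable (search-order abuse);
      3. the DLL is unsigned while the host executable is signed;
      4. the host executable runs from a user-writable directory.
    Co-location alone is expected for a real NVDA install, so it only
    raises a finding together with at least one of the other signals.
    """
    if ev.get("EventID") != 7:
        return None
    dll = ev["ImageLoaded"]
    if ntpath.basename(dll).lower() not in WATCHED_DLLS:
        return None
    host = ev["Image"]
    reasons = []
    if not _under(dll, ALLOWED_ROOTS):
        reasons.append("watched DLL loaded outside allowed install roots")
    if _norm(ntpath.dirname(dll)) == _norm(ntpath.dirname(host)):
        reasons.append(CO_LOCATED)
    if ev.get("HostSigned") and not ev.get("DllSigned"):
        reasons.append("signed host loading unsigned DLL")
    if any(marker in _norm(host) for marker in USER_WRITABLE_MARKERS):
        reasons.append("host executable in user-writable directory")
    strong = [r for r in reasons if r != CO_LOCATED]
    if not strong:
        return None
    severity = "high" if len(strong) >= 2 else "medium"
    return {"host": host, "dll": dll, "severity": severity, "reasons": reasons}


def scan(events: Iterable[dict]) -> list[dict]:
    """Apply score_event to every record and keep the findings."""
    return [f for f in (score_event(e) for e in events) if f]


# Constructed sample telemetry: one legitimate NVDA load, one sideload, one unrelated load.
SAMPLE_EVENTS = [
    {"EventID": 7,
     "Image": r"C:\Program Files (x86)\NVDA\nvda.exe",
     "ImageLoaded": r"C:\Program Files (x86)\NVDA\nvdaHelperRemote.dll",
     "HostSigned": True, "DllSigned": True},
    {"EventID": 7,
     "Image": r"C:\Users\alice\AppData\Local\Temp\extracted\nvda.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\extracted\nvdaHelperRemote.dll",
     "HostSigned": True, "DllSigned": False},
    {"EventID": 7,
     "Image": r"C:\Windows\explorer.exe",
     "ImageLoaded": r"C:\Windows\System32\shell32.dll",
     "HostSigned": True, "DllSigned": True},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding["severity"], finding["host"], "->", "; ".join(finding["reasons"]))
```

Only the second record is reported, at high severity, because it trips three independent signals (outside the install roots, unsigned DLL beside a signed host, host in a Temp directory). Extending WATCHED_DLLS with other sideload-prone names from your own inventory turns the same routine into a general search-order-hijack detector; the allowlist is what keeps it quiet on legitimate installs.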