
China-Linked Hackers Hit Qatar with Backdoor Disguised as War News
Why It Matters
The operation threatens Qatar’s critical energy infrastructure and shows how state‑linked hackers weaponize real‑time conflict narratives to breach high‑value networks, raising regional cyber‑security stakes.
Key Takeaways
- China-linked groups used war news lures against Qatar
- Malware hid in Baidu NetDisk via DLL hijacking
- PlugX backdoor enabled keystroke and screenshot theft
- Energy sector targeted with Rust loader hidden in NVDA
- Campaign shows rapid pivot of Chinese espionage actors
Pulse Analysis
The surge of cyber activity against Qatar coincides with heightened Middle‑East tensions, illustrating how state‑linked threat actors exploit real‑time crises to increase phishing success. Check Point Research identified a wave that began on 1 March, just after Operation Epic Fury, where attackers distributed files masquerading as urgent war‑zone photographs. By embedding malicious payloads in seemingly legitimate news assets, the groups leveraged the psychological pressure of conflict, a tactic that has become common among Chinese‑affiliated cyber espionage units seeking quick access to high‑value targets.
The technical chain starts with a ZIP or LNK lure that contacts a compromised server, then employs DLL hijacking against Baidu NetDisk to load the PlugX backdoor. PlugX provides file exfiltration, keylogging, and screen capture capabilities. A second vector targets Qatar’s oil and gas sector, using a password‑protected ZIP that drops a Rust‑written loader hidden inside the open‑source NVDA screen reader. The loader ultimately delivers Cobalt Strike, giving attackers full command‑and‑control and network‑mapping functions that are difficult for traditional AV solutions to detect.
These operations underline the strategic importance of Qatar’s energy infrastructure and the broader risk to regional supply chains. Organizations must adopt threat‑intelligence‑driven email filtering, enforce strict application whitelisting, and monitor for anomalous DLL loading patterns. The rapid pivot from Turkish military targets to Qatari civilian sectors demonstrates the agility of China‑linked espionage groups, prompting governments and enterprises to reassess incident‑response playbooks for crisis‑driven phishing campaigns.
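The analysis recommends monitoring for anomalous DLL loading patterns, which is the defender's counterpart to the DLL-hijacking step described above. The script below is an added example, not code from the original article or from Check Point Research: it scores Sysmon-style ImageLoad events (Event ID 7 fields Image, ImageLoaded and the signature flags) with the classic side-loading heuristic, namely an unsigned library loaded by a signed executable from a directory the executable shares, especially when that directory is user-writable. The event records, process names and paths are constructed for illustration and are not indicators from the campaign.

```python
"""Heuristic detection of DLL side-loading from Sysmon-style ImageLoad events.

Added example. Field names mirror Sysmon Event ID 7 (Image, ImageLoaded,
Signed / SignatureStatus) but every event below is constructed, not real
telemetry from the Qatar campaign.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories where a legitimately installed application keeps its libraries.
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Path fragments that indicate a location an ordinary user can write to.
USER_WRITABLE_HINTS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\downloads\\", "\\programdata\\")


@dataclass
class ImageLoad:
    image: str           # process that performed the load (Sysmon "Image")
    image_loaded: str    # DLL that was mapped (Sysmon "ImageLoaded")
    process_signed: bool # Authenticode status of the loading process
    dll_signed: bool     # Authenticode status of the loaded DLL


def is_system_path(path: str) -> bool:
    return path.lower().startswith(SYSTEM_DIRS)


def is_user_writable(path: str) -> bool:
    lowered = path.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def sideload_reasons(ev: ImageLoad) -> list:
    """Return the individual side-loading indicators present in one event."""
    reasons = []
    if is_system_path(ev.image_loaded):
        return reasons  # library lives in the OS / vendor install tree: treat as benign
    exe_dir = str(PureWindowsPath(ev.image).parent).lower()
    dll_dir = str(PureWindowsPath(ev.image_loaded).parent).lower()
    if ev.process_signed and not ev.dll_signed:
        reasons.append("unsigned DLL loaded by a signed process")
    if exe_dir == dll_dir:
        reasons.append("DLL sits in the same directory as the executable")
    if is_user_writable(ev.image):
        reasons.append("executable runs from a user-writable location")
    return reasons


def is_suspicious(ev: ImageLoad) -> bool:
    """Flag only when the signature mismatch is corroborated by a second indicator.

    A lone unsigned-next-to-signed load is common for plugins; a lone
    user-writable path is common for developer builds. Requiring both keeps
    the false-positive rate manageable.
    """
    reasons = sideload_reasons(ev)
    return "unsigned DLL loaded by a signed process" in reasons and len(reasons) >= 2


def scan(events) -> list:
    """Return (dll_path, reasons) for every event that trips the heuristic."""
    return [(ev.image_loaded, sideload_reasons(ev)) for ev in events if is_suspicious(ev)]


# Constructed sample telemetry (hypothetical process and DLL names).
SAMPLE_EVENTS = [
    # 1. A signed application copied into a lure folder loads an unsigned DLL
    #    that sits beside it: the side-loading pattern.
    ImageLoad(r"C:\Users\alice\Downloads\photos_war_zone\trusted_app.exe",
              r"C:\Users\alice\Downloads\photos_war_zone\helper.dll",
              process_signed=True, dll_signed=False),
    # 2. Normal OS library load from System32.
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Windows\System32\kernel32.dll",
              process_signed=True, dll_signed=True),
    # 3. Vendor plugin loaded from the vendor's own install directory.
    ImageLoad(r"C:\Program Files\Vendor\app.exe",
              r"C:\Program Files\Vendor\plugin.dll",
              process_signed=True, dll_signed=True),
    # 4. Unsigned developer build loading its own unsigned library: noisy but
    #    not the signed-host-plus-rogue-DLL pattern, so it is not flagged.
    ImageLoad(r"C:\Users\bob\dev\build\tool.exe",
              r"C:\Users\bob\dev\build\lib.dll",
              process_signed=False, dll_signed=False),
]

if __name__ == "__main__":
    for dll, reasons in scan(SAMPLE_EVENTS):
        print(f"ALERT {dll}")
        for r in reasons:
            print(f"  - {r}")
```

In production the same logic would run over the Sysmon event stream rather than an in-memory list, and the `SYSTEM_DIRS` allow-list should be extended with the organisation's approved install locations so that legitimately deployed software is not flagged.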