China-nexus Threat Actor Targets Persian Gulf Region With PlugX

    Date: 03/16/2026

    Severity: High

    Summary

    In March 2026, the team identified activity by a China-nexus threat actor targeting countries in the Persian Gulf region. The campaign used a multi-stage attack chain to deploy a PlugX backdoor variant on compromised systems. Both the shellcode and PlugX backdoor employed obfuscation techniques to hinder reverse engineering. These techniques included control flow flattening (CFF) and mixed boolean arithmetic (MBA). The PlugX variant also supports HTTPS for C2 communication and DNS-over-HTTPS (DoH) for domain resolution.

    Indicators of Compromise (IOC) List

    Domains/URLs:

    https://www.360printsol.com/2026/alfadhalah/thumbnail?img=index.png

    IP Address:

    91.193.17.117

    Hashes (MD5, SHA-1 and SHA-256 of the delivered samples; the full set is carried in Detection Queries 3, 4 and 5 below):


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "www.360printsol.com" or url like "https://www.360printsol.com/2026/alfadhalah/thumbnail?img=index.png" or siteurl like "https://www.360printsol.com/2026/alfadhalah/thumbnail?img=index.png"

    Detection Query 2:

    dstipaddress IN ("91.193.17.117") or srcipaddress IN ("91.193.17.117")

    Detection Query 3:

    md5hash IN ("eb27bbc29b36ae9c66970654925d8c3b","20eb9f216a1177ee539a012e6301a93e","b92e4615bb8026a593f0a72451285140","da91acba97f7d2935149d80142df8ec9","a158f22a6bf5e3678a499c3a2b039b16","4f6ea828ab0456539cf7d79af90acf87","bf298f5b0ea62640f538922b32b8c3ed","93a98995ebfd672793b3413606211fa3","43622a9b16021a5fb053e89ea5cb2c4c")

    Detection Query 4:

    sha1hash IN ("43c36b06573aeadabb55fd46c55a68c41a16ecc7","e3dc5ef72a9d08790f2f21726fa270b77dea3803","e15c3ff555a30dff5b66333492eed43e07ec72a1","ec955e2b6874159c63578d6bb85fe67117d45508","a5e42ac01e59d61c582e696edfde76452e35a43c","31817d5baa9cc6ff22c172652ef312b7300c18a2","2d70a3f331278b490361d3f7274082f69184209d","537044b0c8930522aa1bbbf6220077b36abcdf54","bdf4b77508c9295a2e70736ee6d689722f67802e")

    Detection Query 5:

    sha256hash IN ("fa3a1153018ac1e1a35a65e445a2bad33eac582c225cf6c38d0886802481cd43","733a0a0ead4fc38173d7e30c7f2e14442ede32507e8adcbb8d3bd719fd2079d0","10df3c46624c416f44764d7903b8079bc797c967284afc5bc333eeba0fdbba18","e50a4069e173256498e9e801b8f0dcda5a217290869300055ad8a854d4ea210c","5adae26409c6576f95270ce9ca3877df3ee60849c18540fd92c0c9c974ba2f6d","c78eb1cecef5f865b6d150adcf67fa5712c5a16b94f1618c32191e61fbe69590","1ddbed0328a60bb4f725b4ef798d5d14f29c04f7ffe9a7a6940cacb557119a1c","014192c07267294116115d867b1dd48d851f0fa4c011cd96e4c5a5f81a6d1de3","ef7a813124fd19d11bb5d944cb95779f5fe09ff5a18c26399002759d4b0d66e7")
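    As an added example, not part of this advisory or of Gurucul's tooling: a small Python matcher that applies the IOCs above to constructed log events using the same field names as the detection queries. It compares hashes case-insensitively (the values on this page were copied in mixed case) and matches the domainname field on the host of the C2 URL rather than on the full URL; the sample events are constructed, not real telemetry.

```python
from urllib.parse import urlparse

# IOCs taken from the advisory above. Hashes are normalised to lowercase so a
# match does not depend on the case in which the values were copied.
IOC_URLS = {"https://www.360printsol.com/2026/alfadhalah/thumbnail?img=index.png"}
IOC_IPS = {"91.193.17.117"}
IOC_HASHES = {h.lower() for h in (
    "Eb27bbc29b36ae9c66970654925d8c3b",                                   # MD5
    "43c36b06573aeadabb55fd46c55a68c41a16ecc7",                           # SHA-1
    "fa3a1153018ac1e1a35a65e445a2bad33eac582c225cf6c38d0886802481cd43",   # SHA-256
)}
# The domainname field carries only the host, so derive it from the URL.
IOC_HOSTS = {urlparse(u).hostname for u in IOC_URLS}


def match_event(event: dict) -> list:
    """Return the names of the event fields that hit an IOC.

    `event` is a flat dict keyed by the field names the queries use:
    url/siteurl, domainname, srcipaddress, dstipaddress, md5hash, sha1hash, sha256hash.
    """
    hits = []
    url = event.get("url") or event.get("siteurl")
    if url and url in IOC_URLS:
        hits.append("url")
    host = event.get("domainname")
    if host and host.lower() in IOC_HOSTS:
        hits.append("domainname")
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append(field)
    for field in ("md5hash", "sha1hash", "sha256hash"):
        value = event.get(field)
        if value and value.lower() in IOC_HASHES:
            hits.append(field)
    return hits


def scan(events) -> list:
    """Run match_event over a batch; return (source, hits) for events that matched."""
    results = []
    for event in events:
        hits = match_event(event)
        if hits:
            results.append((event["source"], hits))
    return results


# Constructed sample events. Because this PlugX variant resolves its C2 over
# DoH, the lookup does not surface in DNS-server logs; proxy/URL and flow
# records are where the indicators are actually visible.
SAMPLE_EVENTS = [
    {"source": "proxy", "url": "https://www.360printsol.com/2026/alfadhalah/thumbnail?img=index.png"},
    {"source": "proxy", "domainname": "WWW.360printsol.com"},
    {"source": "netflow", "srcipaddress": "10.0.0.5", "dstipaddress": "91.193.17.117"},
    {"source": "edr", "md5hash": "EB27BBC29B36AE9C66970654925D8C3B"},
    {"source": "dns", "domainname": "www.example.org"},
]
```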

    Reference:

    https://www.zscaler.com/blogs/security-research/china-nexus-threat-actor-targets-persian-gulf-region-plugx#introduction

    Tags

    Malware, Threat Actor, China-Nexus, PlugX, Backdoor, Gulf
