
Middle East Conflict Fuels Cyber Attacks | ThreatLabz

Threat actors are capitalizing on Middle East geopolitical tensions using over 8,000 newly registered domains to launch opportunistic cyber attacks. Campaigns include Mustang Panda deploying the LOTUSLITE backdoor via DLL sideloading, fake news sites distributing StealC malware, and various phishing/scam operations exhibiting Persian-language artifacts.

Sens: Immediate · Conf: high · Analyzed: 2026-03-06

Authors: THREATLABZ

Actors: Mustang Panda · LOTUSLITE · StealC · Iran-aligned threat actors

Source:Zscaler ThreatLabz

IOCs · 5

Key Takeaways

  • Threat actors are leveraging the Middle East conflict to distribute malware and conduct scams, registering over 8,000 themed domains.
  • Mustang Panda is utilizing conflict-themed lures to deploy the LOTUSLITE backdoor via DLL sideloading.
  • Fake news blogs are actively distributing StealC malware through password-protected ZIP archives.
  • Persian-language comments were found in the source code of fake US SSA and Israeli toll payment phishing sites, suggesting potential Iran-aligned operators.
  • Attackers are abusing legitimate tools like PDQConnect RMM and BaiduNetdisk/KuGou executables for persistence and execution.

Affected Systems

  • Windows OS
  • US Social Security Administration (SSA) users
  • Israeli Kvish 6 toll users

Attack Chain

Attackers use conflict-themed lures, such as ZIP archives containing malicious LNK files or renamed legitimate executables, to initiate the infection. These initial vectors download or extract secondary payloads, often employing DLL sideloading via vulnerable legitimate applications (e.g., BaiduNetdisk, KuGou). The sideloaded DLLs establish persistence via Registry Run keys, decrypt embedded shellcode, and download final-stage malware like the LOTUSLITE backdoor or StealC. In parallel, phishing and scam sites harvest credentials, financial data, or deploy legitimate RMM tools for unauthorized access.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article does not provide specific detection rules, but outlines behavioral indicators, file paths, and network IOCs suitable for custom rule creation.

Detection Engineering Assessment

  • EDR Visibility: High — EDR solutions can readily detect DLL sideloading, anomalous child processes from LNK files, and registry Run key modifications.
  • Network Visibility: Medium — Network monitoring can catch connections to known malicious domains and C2 IPs, but HTTPS/TLS encryption may obscure payload downloads without SSL inspection.
  • Detection Difficulty: Moderate — While DLL sideloading uses legitimate signed binaries to bypass basic AV, the specific file paths, registry keys, and network connections provide solid detection opportunities.

Required Log Sources

  • Sysmon Event ID 1 (Process Creation)
  • Sysmon Event ID 7 (Image Loaded)
  • Sysmon Event ID 11 (File Create)
  • Sysmon Event ID 12 (Registry Event)
  • Sysmon Event ID 13 (Registry Event)

Hunting Hypotheses

  • Hypothesis: Look for legitimate executables (like KuGou or BaiduNetdisk components) executing from unusual directories such as C:\ProgramData\CClipboardCm\ or %AppData% and loading unsigned DLLs. | Telemetry: EDR process and image load events (Sysmon Event ID 1, 7). | ATT&CK Stage: Execution | FP Risk: Low
  • Hypothesis: Search for registry modifications to HKCU\Software\Microsoft\Windows\CurrentVersion\Run containing suspicious values like 'BaiNetdisk', 'ACboardCm', or 'ASEdge'. | Telemetry: EDR registry events (Sysmon Event ID 12, 13). | ATT&CK Stage: Persistence | FP Risk: Low
  • Hypothesis: Monitor for the execution of reg.exe adding Run keys via command line, especially when initiated by unusual parent processes or from binaries in C:\ProgramData. | Telemetry: EDR process creation events (Sysmon Event ID 1). | ATT&CK Stage: Persistence | FP Risk: Medium

Control Gaps

  • Lack of SSL/TLS inspection allowing encrypted payload downloads.
  • Permissive execution policies allowing binaries to run from C:\ProgramData.

Key Behavioral Indicators

  • Execution of WebFeatures.exe with '-Edge' argument.
  • Creation of C:\ProgramData\CClipboardCm\ directory.
  • LNK files executing hh.exe with '-decompile'.
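To make the hunting hypotheses and behavioral indicators above concrete, here is an added Python example (not code from the Zscaler report or this page) that evaluates Sysmon-style events against them. The event records are constructed samples; the field names (Image, ImageLoaded, Signed, TargetObject, TargetFilename) follow Sysmon's schema, and the paths, DLL names and Run value names are the ones listed on this page.

```python
# Constants come from the report's hunting hypotheses and IOC list; the events
# at the bottom are constructed Sysmon-style samples, not captured telemetry.
SUSPECT_DIRS = ("c:\\programdata\\cclipboardcm\\", "c:\\programdata\\webfeatures\\",
                "\\appdata\\roaming\\baidunetdisk\\")
SUSPECT_DLLS = {"kugou.dll", "libmemobook.dll", "shellfolderdepend.dll"}
RUN_KEY_TAIL = "\\software\\microsoft\\windows\\currentversion\\run\\"
RUN_VALUES = {"bainetdisk", "acboardcm", "asedge"}
def _base(path):  # lower-cased last path component (file or registry value name)
    return path.lower().rsplit("\\", 1)[-1]
def _suspect_dir(path):
    return any(d in path.lower() for d in SUSPECT_DIRS)

def evaluate(ev):
    """Return the hunting hypotheses one event satisfies (empty list = no hit)."""
    hits, eid = [], ev.get("EventID")
    image, cmd = ev.get("Image", ""), ev.get("CommandLine", "").lower()
    if eid == 1:  # process creation
        if _suspect_dir(image):
            hits.append("exec-from-suspect-dir")
        if _base(image) == "webfeatures.exe" and "-edge" in cmd.split():
            hits.append("webfeatures-edge")
        if _base(image) == "hh.exe" and "-decompile" in cmd:
            hits.append("hh-decompile")
        if _base(image) == "reg.exe" and " add " in cmd and "currentversion\\run" in cmd:
            hits.append("reg-add-runkey")
    elif eid == 7:  # image load: known bad DLL name, or unsigned DLL into a dropped host exe
        dll = ev.get("ImageLoaded", "")
        if _base(dll) in SUSPECT_DLLS or (_suspect_dir(image) and ev.get("Signed") == "false"):
            hits.append("sideload-dll")
    elif eid == 11 and _suspect_dir(ev.get("TargetFilename", "")):  # file create
        hits.append("drop-in-suspect-dir")
    elif eid in (12, 13):  # registry event; hive prefix ignored (Sysmon logs HKU\<SID>\...)
        target = ev.get("TargetObject", "").lower()
        if RUN_KEY_TAIL in target and _base(target) in RUN_VALUES:
            hits.append("runkey-persistence")
    return hits
def hunt(events):
    """Return (index, hits) for every event that triggers at least one hypothesis."""
    return [(i, h) for i, ev in enumerate(events) if (h := evaluate(ev))]

SAMPLE_EVENTS = [  # constructed samples; a benign Chrome launch is included as a negative
    {"EventID": 1, "Image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "CommandLine": "chrome.exe"},
    {"EventID": 1, "Image": "C:\\ProgramData\\CClipboardCm\\WebFeatures.exe", "CommandLine": "WebFeatures.exe -Edge"},
    {"EventID": 7, "Image": "C:\\ProgramData\\CClipboardCm\\WebFeatures.exe",
     "ImageLoaded": "C:\\ProgramData\\CClipboardCm\\kugou.dll", "Signed": "false"},
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ASEdge"},
    {"EventID": 1, "Image": "C:\\Windows\\hh.exe", "CommandLine": "hh.exe -decompile C:\\Temp\\out C:\\Temp\\help.chm"},
]
print(hunt(SAMPLE_EVENTS))
```

The unsigned-DLL clause in the image-load branch is what catches a renamed host executable loading a DLL whose name is not yet on the list, which is why it is paired with the dropped-directory check rather than used on its own.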

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Block access to the identified C2 IP (172.81.60.97) and malicious domains.
  • Search endpoints for the presence of C:\ProgramData\CClipboardCm\ and C:\ProgramData\WebFeatures\ directories.
  • Isolate any systems found communicating with the known IOCs or hosting the malicious DLLs.

Infrastructure Hardening

  • Implement inline traffic inspection with SSL decryption to block malicious downloads.
  • Restrict execution of binaries from user-writable directories like C:\ProgramData\ and %AppData% using AppLocker or WDAC.

User Protection

  • Deploy EDR solutions configured to detect and block DLL sideloading and suspicious registry modifications.
  • Enforce Multi-Factor Authentication (MFA) to prevent unauthorized access from stolen credentials.

Security Awareness

  • Train employees to recognize phishing lures related to geopolitical events and breaking news.
  • Educate users on the risks of opening unexpected ZIP or LNK files, even if they appear to contain PDFs.

MITRE ATT&CK Mapping

  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1140 - Deobfuscate/Decode Files or Information
  • T1055 - Process Injection
  • T1219 - Remote Access Software

Additional IOCs

  • Domains:
    • irandonation[.]org - Fake donation site redirecting payments to suspicious cryptocurrency wallets.
    • nowarwithiran[.]store - Fraudulent conflict-themed shopping site.
    • khameneisol[.]xyz - Meme-coin pump-and-dump promotion site.
  • Urls:
    • www.e-kflower[.]com/_prozn/_skin_mbl/home/KApp.rar - URL used by shellcode to download WebFeatures.exe.
    • www.e-kflower[.]com/_prozn/_skin_mbl/home/KAppl.rar - URL used by shellcode to download kugou.dll.
  • Registry Keys:
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\BaiNetdisk - Persistence Run key for ShellFolder loader.
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ACboardCm - Persistence Run key for LOTUSLITE downloader.
    • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ASEdge - Persistence Run key for LOTUSLITE WebFeatures.exe.
  • File Paths:
    • C:\ProgramData\CClipboardCm\libmemobook.dll - Malicious DLL sideloaded by SafeChrome.exe.
    • C:\ProgramData\CClipboardCm\SafeChrome.exe - Legitimate host executable copied for persistence.
    • C:\ProgramData\CClipboardCm\WebFeatures.exe - Legitimate data importer utility dropped by LOTUSLITE.
    • C:\ProgramData\CClipboardCm\kugou.dll - Malicious DLL sideloaded by WebFeatures.exe.
    • C:\ProgramData\WebFeatures\WebFeatures.exe - Legitimate executable used for LOTUSLITE persistence.
    • C:\ProgramData\WebFeatures\kugou.dll - Malicious DLL sideloaded by WebFeatures.exe.
    • %AppData%\BaiduNetdisk\ShellFolder.exe - Legitimate executable used to sideload ShellFolderDepend.dll.
  • Command Lines:
    • Purpose: Establishes persistence for the ShellFolder loader via Registry Run key. | Tools: reg.exe | Stage: Persistence
    • Purpose: Executes the LOTUSLITE payload via a legitimate KuGou utility. | Tools: WebFeatures.exe | Stage: Execution | WebFeatures.exe -Edge
    • Purpose: Decompiles malicious CHM file to extract secondary payloads. | Tools: hh.exe | Stage: Execution | hh.exe -decompile
  • Other:
    • photo_2026-03-01_01-20-48.pdf.lnk - Stage 1 LNK filename used in GCC targeted attack.
    • Iran Strikes U.S. Military Facilities Across Gulf Region.exe - Renamed KuGou executable used to sideload LOTUSLITE.
    • 20260301@@@ - RC4 decryption key for shellcode.