China-nexus Group Targets Persian Gulf Region
ID: 6aab750f-6910-5f89-a325-a8b234b0a709
STIX ID: report--6aab750f-6910-5f89-a325-a8b234b0a709
Feed Name: Zscaler Security Research Blog
This technical report analyzes a March 1, 2026 multi-stage intrusion that used a ZIP archive with a malicious LNK to download a CHM, extract a TAR containing ShellFolder.exe and ShellFolderDepend.dll, and deploy an encrypted shellcode chain that reflectively loads a PlugX backdoor; the analysis documents DLL sideloading, inline API hooks, custom XOR/PRNG/RC4 decryption routines, control-flow-flattened shellcode, corrupted MZ/PE headers used as anti-forensics and a context structure for configuration, persistence mechanisms, supported C2 channels and commands, plugins, and IOCs including the C2 endpoint https://91.193.17.117:443.
