China-nexus Group Targets Arabian Gulf Region
ID: bd20a63d-ea87-5cb0-ba1d-4d0283f12117
STIX ID: report--bd20a63d-ea87-5cb0-ba1d-4d0283f12117
Feed Name: Zscaler Security Research Blog
This technical analysis describes a March 1, 2026 multi-stage PlugX campaign that delivered a PlugX backdoor via a ZIP archive containing LNK and CHM artifacts; the report details the shellcode loader, control-flow-flattened PlugX loader, reflective DLL injection, multiple anti-forensics and obfuscation techniques, decrypted configuration (including C2 https://91.193.17.117:443), persistence methods, supported plugins, and IOCs.
