
China-linked TA416 targets European governments with PlugX and OAuth-based phishing

April 3, 2026

China-aligned threat actors have been targeting European governments and diplomatic institutions since mid-2025, after two years of minimal targeting in the region.

This campaign is attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.

“This TA416 activity included multiple waves of web bug and malware distribution campaigns against European Union and NATO diplomatic missions in European countries,” said Proofpoint researchers Mark Kelly and Georgi Mladenov.

“Throughout this period, TA416 periodically changed its infection chain, including exploiting Cloudflare Turnstile challenge pages, exploiting OAuth redirects, using C# project files, and frequently updating custom PlugX payloads.”

TA416 has also been observed organizing multiple campaigns targeting diplomatic and government institutions in the Middle East following the outbreak of the US-Israel-Iran conflict in late February 2026. The effort is likely an attempt to gather local intelligence on the conflict, the enterprise security firm added.

It’s worth mentioning here that TA416 also has historical technical overlap with another cluster known as Mustang Panda (also known as CerenaKeeper, Red Ishtar, and UNK_SteadySplit). The two activity groups are tracked together under the names Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon.

While TA416’s attacks are characterized by the use of custom PlugX variants, the Mustang Panda cluster has repeatedly deployed tools such as TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks. What they both have in common is the use of DLL sideloading to launch their malware.

TA416’s renewed focus on European organizations combines web bug campaigns with malware distribution campaigns: the attackers use free email sender accounts to conduct reconnaissance and to deploy PlugX backdoors via malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, managed domains, and compromised SharePoint instances. The PlugX campaign was previously documented by StrikeReady and Arctic Wolf in October 2025.

“A web bug (or tracking pixel) is a small invisible object embedded in an email that, when opened, triggers an HTTP request to a remote server, revealing the recipient’s IP address, user agent, and access time, allowing an attacker to assess whether the email was opened by its intended target,” Proofpoint said.

The attack carried out by TA416 in December 2025 was found to leverage a third-party Microsoft Entra ID cloud application to initiate a redirect that led to the download of a malicious archive. The phishing emails used as part of this attack wave contained a link to a legitimate Microsoft OAuth authentication endpoint that, when clicked, redirected the user to an attacker-controlled domain, ultimately deploying PlugX.

The use of this technique did not escape Microsoft’s notice. Last month, Microsoft warned of phishing campaigns targeting government and public sector organizations that abuse OAuth URL redirection to bypass the traditional phishing protections implemented in email clients and browsers.
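The two email-borne techniques described above, the web bug and the OAuth redirect lure, can both be spotted by inspecting an email’s HTML before a user opens it. The following Python script is an added illustration, not code from Proofpoint or from the article: it collects `<img>` and `<a>` tags, flags remote images sized or styled to be invisible, and flags links to a genuine Microsoft authorize endpoint whose `redirect_uri` parameter points at a host outside an allow-list. `SAMPLE_EMAIL_HTML` is a constructed message, and `TRUSTED_REDIRECT_HOSTS` is an assumed allow-list that an organization would maintain for its own Entra applications.

```python
"""Flag web bugs and OAuth-redirect lures in an email's HTML body.

Added example for illustration, not code from Proofpoint or from the article.
SAMPLE_EMAIL_HTML is a constructed message; TRUSTED_REDIRECT_HOSTS is an
assumed allow-list an organisation would maintain for its own Entra apps.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Microsoft identity platform hosts whose /oauth2/.../authorize URLs carry a redirect_uri.
MICROSOFT_OAUTH_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Hosts the organisation expects its OAuth flows to land on (assumed allow-list).
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "outlook.office.com", "teams.microsoft.com"}


class _Collector(HTMLParser):
    """Collect <img> attribute dicts and <a href> values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _is_tiny(value):
    """True for a 0 or 1 pixel dimension ('1', '1px', '0')."""
    digits = "".join(ch for ch in str(value or "") if ch.isdigit())
    return digits != "" and int(digits) <= 1


def find_web_bugs(html):
    """Return remote image URLs that are sized or styled to be invisible.

    Fetching such an image reveals the recipient's IP address, user agent and
    the time the message was opened, which is exactly what a web bug collects.
    """
    c = _Collector()
    c.feed(html)
    hits = []
    for a in c.images:
        src = a.get("src", "")
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline or data: images make no request to a remote server
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if hidden or _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            hits.append(src)
    return hits


def find_oauth_redirect_lures(html):
    """Return (link, redirect_uri) pairs where a genuine Microsoft authorize URL
    would hand the browser to a host that is not on the allow-list."""
    c = _Collector()
    c.feed(html)
    hits = []
    for href in c.links:
        u = urlparse(href)
        if u.hostname not in MICROSOFT_OAUTH_HOSTS or "/oauth2/" not in u.path:
            continue
        if not u.path.endswith("/authorize"):
            continue
        for target in parse_qs(u.query).get("redirect_uri", []):
            host = urlparse(target).hostname
            if host and host not in TRUSTED_REDIRECT_HOSTS:
                hits.append((href, target))
    return hits


# Constructed sample message: one benign sign-in link, one lure, one logo, one web bug.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Please review the attached conference agenda.</p>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Fdocs.example.invalid%2Fagenda.zip&amp;scope=openid">Open agenda</a>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&amp;redirect_uri=https%3A%2F%2Fteams.microsoft.com%2F">Sign in</a>
<img src="https://cdn.example.invalid/logo.png" width="200" height="60">
<img src="https://track.example.invalid/p.gif?id=recipient42" width="1" height="1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    print("web bugs:", find_web_bugs(SAMPLE_EMAIL_HTML))
    print("OAuth redirect lures:", find_oauth_redirect_lures(SAMPLE_EMAIL_HTML))
```

The point of the second check is that domain reputation alone cannot catch this lure: the visible link really does go to Microsoft, and Microsoft only verifies that `redirect_uri` matches what the (attacker-registered) application declared. Inspecting the parameter itself, and alerting on any redirect host the organization does not recognize, closes that gap.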

Further refinements to the attack chain were observed in February 2026, when TA416 began linking to archives hosted on Google Drive or compromised SharePoint instances. In this case, the downloaded archive contains a legitimate Microsoft MSBuild executable and a malicious C# project file.

“When the MSBuild executable is run, it searches for the project file in the current directory and builds it automatically,” the researchers said. “In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to retrieve DLL sideloading triads from the TA416-controlled domain, saving them to the user’s temporary directory, and running a legitimate executable to load PlugX through the group’s typical DLL sideloading chain.”

While the legitimate signed executables abused for DLL sideloading change over time, the PlugX malware itself remains consistent across TA416 intrusions. The backdoor establishes an encrypted communication channel with a command-and-control (C2) server, but before doing so it performs anti-analysis checks to evade detection.
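The MSBuild stage and the DLL sideloading that follows it both leave endpoint telemetry that a defender can alert on: a copy of MSBuild.exe running from an extracted archive rather than its install path, and a signed executable loading an unsigned DLL that sits beside it in the user’s temporary directory. The script below is an added illustration, not code from Proofpoint or from the article; it runs two such heuristics over constructed Sysmon-style event records (EventID 1 for process creation, EventID 7 for image load). The paths, file names, install-path markers and user-writable-path markers are all assumptions to be tuned for a real estate.

```python
"""Detection heuristics for the MSBuild / DLL-sideloading stage described above.

Added example for illustration, not code from Proofpoint or from the article.
The event records are constructed Sysmon-style dictionaries (EventID 1 =
process create, EventID 7 = image load) with made-up paths; the install-path
and user-writable-path markers are assumptions to tune for your estate.
"""
import ntpath

# Where MSBuild.exe legitimately lives (assumed). A copy anywhere else is suspect.
MSBUILD_INSTALL_MARKERS = (
    "\\windows\\microsoft.net\\framework",
    "\\program files\\microsoft visual studio\\",
    "\\program files (x86)\\microsoft visual studio\\",
    "\\dotnet\\sdk\\",
)
# Directories an ordinary user can write to (assumed list).
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\downloads\\",
    "\\desktop\\",
    "\\users\\public\\",
)


def _matches(path, markers):
    """Case-insensitive substring match of any marker against a Windows path."""
    p = path.lower()
    return any(m in p for m in markers)


def flag_msbuild_launch(ev):
    """EventID 1: MSBuild.exe started from a relocated copy, or with a
    user-writable working directory where it will pick up a project file."""
    if ev.get("EventID") != 1:
        return None
    image = ev.get("Image", "")
    if ntpath.basename(image).lower() != "msbuild.exe":
        return None
    cwd = ev.get("CurrentDirectory", "")
    relocated = not _matches(image, MSBUILD_INSTALL_MARKERS)
    if relocated or _matches(cwd, USER_WRITABLE_MARKERS):
        reason = "relocated binary" if relocated else "user-writable working directory"
        return f"msbuild.exe ({reason}): image={image} cwd={cwd} parent={ev.get('ParentImage')}"
    return None


def flag_dll_sideload(ev):
    """EventID 7: an executable loading an unsigned DLL from its own directory
    inside a user-writable location, the shape of a planted sideloading DLL."""
    if ev.get("EventID") != 7:
        return None
    image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not loaded.lower().endswith(".dll"):
        return None
    same_dir = ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()
    unsigned = str(ev.get("Signed", "")).lower() != "true"
    if same_dir and unsigned and _matches(loaded, USER_WRITABLE_MARKERS):
        return f"possible DLL sideload: {image} loaded unsigned {loaded}"
    return None


def scan(events):
    """Run both heuristics over a sequence of events; return alert strings in order."""
    alerts = []
    for ev in events:
        for check in (flag_msbuild_launch, flag_dll_sideload):
            hit = check(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample events (paths and file names are made up).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\Agenda\MSBuild.exe",
     "CurrentDirectory": r"C:\Users\alice\AppData\Local\Temp\Agenda",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "CurrentDirectory": r"C:\Users\bob\source\repos\App",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Agenda\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Agenda\support.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\SomeVendor\viewer.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Both heuristics will fire on some legitimate developer activity, so in practice they are correlated (same process GUID, MSBuild launch followed within seconds by a sideload from the same directory) before paging anyone. The sideloading check works because the Windows loader searches the application’s own directory before system directories, so an unsigned DLL next to a signed executable in a temp folder is the pattern to watch, whichever signed executable the group rotates to next.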

PlugX accepts 5 different commands:

  • 0x00000002: Get system information
  • 0x00001005: Uninstall malware
  • 0x00001007: Adjust beacon interval and timeout parameters
  • 0x00003004: Download and run new payload (EXE, DLL, or DAT)
  • 0x00007002: Open reverse command shell

“TA416’s return to European government targets in mid-2025 after two years focused on Southeast Asia and Mongolia is consistent with a renewed intelligence gathering focus for EU and NATO member diplomatic agencies,” Proofpoint said.

“Furthermore, TA416’s expansion to target Middle Eastern governments in March 2026 further highlights how this group’s mission priorities are likely to be influenced by geopolitical flashpoints and escalations throughout this period. The group has demonstrated a willingness to repeat the infection chain by repeatedly using fake Cloudflare turnstile pages, OAuth redirect abuse, and MSBuild-based distribution while continuing to update customized PlugX backdoors.”

The disclosure comes after Darktrace revealed that China-aligned cyber operations have evolved from strategically coordinated operations in the 2010s to more adaptive, identity-centric intrusions aimed at establishing long-term persistence within critical infrastructure networks.

Based on a review of attack campaigns from July 2022 to September 2025, US-based organizations accounted for 22.5% of global events, followed by Italy, Spain, Germany, Thailand, the UK, Panama, Colombia, the Philippines, and Hong Kong. The majority of cases (63%) involved the exploitation of internet-facing infrastructure (such as CVE-2025-31324 and CVE-2025-0994) to gain initial access.

“In one notable case, an attacker had fully compromised an environment and established persistence, only to reappear in the environment more than 600 days later,” Darktrace said. “The operational halt highlights both the depth of the infiltration and the long-term strategic intentions of the attackers.”

© 2026 news.fyself. Designed by fyself.