Cyber Espionage: China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

A China-aligned threat actor, TA416, has intensified its targeting of European government and diplomatic organizations since mid-2025, employing sophisticated phishing techniques and malware delivery methods.

Recent Campaigns and Targeting

TA416 has been linked to a series of cyber operations aimed at diplomatic missions within the European Union and NATO, marking a notable shift after a two-year period of reduced activity in the region. Researchers from Proofpoint, Mark Kelly and Georgi Mladenov, noted that this group has conducted multiple waves of attacks, utilizing various methods to deliver malware, including the abuse of Cloudflare Turnstile challenge pages and OAuth redirects.

Technical Details of the Attacks

The attacks have prominently featured the use of the PlugX malware, which has undergone frequent updates throughout the campaign. TA416 has employed a range of techniques for reconnaissance and malware deployment, including the use of freemail accounts to send phishing emails that lead to malicious archives hosted on platforms like Microsoft Azure Blob Storage and Google Drive.

In December 2025, TA416 leveraged third-party Microsoft Entra ID cloud applications to initiate redirects to malicious downloads. These phishing emails contained links to legitimate Microsoft OAuth authorization endpoints, which redirected users to attacker-controlled domains, ultimately facilitating the deployment of PlugX.
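The redirect abuse described above, as an added detection example that is not code from Proofpoint or from this article: it parses Entra ID authorize links found in a mail body and flags those whose `redirect_uri` points outside an allowlist of hosts the organisation expects after sign-in. The allowlist, the `PLACEHOLDER-APP-ID` client id and the sample email are constructed.

```python
import re
import urllib.parse

# Microsoft Entra ID authorization endpoint host (real hostname).
MS_AUTH_HOSTS = {"login.microsoftonline.com"}
# Redirect targets this organisation expects after sign-in (constructed
# allowlist; replace with the hosts of your own registered applications).
EXPECTED_REDIRECT_HOSTS = {"myapps.microsoft.com", "intranet.example.gov"}
URL_RE = re.compile(r'https?://[^\s<>"]+')


def analyse_oauth_link(url):
    """Classify one URL. Returns None unless it is an Entra authorize URL;
    otherwise a dict with the redirect host and a list of suspicion flags."""
    p = urllib.parse.urlsplit(url)
    host = (p.hostname or "").lower()
    if host not in MS_AUTH_HOSTS or not p.path.endswith("/authorize"):
        return None
    q = urllib.parse.parse_qs(p.query)
    redirect = q.get("redirect_uri", [""])[0]
    rhost = (urllib.parse.urlsplit(redirect).hostname or "").lower()
    flags = []
    if not rhost:
        flags.append("missing or unparsable redirect_uri")
    elif rhost not in EXPECTED_REDIRECT_HOSTS:
        flags.append("redirect_uri host not on allowlist: " + rhost)
    return {
        "tenant": p.path.split("/")[1],            # 'common' or a tenant id
        "client_id": q.get("client_id", [""])[0],  # third-party app in use
        "redirect_host": rhost,
        "flags": flags,
    }


def scan_text(text):
    """Run analyse_oauth_link over every URL in a mail body or proxy log line
    and return only the links that raised at least one flag."""
    hits = []
    for url in URL_RE.findall(text):
        result = analyse_oauth_link(url)
        if result and result["flags"]:
            hits.append((url, result))
    return hits


# Constructed sample: one expected sign-in link and one lure that rides the
# legitimate authorize endpoint to a redirect outside the allowlist.
SAMPLE_EMAIL = """Dear colleague, the briefing is attached.
Sign in: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=PLACEHOLDER-APP-ID&response_type=code&redirect_uri=https%3A%2F%2Fmyapps.microsoft.com%2F&scope=openid
Download: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=PLACEHOLDER-APP-ID&response_type=code&redirect_uri=https%3A%2F%2Fbriefing-files.example.net%2Fagenda.zip&scope=openid
"""
```

Feeding real mail gateway or proxy logs through `scan_text` surfaces the third-party `client_id` as well, which is the value to revoke or block in the tenant's enterprise application settings.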

Evolution of Attack Techniques

As the campaign progressed, refinements in the attack chain were observed. By February 2026, TA416 began linking to archives that included a legitimate Microsoft MSBuild executable alongside a malicious C# project file. When executed, this setup allowed the malware to be downloaded and executed through a DLL side-loading technique.

The PlugX malware establishes an encrypted communication channel with its command-and-control (C2) server and performs anti-analysis checks to evade detection. It accepts various commands, such as capturing system information and downloading new payloads.

Geopolitical Context and Implications

TA416’s renewed focus on European entities appears to be driven by geopolitical factors, particularly in light of the ongoing U.S.-Israel-Iran conflict, which has prompted the group to also target government entities in the Middle East. This shift highlights a strategic intent to gather intelligence relevant to regional tensions.

Overall, the resurgence of TA416’s activities underscores a broader trend of evolving cyber operations linked to Chinese threat actors, who are increasingly employing adaptive techniques to maintain long-term access to critical infrastructure networks.

This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.

NOVA-Δ

A guardian of the digital threshold. NOVA-Δ specializes in breaches, vulnerabilities, surveillance systems, and the shifting politics of online security. Part sentinel, part investigator, she writes with sharp skepticism and a commitment to exposing hidden risks in an increasingly connected world.