After a two-year period of minimal targeting in the region, the China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025.
The campaign has been attributed to TA416, a group of activity that overlaps with Darkpenny, RedDelta, Red Lich, SmogX, UNC6384, and Vertigo Panda.
Proofpoint researchers Mark Kelly and Georgi Mladenov said, “This TA416 activity involved several waves of web bug and malware delivery campaigns against diplomatic missions in several European Union and NATO countries.”
“During this period, TA416 regularly changed its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as repeatedly updating its custom PlugX payload.”
TA416 has also been seen conducting several missions aimed at diplomatic and government entities in the Middle East following the outbreak of the US–Israel–Iran conflict in late February 2026. The enterprise security company said the activity was likely aimed at gathering regional intelligence related to the conflict.
It is worth mentioning here that TA416 also shares historical technical overlap with another cluster called Mustang Panda (aka SerenaKeeper, Red Ishtar and UNK_SteadySplit). The two activity groups are collectively tracked under the aliases Earth Preta, Hive0154, Honeymite, Stately Taurus, Temp.Hex, and Twill Typhoon.
While TA416 attacks have been characterized by the use of custom PlugX variants, the Mustang Panda cluster has repeatedly deployed tools such as TONESHELL, PUBLOAD, and CoolClient in recent attacks. What the two have in common is the use of DLL side-loading to launch malware.
TA416’s renewed focus on European entities is characterized by a mix of web bug and malware delivery campaigns, in which the threat actor uses Freemail sender accounts to conduct reconnaissance and deploys PlugX backdoors through malicious archives hosted on Microsoft Azure Blob storage, Google Drive, domains under its control, and compromised SharePoint instances. These PlugX campaigns were first documented by StrikeReady and Arctic Wolf in October 2025.
Proofpoint said, “A web bug (or tracking pixel) is a small invisible object embedded in an email that when opened triggers an HTTP request to a remote server, revealing the recipient’s IP address, user agent, and access time, allowing the threat actor to assess whether the email was opened by the intended target.”
Attacks conducted by TA416 in December 2025 leveraged third-party Microsoft Entra ID cloud applications to initiate redirects that could lead to the download of malicious archives. The phishing emails used as part of this attack wave contained a link to Microsoft’s legitimate OAuth authorization endpoint, which, when clicked, redirected the user to an attacker-controlled domain and ultimately deployed PlugX.
The use of this technique has not escaped the attention of Microsoft, which last month warned of phishing campaigns targeting government and public sector organizations that use the OAuth URL redirection mechanism to bypass traditional phishing protections implemented in emails and browsers.
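The two lure-side techniques described above, the web bug and the OAuth authorize link whose redirect_uri lands on an attacker-controlled host, both leave traces in the HTML of the phishing email itself. The following is an added example of how a defender can triage a message body for them; it is not Proofpoint's or Microsoft's tooling. The sample email, every hostname in it (all on the reserved .invalid TLD) and the client_id are constructed, and the list of Microsoft authorize hosts and the allowlist of expected redirect hosts are assumptions a tenant would tune to its own registered applications.

```python
"""Triage an HTML email body for a web bug (remote tracking image) and for
Microsoft OAuth authorize links whose redirect_uri points off-tenant."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumption: Microsoft's authorize endpoints are served from these hosts, and
# the defender keeps an allowlist of redirect hosts used by apps they trust.
MS_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com",
                      "login.windows.net"}
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "www.office.com"}


class _Collector(HTMLParser):
    """Collects <img> attribute maps and <a href> values from the body."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img":
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _tiny_or_hidden(a):
    """A 1x1 or CSS-hidden image is the classic web-bug shape."""
    def one_px(v):
        v = v.strip().lower()
        if v.endswith("px"):
            v = v[:-2]
        return v.isdigit() and int(v) <= 1
    style = a.get("style", "").replace(" ", "").lower()
    return (one_px(a.get("width", "")) or one_px(a.get("height", ""))
            or "display:none" in style or "visibility:hidden" in style)


def triage_email(html):
    """Return remote tracking images and OAuth authorize links found in the body."""
    c = _Collector()
    c.feed(html)
    web_bugs = []
    for img in c.images:
        u = urlparse(img.get("src", ""))
        # Only a remote fetch reveals IP, user agent and open time to a sender.
        if u.scheme in ("http", "https") and _tiny_or_hidden(img):
            web_bugs.append({"url": img["src"], "host": u.hostname})
    oauth_links = []
    for href in c.links:
        u = urlparse(href)
        if u.hostname not in MS_AUTHORIZE_HOSTS or not u.path.endswith("/authorize"):
            continue
        q = parse_qs(u.query)
        redirect = q.get("redirect_uri", [""])[0]
        rhost = urlparse(redirect).hostname
        # The link itself is legitimate; the redirect target is what matters.
        oauth_links.append({"authorize_url": href,
                            "client_id": q.get("client_id", [""])[0],
                            "redirect_host": rhost,
                            "suspicious": rhost not in TRUSTED_REDIRECT_HOSTS})
    return {"web_bugs": web_bugs, "oauth_links": oauth_links}


# Constructed sample message: every host is a placeholder on the .invalid TLD.
SAMPLE_EMAIL = """<html><body>
<p>Please review the agenda for next week's delegation visit.</p>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000001&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Fdocs-share.example.invalid%2Fcb&amp;scope=openid">Open agenda</a>
<img src="https://mail-stat.example.invalid/o.gif?r=42" width="1" height="1" alt="">
<img src="https://www.example.org/banner.png" width="300" height="80">
</body></html>"""

if __name__ == "__main__":
    for kind, hits in triage_email(SAMPLE_EMAIL).items():
        print(kind, hits)
```

Blocking remote image loads in the mail client defeats the web bug outright; for the OAuth link, the useful enrichment is the client_id, which can be checked against the tenant's consented applications before anyone clicks.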
Further refinements to the attack chain were seen in February 2026, when TA416 began linking to archives hosted on Google Drive or a compromised SharePoint instance. In this case, the downloaded archives contain a legitimate Microsoft MSBuild executable and a malicious C# project file.
“When the MSBuild executable is run, it searches the current directory for the project file and automatically builds it,” the researchers said. “In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, saving them in the user’s temporary directory, and executing a legitimate executable to load PlugX via the group’s specific DLL side-loading chain.”
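The downloader described above lives entirely in a C# project file: an inline task that MSBuild compiles at build time, with its staging URLs hidden as base64. The following is an added example of a static check a responder can run over a suspicious .csproj to surface exactly those traits; it is not Proofpoint's code, and the sample project, its three placeholder URLs (on the reserved .invalid TLD) and the task name are constructed. The sample keeps only the encoded strings and carries no fetch or execute logic.

```python
"""Scan a .csproj for inline-code tasks, Exec tasks and base64-encoded URLs."""
import base64
import re
import xml.etree.ElementTree as ET

# Task factories that let a project file carry compiled-on-the-fly C#.
INLINE_FACTORIES = ("CodeTaskFactory", "RoslynCodeTaskFactory")
# A run of base64 alphabet long enough to hold a URL; short tokens are ignored.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")


def _local(tag):
    """Strip the MSBuild XML namespace so element names compare cleanly."""
    return tag.rsplit("}", 1)[-1]


def decode_b64_urls(text):
    """Return every base64 token in text that decodes to an http(s) URL."""
    urls = []
    for m in B64_RE.finditer(text or ""):
        try:
            decoded = base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except Exception:  # not valid base64, or not text
            continue
        if decoded.startswith(("http://", "https://")):
            urls.append(decoded)
    return urls


def scan_csproj(xml_text):
    """Return a list of findings, each a dict with 'kind' and 'detail'."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == "UsingTask":
            factory = el.get("TaskFactory", "")
            if any(f in factory for f in INLINE_FACTORIES):
                findings.append({"kind": "inline-code-task",
                                 "detail": f"TaskName={el.get('TaskName')} TaskFactory={factory}"})
        elif name == "Exec":
            findings.append({"kind": "exec-task", "detail": el.get("Command", "")})
        # Encoded strings may sit in element text (CDATA) or in attributes.
        for chunk in [el.text] + list(el.attrib.values()):
            for url in decode_b64_urls(chunk):
                findings.append({"kind": "base64-url", "detail": url})
    return findings


# Constructed sample: three placeholder URLs, base64-encoded the way the
# text above describes, inside an inline C# task.
SAMPLE_URLS = [
    "https://stage.example.invalid/host.exe",
    "https://stage.example.invalid/side.dll",
    "https://stage.example.invalid/payload.dat",
]
SAMPLE_CSPROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build">
    <Stage />
  </Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        // Constructed stand-in: only the encoded strings are kept here.
        string[] enc = { "%s", "%s", "%s" };
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
""" % tuple(base64.b64encode(u.encode()).decode() for u in SAMPLE_URLS)

if __name__ == "__main__":
    for f in scan_csproj(SAMPLE_CSPROJ):
        print(f["kind"], f["detail"])
```

Any hit on inline-code-task or base64-url in a project file that arrived inside an archive next to MSBuild.exe is a strong signal; a legitimate build rarely needs either, and the decoded URLs go straight into a block list.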
PlugX malware has been consistently present throughout TA416 infiltrations, although the number of legitimate, signed executables abused for DLL side-loading has varied over time. The backdoor is also known to establish an encrypted communication channel with its command-and-control (C2) servers, but not before conducting anti-analysis checks to avoid detection.
PlugX accepts five different commands:
- 0x00000002: get system information
- 0x00001005: uninstall the malware
- 0x00001007: adjust beaconing interval and timeout parameters
- 0x00003004: download and execute a new payload (EXE, DLL, or DAT)
- 0x00007002: open a reverse command shell
“After a two-year focus on Southeast Asia and Mongolia, TA416’s move back to a European government target of mid-2025 is consistent with a renewed intelligence-collection focus against EU and NATO-allied diplomacy entities,” Proofpoint said.
“Furthermore, the extension of TA416 to Middle Eastern government targeting in March 2026 highlights how the group’s work priorities are influenced by geopolitical flashpoints and escalations. During this period, the group has shown a willingness to iterate on infection chains using fake Cloudflare turnstile pages, OAuth redirect abuse, and MSBuild-based delivery, while continuing to update its customized PlugX backdoor.”
The revelations come as Darktrace revealed that China-nexus cyber operations have evolved from strategically aligned activity in the 2010s to highly adaptive, identity-focused intrusions intended to establish long-term persistence within critical infrastructure networks.
Based on a review of attack campaigns between July 2022 and September 2025, US-based organizations accounted for 22.5% of all global incidents, followed by Italy, Spain, Germany, Thailand, the UK, Panama, Colombia, the Philippines, and Hong Kong. The majority of cases (63%) involved exploiting Internet-facing infrastructure (for example, CVE-2025-31324 and CVE-2025-0994) to gain initial access.
“In one notable case, the actor had completely compromised the environment and established persistence, but was re-exposed to the environment after more than 600 days,” Darktrace said. “The operational pause underscores both the depth of the infiltration and the actor’s long-term strategic intentions.”