TA416 Revives Espionage Against European Governments and NATO Missions
Proofpoint reported that China-aligned threat actor TA416 resumed sustained cyberespionage against European government, diplomatic, and NATO-linked targets from mid-2025, ending a lull in its EU-focused activity. The campaign heavily targeted diplomatic missions to the EU and NATO, with lures tied to geopolitical issues including EU-China trade tensions, the Russia-Ukraine war, rare earth exports, humanitarian concerns, interview requests, collaboration proposals, and claims about Europe sending troops to Greenland. Researchers said the actor used reconnaissance-focused web bugs and phishing emails to profile victims before attempting malware delivery.
The intrusion chains evolved repeatedly but consistently aimed to install a customized PlugX backdoor via DLL sideloading. Proofpoint observed fake Cloudflare Turnstile pages, abuse of Microsoft Entra ID OAuth redirects, and renamed MSBuild binaries paired with malicious C# project files, alongside updates to TA416's PlugX loader, persistence mechanisms, command-and-control protocol, and configuration encryption. The group also relied on re-registered domains, Cloudflare CDN masking, and VPS infrastructure, and in March 2026 expanded targeting to Middle Eastern diplomatic and government entities after conflict erupted in Iran, indicating intelligence collection driven by fast-moving geopolitical developments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
TA416 targets Indian banks and US-Korea policy circles with LotusLite
By April 2026, Acronis attributed a newly identified campaign to TA416/Mustang Panda that primarily targeted financial organizations in India and also targeted individuals in US-Korea diplomatic and policy circles using Victor Cha-themed lures. The activity used malicious files, DLL sideloading, Registry persistence, and a LotusLite backdoor variant for espionage rather than banking theft.
Proofpoint publishes analysis of renewed TA416 espionage activity
Proofpoint publicly reported that TA416 had resumed European government espionage from mid-2025 and documented updates to its PlugX tooling, infrastructure, and targeting patterns. The report also noted overlap with public reporting on RedDelta, Red Lich, Vertigo Panda, SmugX, and DarkPeony while distinguishing the activity from UNK_SteadySplit.
TA416 expands targeting to Middle Eastern diplomatic and government entities
In March 2026, Proofpoint observed TA416 broaden its espionage activity to diplomatic and government targets in the Middle East following the outbreak of conflict in Iran. Researchers assessed the expansion as likely driven by new geopolitical intelligence collection priorities.
TA416 runs evolving phishing and malware delivery campaigns in Europe
During the renewed European campaign, TA416 used reconnaissance web bugs, phishing lures, fake Cloudflare Turnstile pages, Microsoft Entra ID OAuth redirect abuse, and renamed MSBuild executables with malicious C# project files. These infection chains were designed to deliver a customized PlugX backdoor via DLL sideloading.
TA416 resumes sustained espionage against European government targets
From mid-2025, the China-aligned threat actor TA416 renewed sustained targeting of European government and diplomatic organizations after a lull in EU-focused activity. The campaign concentrated on diplomatic missions and delegations linked to the EU and NATO amid heightened geopolitical tensions.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Chinese APT Targets Indian Banks, Korean Policy Circles
darkreading.com
Open sourceChina-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
thehackernews.com
Open sourceNew Chinese cyberespionage campaigns strike Europe | brief | SC Media
scworld.com
Open sourceTA416 Expands Espionage Operations Across Europe With Web Bug Recon and Malware Delivery - Cyber Security News
cybersecuritynews.com
Open sourceEuropean-Chinese geopolitical issues drive renewed cyberespionage campaign | CyberScoop
cyberscoop.com
Open sourceI’d come running back to EU again: TA416 resumes European government espionage campaigns | Proofpoint US
proofpoint.com
Open sourceI’d come running back to EU again: TA416 resumes European government espionage campaigns - Infosec.Pub
infosec.pub
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
UNC6384 Espionage Campaign Exploits Windows Shortcut Vulnerability Against European Diplomats
Chinese state-sponsored threat actor UNC6384 conducted a targeted cyber-espionage campaign against European diplomatic entities in Hungary, Belgium, Italy, the Netherlands, and Serbia during September and October 2025. The attackers exploited an unpatched Windows shortcut vulnerability (ZDI-CAN-25373), first disclosed in March 2025, to deliver the PlugX remote access trojan via spearphishing emails themed around European Commission meetings, NATO workshops, and multilateral diplomatic events. The campaign leveraged advanced social engineering, detailed knowledge of diplomatic calendars, and multi-stage malware delivery chains, including DLL side-loading through legitimate Canon printer utilities. Arctic Wolf Labs and other researchers attributed the activity to UNC6384, noting the group’s rapid adoption of public vulnerabilities and operational expansion from Southeast Asia to Europe. The campaign’s objectives included stealing sensitive defense and national security information, monitoring NATO and EU policy development, and assessing European military readiness and supply chain resilience. The attacks began with highly targeted phishing lures, leading to the exploitation of ZDI-CAN-25373 and subsequent deployment of PlugX, which enabled remote access, data theft, and further malware installation. The campaign highlights the ongoing risk posed by unpatched vulnerabilities and the increasing sophistication of Chinese cyber-espionage operations targeting Western diplomatic and governmental organizations.
Mar 21, 2026
Chinese APT Spearphishing Campaign Using Fake Cloudflare Lures to Deploy PlugX Malware
Chinese state-sponsored threat actors have launched a sophisticated spearphishing campaign targeting government and aviation agencies across Europe, including a Serbian aviation agency. The attackers crafted malicious emails that appeared to be related to European government business, enticing recipients to click on links that redirected them to fraudulent Cloudflare verification pages. These fake pages were designed to deliver malware payloads, specifically PlugX, Sogu, and Korplug, which are commonly associated with Chinese cyberespionage groups. The campaign began in late September and has affected organizations in Serbia, Italy, Belgium, Hungary, and the Netherlands. Security researchers have attributed the activity to Chinese APTs, with some overlap in tactics and malware families used by groups such as Mustang Panda and UNC6384. The PlugX malware, a remote access trojan, enables attackers to exfiltrate sensitive data and maintain persistent access within compromised networks. The campaign's use of legitimate-looking Cloudflare lures increases the likelihood of successful credential harvesting and malware deployment. In response to the widespread use of PlugX, U.S. law enforcement, including the Justice Department and FBI, conducted operations to remove the malware from thousands of infected computers in the United States. The campaign demonstrates a high level of operational security, leveraging tailored phishing lures and multi-stage infection chains to evade detection. Security researchers have noted that the attackers continuously adapt their techniques, making use of current events and trusted brands to increase the credibility of their phishing emails. The deployment of multiple malware families in a single campaign suggests a broad espionage objective, targeting both information theft and long-term access. The campaign's cross-border nature highlights the global reach of Chinese cyberespionage operations. Organizations are advised to implement robust email filtering, user awareness training, and endpoint detection to mitigate the risk of similar attacks. The incident underscores the persistent threat posed by Chinese APTs to critical infrastructure and government entities worldwide. Ongoing analysis by cybersecurity firms continues to reveal new indicators of compromise and evolving tactics associated with this campaign. The use of PlugX and related malware remains a hallmark of Chinese cyberespionage, with attackers refining their delivery methods to bypass traditional security controls. The campaign's discovery has prompted increased collaboration between international law enforcement and private sector security teams to disrupt the threat and protect targeted organizations.
Mar 21, 2026
Middle East Conflict Triggers Spike in State-Linked Espionage and Malware Campaigns
Escalating conflict following **Operation Epic Fury** (US/Israel strikes inside Iran) has coincided with increased cyber activity targeting Middle East and adjacent interests. Proofpoint reported that Iran-aligned **TA453** (*Charming Kitten / Mint Sandstorm / APT42*) continued intelligence collection during the conflict, including a **credential-phishing** attempt against a US think tank observed on **8 March**, and noted additional campaigns against Middle East government organizations with suspected links to multiple state or state-aligned actors (including suspected attribution to **China, Belarus, Pakistan, and Hamas**). Despite reported Iranian internet shutdown measures after the initial strikes, espionage-focused operations were assessed as ongoing. Check Point Research separately identified China-linked activity targeting **Qatar**, using conflict-themed lures (e.g., fake “war news”/damage imagery) to deliver malware, including **PlugX** and **Cobalt Strike**, with tradecraft described as a multi-stage chain involving a compromised server and **DLL hijacking** via a legitimate application (*Baidu NetDisk*) to load the backdoor—highlighting rapid weaponization of breaking news to target **energy** and **military** sectors. Other items in the set were not part of this conflict-driven espionage theme: one report described a Russian-speaking **‘BlackSanta’** BYOVD-based “EDR killer” delivered via HR workflow abuse and steganographic images, and a weekly threat bulletin summarized unrelated breaches and research (e.g., AkzoNobel, LexisNexis, Wikimedia worm, TriZetto, and AI-related threats).
Mar 21, 2026