A China-aligned threat actor has been targeting European government and diplomatic organizations since mid-2025, after a period of minimal activity in the region. The campaign has been attributed to TA416, a group that overlaps with activity clusters tracked as DarkPeony, RedDelta, and Red Lich.
According to researchers at Proofpoint, TA416 has run multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO in several European countries. The group has repeatedly reworked its infection chain, abusing Cloudflare Turnstile challenge pages and OAuth redirects along the way, and has continued to update its custom PlugX payload.
In addition to targeting European entities, TA416 has also been involved in campaigns aimed at diplomatic and government entities in the Middle East following the U.S.-Israel-Iran conflict in late February 2026. The group’s activities are believed to be focused on gathering intelligence related to the conflict.
TA416 shares technical similarities with another cluster known as Mustang Panda, with both groups known for using DLL side-loading to launch malware. While TA416 primarily deploys bespoke PlugX variants, Mustang Panda has been observed using tools like TONESHELL and PUBLOAD in recent attacks.
TA416's recent European activity mixes web bug and malware delivery campaigns. The operators use freemail sender accounts for reconnaissance and deliver the PlugX backdoor through malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, and compromised SharePoint instances.
One technique seen in TA416 attacks is the web bug: a remote resource, typically a tiny or hidden image, embedded in an email so that the recipient's mail client fetches it from an attacker-controlled server when remote content is rendered. The resulting HTTP request records the recipient's IP address and user agent, letting the operators assess whether the message was opened by the intended target.
Microsoft has separately warned of phishing campaigns against government and public-sector organizations that abuse OAuth URL redirection: the lure link points at a legitimate identity provider's authorization endpoint, which then forwards the browser to the attacker-controlled redirect_uri, so the domain that email and browser defenses (and the recipient) see is the trusted one.
TA416's attack chain has also been refined: recent emails link to archives hosted on Google Drive or on compromised SharePoint instances. Each archive bundles a legitimate, Microsoft-signed MSBuild executable with a malicious C# project file, and running MSBuild against that project loads the PlugX malware via DLL side-loading.
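Both tricks leave traces in the message body itself, so they can be caught before a user renders the mail. The script below is an added example (not Proofpoint's or Microsoft's code) that scans an HTML email for two things: remote images that look like tracking pixels (1x1, hidden, or carrying a per-recipient token) and links to a real identity-provider authorization endpoint whose redirect_uri points outside the hosts that provider is expected to send users back to. The sample message, the IDP_HOSTS and TRUSTED_REDIRECT_HOSTS allowlists, and the example-lure.invalid domain are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed allowlists (hypothetical, tune per organisation): identity-provider
# authorization endpoints a link may legitimately point at, and the redirect
# hosts those providers are expected to send users back to.
IDP_HOSTS = {"login.microsoftonline.com", "login.live.com", "accounts.google.com"}
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "login.live.com",
                          "outlook.office.com", "portal.azure.com"}

# Constructed sample message, not a real lure. Ampersands are written as &amp;
# because html.parser unescapes attribute values, and a bare "&redirect_uri"
# would otherwise be mangled into "(R)irect_uri" by the legacy "&reg" entity.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear colleague, the agenda for next week's meeting is attached.</p>
<img src="cid:logo123" width="120" height="40" alt="logo">
<img src="https://track.example-lure.invalid/o.gif?rid=7f3a9c1e" width="1" height="1" style="display:none">
<p><a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&amp;response_type=code&amp;scope=openid&amp;redirect_uri=https%3A%2F%2Fportal.example-lure.invalid%2Fcb">Review the shared document</a></p>
<p><a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Flogin.microsoftonline.com%2Fcommon%2Foauth2%2Fnativeclient">Sign in</a></p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects <img> attribute dicts and <a href> values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def _collect(html):
    p = _LinkCollector()
    p.feed(html)
    return p


def _tiny(value):
    """True for a 0/1 px dimension; a missing or non-numeric value is not tiny."""
    try:
        return int(value.strip().rstrip("px").strip()) <= 1
    except ValueError:
        return False


def find_web_bugs(html):
    """Remote images that look like tracking pixels: 1x1, hidden via CSS, or
    carrying a query string (usually a per-recipient token). Each one fires an
    HTTP request exposing IP, User-Agent and time of open when rendered."""
    hits = []
    for img in _collect(html).images:
        src = img["src"]
        u = urlparse(src)
        if u.scheme not in ("http", "https"):
            continue  # cid:/data: images never leave the message
        tiny = _tiny(img.get("width", "")) and _tiny(img.get("height", ""))
        hidden = "display:none" in img.get("style", "").replace(" ", "").lower()
        if tiny or hidden or u.query:  # query-string rule is a heuristic
            hits.append(src)
    return hits


def find_oauth_redirect_abuse(html):
    """Links to a genuine IdP authorization endpoint whose redirect_uri would
    send the browser to a host outside TRUSTED_REDIRECT_HOSTS."""
    findings = []
    for href in _collect(html).links:
        u = urlparse(href)
        if (u.hostname or "").lower() not in IDP_HOSTS:
            continue  # not an IdP link; ordinary URL filtering applies
        for target in parse_qs(u.query).get("redirect_uri", []):
            host = (urlparse(target).hostname or "").lower()
            if host not in TRUSTED_REDIRECT_HOSTS:
                findings.append((href, target))
    return findings


if __name__ == "__main__":
    print("web bugs:", find_web_bugs(SAMPLE_EMAIL_HTML))
    print("oauth redirect abuse:", find_oauth_redirect_abuse(SAMPLE_EMAIL_HTML))
```

On the sample message the scanner reports the 1x1 hidden tracking image and the first authorization link, whose redirect_uri lands on portal.example-lure.invalid; the second link redirects back to Microsoft and is left alone. In a mail gateway you would run this on the decoded text/html part and strip or defang the hits; for a mail client, disabling automatic remote-content loading removes the web bug signal entirely.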
PlugX establishes encrypted communication with its command-and-control servers and accepts commands to capture system information, uninstall itself, adjust its beaconing interval, download further payloads, and open a reverse command shell.
The shift of TA416 back to targeting European government entities is seen as part of a renewed focus on intelligence collection against EU and NATO-affiliated diplomacy entities. The group’s expansion to Middle Eastern government targeting further reflects its adaptability based on geopolitical situations.
Darktrace has highlighted the evolution of Chinese-nexus cyber operations from strategically-aligned activities to identity-centric intrusions aimed at long-term persistence within critical infrastructure networks.
In the same review of attack campaigns, U.S.-based organizations accounted for a large share of observed events, with Italy, Spain, and Germany also among the targeted countries. Exploitation of internet-facing infrastructure for initial access was a common tactic across these intrusions.