
China-Linked TA416 Targets European Governments for PlugX and OAuth-Based Phishing

A China-linked threat actor has been targeting European governments and official organizations since mid-2025, following a two-year period in which the region received less of its attention.

The campaign has been attributed to TA416, an activity cluster that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.

“This TA416 operation includes multiple waves of web bug and malware delivery campaigns against European Union and NATO proxies in several European countries,” said Proofpoint researchers Mark Kelly and Georgi Mladenov.

“Throughout this time, TA416 has been changing its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as constantly updating its custom PlugX payload.”

TA416 has also been observed orchestrating multiple campaigns against diplomatic and government organizations in the Middle East following the outbreak of the US-Israel-Iran conflict in late February 2026. The effort is likely an attempt to collect regional intelligence related to the conflict, the security firm added.

It’s worth noting that TA416 also has a historical overlap with another cluster known as Mustang Panda (also tracked as CerenaKeeper, Red Ishtar, and UNK_SteadySplit). The two clusters are collectively tracked under the monikers Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon.

While TA416 activity is characterized by the use of various PlugX variants, Mustang Panda has repeatedly deployed tools such as TONESHELL, PUBLOAD, and COOLCLIENT. Common to both is the use of DLL side-loading to launch their malware.

TA416’s renewed focus on European entities combines web bug and malware delivery campaigns, with the threat actor using freemail sender accounts to deliver the PlugX backdoor via malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under its control, and vulnerable environments. Earlier PlugX campaigns were documented by StrikeReady and Arctic Wolf in October 2025.

“A web bug (or tracking pixel) is a small invisible object embedded in an email that initiates an HTTP request to a remote server when it is opened, revealing the recipient’s IP address, user agent, and access time, allowing a threat actor to verify that the email was opened by the target,” Proofpoint said.

An attack carried out by TA416 in December 2025 was found to abuse Microsoft Entra ID applications to trigger redirects that lead to malicious archive downloads. The phishing emails in this wave contain a link to Microsoft’s OAuth authorization endpoint which, when clicked, redirects the user to an attacker-controlled domain that ultimately delivers PlugX.

The technique has not escaped Microsoft’s notice: last month the company warned of phishing campaigns targeting governments and public organizations that use OAuth URL redirection to bypass the standard phishing protections in email clients and browsers.
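One way a mail-security or SOC team can triage such links, as an added defender-side example (not Proofpoint's or Microsoft's code): parse the link, confirm it points at the identity provider's authorization endpoint, and flag any redirect_uri whose host is not one of the organization's known application callbacks. The allowlist, the sample client IDs and the "evil-example.invalid" host are constructed placeholders, not indicators from the article.

```python
from urllib.parse import urlparse, parse_qs

# Hosts of the identity provider's OAuth authorization endpoints.
IDP_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}

# Assumption: the organization knows which hosts its registered apps
# legitimately redirect to after sign-in or consent (constructed values).
REDIRECT_ALLOWLIST = {"app.example-corp.invalid", "outlook.office.com"}


def extract_redirect(url: str):
    """Return (client_id, redirect host) for an authorize link, else None."""
    parsed = urlparse(url)
    if parsed.hostname not in IDP_HOSTS or "/oauth2/" not in parsed.path:
        return None
    params = parse_qs(parsed.query)          # decodes the %-encoded redirect_uri
    redirect = params.get("redirect_uri", [None])[0]
    if redirect is None:
        return None
    return params.get("client_id", [None])[0], urlparse(redirect).hostname


def classify_link(url: str) -> str:
    """'not_oauth', 'allowed', or 'suspicious' when the redirect leaves the allowlist."""
    info = extract_redirect(url)
    if info is None:
        return "not_oauth"
    _client_id, redirect_host = info
    # A missing host (custom scheme) or an unknown host both count as suspicious.
    return "allowed" if redirect_host in REDIRECT_ALLOWLIST else "suspicious"


def triage(urls):
    """Map each URL in a batch (e.g. pulled from quarantined mail) to its verdict."""
    return {u: classify_link(u) for u in urls}


# Constructed sample links for the example; not real indicators.
SAMPLE_LINKS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fevil-example.invalid%2Fdl&scope=openid",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example-corp.invalid%2Fcb&scope=openid",
    "https://www.example.com/report.pdf",
]

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(verdict, link)
```

The client_id returned by extract_redirect can be cross-checked against the tenant's registered applications to spot a consent-granted app that should not exist.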

A further evolution of the attack chain was observed in February 2026, when TA416 began linking to archives hosted on Google Drive or on a vulnerable SharePoint instance. In this case the downloaded archives contain the legitimate Microsoft MSBuild executable together with a malicious C# project file.

“When the MSBuild executable is run, it searches the current directory for the project file and builds it automatically,” the researchers said. “In the observed operation of TA416, the CSPROJ file acts as a downloader, recording three Base64-encoded URLs to download the triangle sideloading DLL from a domain controlled by TA416, saving them in the user’s temporary directory, and creating a valid executable to load PlugX with a standard Dchain group load.”
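The MSBuild step described above leaves a detectable footprint: a copy of msbuild.exe running from a user-writable directory with no project argument, so that it builds whatever .csproj sits in its working directory. The following detection logic over constructed, Sysmon-style process-creation events is an added example, not Proofpoint's or Microsoft's code; the trusted-path prefixes are an assumption about where the organization's Visual Studio and .NET installs live.

```python
import ntpath

# Assumption: directories from which Microsoft's own MSBuild is expected to run.
TRUSTED_MSBUILD_PREFIXES = (
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
    r"c:\windows\microsoft.net\framework",
    r"c:\program files\dotnet",
)

# User-writable locations where an extracted phishing archive typically lands.
USER_WRITABLE_TOKENS = ("\\temp\\", "\\downloads\\", "\\appdata\\")


def is_msbuild(image: str) -> bool:
    return ntpath.basename(image).lower() == "msbuild.exe"


def msbuild_outside_trusted_path(image: str) -> bool:
    return is_msbuild(image) and not image.lower().startswith(TRUSTED_MSBUILD_PREFIXES)


def evaluate(event: dict) -> list:
    """Return the reasons an event matches the copied-MSBuild / CSPROJ pattern."""
    reasons = []
    image = event.get("Image", "")
    if not is_msbuild(image):
        return reasons
    if msbuild_outside_trusted_path(image):
        reasons.append("msbuild.exe running from untrusted directory")
    cmd = event.get("CommandLine", "").lower()
    # No explicit project on the command line: MSBuild picks up the project
    # file in its current directory, which is the behaviour the article describes.
    if not any(ext in cmd for ext in (".csproj", ".proj", ".sln")):
        cwd = event.get("CurrentDirectory", "").lower()
        if any(tok in cwd for tok in USER_WRITABLE_TOKENS):
            reasons.append("implicit project build from user-writable directory")
    return reasons


def detect(events):
    """Return (image, reasons) for every event that triggers at least one reason."""
    return [(e.get("Image", ""), evaluate(e)) for e in events if evaluate(e)]


# Constructed sample events (Sysmon-style field names); paths are illustrative.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\alice\Downloads\Invitation\MSBuild.exe",
     "CommandLine": "MSBuild.exe",
     "CurrentDirectory": r"C:\Users\alice\Downloads\Invitation"},
    {"Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r"MSBuild.exe C:\src\app\app.csproj /t:Build",
     "CurrentDirectory": r"C:\src\app"},
]
```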

PlugX has been a constant across TA416 intrusions, although the legitimate, signed executables abused to side-load the malicious DLL have varied over time. The backdoor establishes an encrypted communication channel with its command-and-control (C2) server, but only after performing anti-analysis checks to evade detection.

PlugX accepts five different commands:

  • 0x00000002: capture system information
  • 0x00001005: remove the malware
  • 0x00001007: adjust the interval and timeout parameters
  • 0x00003004: download a new payload (EXE, DLL, or DAT) and run it
  • 0x00007002: open a reverse command shell

“The return of TA416 to the European government towards mid-2025, following a two-year focus on Southeast Asia and Mongolia, coincides with the regrouping of the intelligence collection against EU and NATO-affiliated communications organizations,” Proofpoint said.

“Furthermore, the extension of TA416 in the direction of the Middle East government in March 2026 also highlights that the group’s prioritization may be influenced by geopolitical flashpoints and escalation. All this time, this group has shown the willingness to multiply by chains of infection, cycling through the Cloudflare Turnstile i fake, MS redirect pages, MS customized PlugX back door.”

The disclosure comes as Darktrace revealed that Chinese-nexus cyber operations have evolved from the strategically aligned operations of the 2010s into dynamic, proprietary intrusions aimed at establishing long-term persistence within critical infrastructure networks.

Based on a review of attack campaigns between July 2022 and September 2025, US-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the UK, Panama, Colombia, the Philippines, and Hong Kong. The majority of cases (63%) involved exploiting Internet-facing infrastructure (e.g., CVE-2025-31324 and CVE-2025-0994) to gain initial access.

“In one notable incident, the actor had completely compromised the environment and established persistence, only to reappear in the area for more than 600 days,” said Darktrace. “The suspension underscores both the depth of penetration and the actor’s long-term strategic intent.”
