China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Since mid-2025 the China-aligned actor TA416 has resumed targeting European government and diplomatic organizations using web bugs and evolving malware delivery chains. The group repeatedly modified its infection techniques—abusing Cloudflare Turnstile, OAuth redirects, MSBuild/C# project files, and hosting payloads on Azure Blob Storage, Google Drive, and compromised SharePoint—while expanding operations to Middle Eastern targets in early 2026. #TA416 #PlugX #CloudflareTurnstile #MicrosoftEntraID #MSBuild #MustangPanda #NATO #EuropeanUnion

Keypoints

  • TA416 revived a campaign against European diplomatic and government organizations beginning in mid-2025 using web bugs and malware-laden archives.
  • The group constantly iterated its infection chain, leveraging Cloudflare Turnstile pages, OAuth redirect abuse, and MSBuild/C# project files to deploy payloads.
  • PlugX backdoor variants were delivered via malicious archives hosted on Azure Blob Storage, Google Drive, attacker-controlled domains, and compromised SharePoint instances.
  • Attackers used DLL side-loading with legitimate signed executables; the PlugX backdoor supports commands for system reconnaissance, payload download and execution, beacon adjustments, reverse shells, and uninstallation.
  • TA416 shows overlap with Mustang Panda and shifted focus to Middle Eastern targets in early 2026, indicating geopolitically driven intelligence-collection priorities and long-term persistence tactics.
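As an added illustration that is not part of the article or the underlying report, the following Python heuristic flags two of the behaviours listed in the keypoints over constructed sample telemetry: MSBuild launched against a project file under a user-writable path, and a signed executable loading a DLL from its own non-system directory (a DLL side-loading pattern). The event format, paths and field names are assumptions made for this example.

```python
import re

# Constructed sample events (not from the article): a simple key=value line format
# with one process-creation record per line or one image-load record per line.
SAMPLE_EVENTS = [
    'type=process image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe '
    'cmdline="MSBuild.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\build.csproj"',
    'type=process image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe '
    'cmdline="MSBuild.exe C:\\Src\\app\\app.csproj"',
    'type=imageload image=C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\viewer.exe '
    'signed=true loaded=C:\\Users\\alice\\AppData\\Local\\Temp\\invite\\helper.dll',
    'type=imageload image="C:\\Program Files\\Vendor\\viewer.exe" '
    'signed=true loaded=C:\\Windows\\System32\\kernel32.dll',
]

# Directories an ordinary user can write to (assumed list for this example).
USER_WRITABLE = re.compile(r'^(c:\\users\\|c:\\programdata\\|c:\\windows\\temp\\)', re.I)
SYSTEM_DIRS = re.compile(r'^c:\\windows\\', re.I)

def parse_event(line):
    """Parse key=value tokens; values may be double-quoted to allow spaces."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def msbuild_from_user_path(ev):
    """MSBuild executing a project file that lives under a user-writable path."""
    if ev.get('type') != 'process' or not ev.get('image', '').lower().endswith('\\msbuild.exe'):
        return False
    for arg in re.findall(r'\S+\.(?:csproj|vbproj|proj)', ev.get('cmdline', ''), re.I):
        if USER_WRITABLE.match(arg):
            return True
    return False

def sideload_candidate(ev):
    """Signed executable loading a DLL from its own directory outside system dirs."""
    if ev.get('type') != 'imageload' or ev.get('signed') != 'true':
        return False
    exe_dir = ev['image'].rsplit('\\', 1)[0].lower()
    dll_dir = ev['loaded'].rsplit('\\', 1)[0].lower()
    return exe_dir == dll_dir and not SYSTEM_DIRS.match(dll_dir)

def scan(lines):
    """Return (rule, evidence) pairs for every event that trips a heuristic."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if msbuild_from_user_path(ev):
            findings.append(('msbuild_user_path', ev['cmdline']))
        elif sideload_candidate(ev):
            findings.append(('dll_sideload', ev['loaded']))
    return findings

if __name__ == '__main__':
    for rule, evidence in scan(SAMPLE_EVENTS):
        print(rule, evidence)
```

Both rules are coarse on purpose: developer workstations legitimately run MSBuild from user profiles, so the output is a triage queue to enrich with parent process and network context rather than a verdict.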

Read More: https://thehackernews.com/2026/04/china-linked-ta416-targets-european.html