Ethical Hacking News
China-linked threat actor TA416 targets European governments with PlugX and OAuth-based phishing campaigns, demonstrating a renewed focus on intelligence collection and expanding its reach into Middle Eastern government targeting. The malicious activities highlight the sophistication and adaptability of this threat actor, emphasizing the need for robust cybersecurity strategies to mitigate its impact.
TA416, a China-linked threat actor, has been targeting European governments and diplomatic organizations with malicious tactics since mid-2025. TA416's activities overlap with other notable threat groups, including DarkPeony, RedDelta, and SmugX. The threat actor uses bespoke PlugX variants, OAuth-based phishing emails, and DLL side-loading triads to deliver malware. TA416 has employed various techniques to evade detection, including abusing Cloudflare Turnstile challenge pages and Microsoft Entra ID cloud applications. The malware establishes an encrypted communication channel with its command-and-control (C2) server and accepts five different commands for execution. TA416's return to European government targeting is consistent with a renewed intelligence-collection focus against EU and NATO-affiliated diplomatic entities.
A recent report by cybersecurity firm Proofpoint has shed light on a sophisticated threat actor linked to China, dubbed TA416, which has been targeting European governments and diplomatic organizations with a range of malicious tactics. According to the report, TA416's activities have been observed in the region since mid-2025, following a two-year period of minimal targeting.
The TA416 threat actor is believed to be part of a cluster of activity that overlaps with other notable threat groups, including DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. This cluster of activities has been collectively tracked under the monikers Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon.
TA416's malicious campaign against European governments and diplomatic organizations includes multiple waves of web bug and malware delivery campaigns, which have been characterized by the use of bespoke PlugX variants. These malicious payloads are delivered via freemail sender accounts, malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under its control, and compromised SharePoint instances.
The use of OAuth-based phishing emails has also been observed in TA416's campaigns, which redirect users to attacker-controlled domains, ultimately deploying PlugX. Furthermore, the threat actor has employed a range of techniques, including abusing Cloudflare Turnstile challenge pages, C# project files, and DLL side-loading triads to evade detection.
One notable technique used by TA416 is the abuse of Microsoft Entra ID cloud applications to initiate redirects that lead to the download of malicious archives. These phishing emails contain a link to Microsoft's legitimate OAuth authorization endpoint that, when clicked, redirects the user to the attacker-controlled domain and ultimately deploys PlugX.
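One defensive check for this redirect pattern, as an added example that is not Proofpoint's tooling or anything from the report: extract links from a mail body, keep only those pointing at Microsoft's OAuth authorize endpoint, and flag any whose redirect_uri leaves an allowlist of hosts the organisation expects its registered applications to redirect to. The allowlist, client IDs and sample mail body are constructed.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed allowlist: hosts that the organisation's own registered
# Entra ID applications legitimately redirect to after sign-in.
TRUSTED_REDIRECT_HOSTS = {"login.microsoftonline.com", "intranet.example.gov"}

MS_LOGIN_HOST = "login.microsoftonline.com"
AUTHORIZE_PATH = re.compile(r"/oauth2(?:/v2\.0)?/authorize$")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def suspicious_oauth_links(text, trusted=TRUSTED_REDIRECT_HOSTS):
    """Return (link, redirect_host) for each Microsoft authorize URL in
    `text` whose redirect_uri points at a host outside the trusted set.
    The authorize endpoint itself is genuine, so the redirect target is
    what needs scrutiny, not the domain the link appears to go to."""
    hits = []
    for link in URL_RE.findall(text):
        parts = urlparse(link)
        if parts.netloc.lower() != MS_LOGIN_HOST:
            continue
        if not AUTHORIZE_PATH.search(parts.path):
            continue
        # parse_qs percent-decodes the value, so the nested URL parses cleanly
        for target in parse_qs(parts.query).get("redirect_uri", []):
            host = urlparse(target).netloc.lower()
            if host and host not in trusted:
                hits.append((link, host))
    return hits


# Constructed mail body: one ordinary sign-in link and one whose
# redirect_uri leaves Microsoft's domain for an external archive host.
SAMPLE_MAIL = """Agenda for Thursday:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&response_type=code&redirect_uri=https%3A%2F%2Fintranet.example.gov%2Fsignin&scope=openid
Revised copy:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-1111-1111-1111-111111111111&response_type=code&redirect_uri=https%3A%2F%2Fdocs-share.invalid%2Fagenda.zip&scope=openid
"""

if __name__ == "__main__":
    for link, host in suspicious_oauth_links(SAMPLE_MAIL):
        print(f"redirect_uri host {host} not trusted: {link}")
```

The same check can be applied to proxy or mail-gateway logs, since the redirect_uri is visible in the URL before any sign-in takes place.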
The researchers at Proofpoint have also observed refinements to the attack chain in February 2026, where TA416 began linking to archives hosted on Google Drive or compromised SharePoint instances. The downloaded archives include a legitimate Microsoft MSBuild executable and a malicious C# project file.
When the MSBuild executable is run, it searches for a project file and automatically builds it. In the observed TA416 activity, the CSPROJ file acts as a downloader: it decodes three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, saves the files to the user's temp directory, and runs a legitimate executable that loads PlugX via the group's typical DLL side-loading chain.
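An added illustration, not Proofpoint's detection logic: a scanner that parses a .csproj, counts inline-task code blocks and decodes any Base64 tokens that turn out to be URLs, run against a constructed project file that mirrors the downloader shape described above (the download-and-execute logic is deliberately left out of the sample; the file name, task name and URLs are invented).

```python
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# Base64 alphabet runs long enough to hold a URL (shorter runs are noise).
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")

def decoded_urls(text):
    """Yield every Base64 token in `text` that decodes to an http(s) URL."""
    for token in B64_TOKEN.findall(text):
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        value = raw.decode("utf-8", "ignore")
        if value.lower().startswith(("http://", "https://")):
            yield value

def scan_csproj(xml_text):
    """Count inline-task <Code> elements and collect Base64-encoded URLs
    found in any element text or attribute of the project file."""
    root = ET.fromstring(xml_text)
    report = {"inline_code_elements": 0, "encoded_urls": []}
    for element in root.iter():
        tag = element.tag.split("}")[-1]        # drop the MSBuild namespace
        if tag == "Code":                        # <Code> under <Task> is inline C#
            report["inline_code_elements"] += 1
        for blob in [element.text or ""] + list(element.attrib.values()):
            report["encoded_urls"].extend(decoded_urls(blob))
    return report

# Constructed sample mirroring the shape described above: an inline task
# whose code holds three encoded URLs (fetch/execute logic omitted).
SAMPLE_URLS = ["https://downloads.invalid/loader.exe",
               "https://downloads.invalid/side.dll",
               "https://downloads.invalid/payload.dat"]
_ENC = [base64.b64encode(u.encode()).decode() for u in SAMPLE_URLS]
SAMPLE_CSPROJ = f"""<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task><Code Type="Fragment" Language="cs"><![CDATA[
      string[] enc = {{ "{_ENC[0]}", "{_ENC[1]}", "{_ENC[2]}" }};
    ]]></Code></Task>
  </UsingTask>
</Project>"""

if __name__ == "__main__":
    print(scan_csproj(SAMPLE_CSPROJ))
```

A project file that both carries inline task code and embeds encoded URLs is a strong candidate for analyst review; legitimate builds rarely need either.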
TA416's malware remains a consistent presence throughout its intrusions, although the legitimate, signed executables abused for DLL side-loading have varied over time. The backdoor is also known to establish an encrypted communication channel with its command-and-control (C2) server, but not before performing anti-analysis checks to sidestep detection.
The researchers have identified five different commands that PlugX accepts:
* 0x00000002, to capture system information
* 0x00001005, to uninstall the malware
* 0x00001007, to adjust the beaconing interval and timeout parameters
* 0x00003004, to download a new payload (EXE, DLL, or DAT) and execute it
* 0x00007002, to open a reverse command shell
TA416's return to European government targeting in mid-2025 is consistent with a renewed intelligence-collection focus against EU and NATO-affiliated diplomatic entities. The group's expansion to Middle Eastern government targeting in March 2026 further highlights how the group's tasking prioritization is likely influenced by geopolitical flashpoints and escalations.
The disclosure comes as Darktrace revealed that Chinese-nexus cyber operations have evolved from strategically-aligned activity in the 2010s to highly adaptive, identity-centric intrusions with an intent to establish long-term persistence within critical infrastructure networks.
In Darktrace's data, U.S.-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the U.K., Panama, Colombia, the Philippines, and Hong Kong. A majority of cases (63%) involved the exploitation of internet-facing infrastructure to obtain initial access.
One notable case involved an actor who had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days later. This operational pause underscores both the depth of the intrusion and the actor's long-term strategic intent.
In conclusion, TA416's malicious campaign against European governments and diplomatic organizations represents a significant threat to national security and critical infrastructure. The use of bespoke PlugX variants, OAuth-based phishing emails, and DLL side-loading triads demonstrates the sophistication and adaptability of this threat actor.
The researchers at Proofpoint have provided valuable insights into the tactics, techniques, and procedures (TTPs) employed by TA416, which will be essential in informing cybersecurity strategies and mitigating the impact of this threat actor's activities.
As the threat landscape continues to evolve, it is crucial that governments, organizations, and individuals remain vigilant and proactive in protecting themselves against such sophisticated threats.
Related Information:
https://www.ethicalhackingnews.com/articles/A-China-Linked-Threat-Actor-Targets-European-Governments-The-TA416-Malware-Campaign-ehn.shtml
https://thehackernews.com/2026/04/china-linked-ta416-targets-european.html
https://cybernews.com/security/chinese-spy-group-ta416-target-europe-nato/
https://hunt.io/blog/darkpeony-certificate-patterns
https://www.group-ib.com/media-center/press-releases/dark-pink-apt/
https://www.recordedfuture.com/research/reddelta-chinese-state-sponsored-group-targets-mongolia-taiwan-southeast-asia
https://apt.etda.or.th/cgi-bin/showcard.cgi?g=RedDelta
https://en.wikipedia.org/wiki/Double_Dragon_(hacking_group)
https://attack.mitre.org/groups/G0129/
https://securityaffairs.com/184083/apt/china-linked-unc6384-exploits-windows-zero-day-to-spy-on-european-diplomats.html
https://cloud.google.com/blog/topics/threat-intelligence/prc-nexus-espionage-targets-diplomats
https://www.darktrace.com/blog/how-chinese-nexus-cyber-operations-have-evolved-and-what-it-means-for-cyber-risk-and-resilience
https://hackread.com/salt-typhoon-apt-telecom-energy-sectors-darktrace/
https://attack.mitre.org/groups/G1017/
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
https://www.ibm.com/think/x-force/hive0154-targeting-us-philippines-pakistan-taiwan
https://securelist.com/honeymyte-updates-coolclient-uses-browser-stealers-and-scripts/118664/
https://cybersecuritynews.com/honeymyte-hacker-group-updates-coolclient-malware/
https://unit42.paloaltonetworks.com/stately-taurus-abuses-vscode-southeast-asian-espionage/
https://advisory.eventussecurity.com/advisory/two-chinese-apt-groups-intensify-cyber-espionage-activities-targeting-asean-nations/
Published: Fri Apr 3 14:29:09 2026 by llama3.2 3B Q4_K_M