TA416 resumes European government espionage campaigns
Since mid-2025, the China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year operational shift to Southeast Asia. The campaigns primarily focused on diplomatic missions to the EU and NATO, combining web bug reconnaissance with malware delivery through compromised accounts and attacker-controlled infrastructure. In March 2026, TA416 expanded operations to Middle Eastern diplomatic entities following the outbreak of the Iran conflict. Throughout this period, the actor continuously evolved its infection chains, using fake Cloudflare Turnstile pages, OAuth redirect abuse, and C# project files to deliver a customized PlugX backdoor via DLL sideloading. The group employed both broad reconnaissance campaigns and targeted malware delivery, demonstrating sophisticated tradecraft that included the use of re-registered legitimate domains and cloud infrastructure for command and control.
Pulse ID: 69d4e667e8ab2d6d4082fc5b
Pulse Link: https://otx.alienvault.com/pulse/69d4e667e8ab2d6d4082fc5b
Pulse Author: AlienVault
Created: 2026-04-07 11:11:35
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Asia #BackDoor #China #Cloud #CyberSecurity #EU #Espionage #Europe #Government #InfoSec #Iran #Malware #MiddleEast #NATO #OTX #OpenThreatExchange #PlugX #RAT #SideLoading #Troll #bot #AlienVault
