Threat Insight

Proofpoint's insights on targeted attacks & the security landscape.
Threat Insight Blog: https://www.proofpoint.com/us/blog/threat-insight
Threat Insight on X: https://twitter.com/threatinsight

The China-aligned espionage actor TA416 (RedDelta, Vertigo Panda, Red Lich) has been observed targeting European and Middle Eastern governments, a sign of how its priorities are likely influenced by geopolitical flashpoints and escalations.

It is a shift following two years of focus on Southeast Asia and Mongolia, with recent campaigns most heavily targeting individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU.

Our threat research blog has the details. https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionag

Monetary concerns + federal deadlines + abundance of “time-sensitive” email advertisements. Tax season is a recipe for #cybercrime. Our researchers have seen hundreds of malicious tax-themed campaigns this year.

Read the threat brief: https://brnw.ch/21x1bsI

🚨 New tactics and activity: An increase in RMM payloads, activity from newly identified threat actors, and a broader variety of social engineering lures.

👉 Same end goal: To trick your users into clicking malicious links, downloading infected files, or sharing sensitive information.

See our team’s blog for campaign examples targeting organizations in the U.S., as well as Canada, Australia, Switzerland, and Japan, among others.

While #taxseason is a popular time for these types of lures, financial-themed campaigns are effective year-round. Proofpoint recommends organizations educate users about these scams and encourage them to stay vigilant. ⚠️

Proofpoint has directly observed a targeted email campaign that delivers DarkSword RCE, and we attribute the messages to Russian FSB threat actor TA446 with high confidence. We have not previously observed TA446 target users’ iCloud accounts or Apple devices, but the adoption of the leaked DarkSword iOS exploit kit has now enabled the actor to target iOS devices. TA446 does not overlap with UNC6353.

On March 26, 2026, Proofpoint observed many compromised senders spoofing the Atlantic Council in a campaign that we attribute to TA446 (Callisto, COLDRIVER, Star Blizzard, which is linked to Russia’s FSB Centre 18). The volume of emails from TA446 has been significantly higher over the last 2 weeks compared to normal operational tempo, delivering the MAYBEROBOT backdoor via password-protected ZIP files. The activity on March 26 was a similar spike, but with links instead of attachments. Proofpoint automated analysis was redirected to a benign decoy PDF, likely because of server-side filtering to only redirect iPhone browsers to the exploit kit.

New reports on TA446 using the DarkSword iOS exploit kit were intriguing. The DarkSword iOS exploit kit was recently published on GitHub, but Proofpoint had not yet observed it in use in the wild. A DarkSword loader uploaded to VirusTotal (MD5: 5fa967dbef026679212f1a6ffa68d575) referenced escofiringbijou[.]com, a TA446 second-stage domain independently observed by Proofpoint, corroborating the group's use of DarkSword.

A submission on URLScan (https://urlscan.io/result/019d2c02-e06f-773f-a7a8-72516045f0da/#transactions) confirmed that the TA446-controlled domain was serving the DarkSword exploit kit, including the initial redirector, exploit loader, RCE, and PAC bypass components. The sandbox escapes were not observed.

Related compromised first stage domains also include motorbeylimited[.]com and bridetvstreaming[.]org. Only the activity from March 26 spoofing Atlantic Council has been linked to DarkSword usage; previous TA446 activity shows no indication of exploit use.

Proofpoint did not directly observe the iOS exploit kit delivery but believes the actor has adopted the exploit kit for the purposes of credential harvesting and intelligence collection. The targeting Proofpoint observed in the email campaigns was much wider than usual and included government, think tank, higher education, financial, and legal entities, indicating that this new capability led TA446 to attempt to use DarkSword opportunistically against a broader target set. This is a notable adoption, as Proofpoint has not previously observed TA446 targeting iOS devices.

Proofpoint researchers identified a targeted campaign against operations personnel at energy firms linked to projects in Pakistan.

We track the activity as UNK_VaporVibes.

The messages were sent on 18 March 2026, and mimicked invitations to the upcoming Pakistan Energy Exhibition & Conference (PEEC).

The actor used compromised accounts from a Pakistani university and a government organization to deliver PDF attachments with a fake Adobe Reader prompt.

The notable part came after the click. The PDF link used the “microsoft-edge:” URI scheme before redirecting to a Cloudflare Workers hosted (*[.]adobe-org[.]workers[.]dev) ClickOnce application resource.

We assess that the Edge scheme handoff was likely intended to direct victims into the browser path that supports the next stage.

This is consistent with UNK_VaporVibes’ repeated use of ClickOnce-focused delivery.

The redirect chain was also wrapped in geofencing and browser fingerprinting, limiting access to intended targets. That likely reduced the exposure to automated analysis while keeping the delivery path tightly scoped.

The ClickOnce execution chain leads to the Havoc Demon C2 framework (https://github.com/HavocFramework/Havoc), an open-source post exploitation tool.

The targeting, the PEEC-themed PDF lure, Edge redirection, and ClickOnce staging align with prior UNK_VaporVibes activity and show overlaps with activity publicly associated with SloppyLemming (https://arcticwolf.com/resources/blog/sloppylemming-deploys-burrowshell-and-rust-based-rat-to-target-pakistan-and-bangladesh/).

Indicators of compromise:

7487abe753e73070612c6e8573af9d58791389813a5b54ddcf740f1391e2cd20 (Adobe.application)
Demon C2 host: soc[.]pkcrt-0ea[.]workers[.]dev

Suricata rule to detect the Microsoft Edge redirect:
2068325 - ET HUNTING 302 Redirect to Microsoft Edge Browser
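The Edge scheme handoff described above can also be hunted for at the attachment layer, before any redirect fires. The following is an added example, not code from the post or from Proofpoint: it pulls link targets out of raw PDF bytes and flags "microsoft-edge:" (and other non-web) URI schemes, surfacing the host Edge would be sent to. The PDF fragment and the workers.dev hostnames are constructed placeholders that follow the pattern in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample PDF fragment (not a real sample from the campaign): one
# benign https link and two "microsoft-edge:" handoffs. The workers.dev hosts
# are placeholders that follow the pattern described in the post.
HEX_URI = b"<" + b"microsoft-edge:https://placeholder.workers.dev/".hex().encode() + b">"
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Subtype /Link /A << /S /URI /URI (https://www.example.org/agenda.pdf) >> >> endobj\n"
    b"2 0 obj << /Subtype /Link /A << /S /URI /URI "
    b"(microsoft-edge:https://placeholder.adobe-org.workers.dev/Adobe.application) >> >> endobj\n"
    b"3 0 obj << /Subtype /Link /A << /S /URI /URI " + HEX_URI + b" >> >> endobj\n"
)

# /URI followed by a literal string (escapes honoured, nested parens not) or a hex
# string. Simplification: targets inside compressed object streams are not inflated.
URI_RE = re.compile(rb"/URI\s*(\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>)", re.S)

def decode_pdf_string(token: bytes) -> str:
    """Decode a PDF literal "(...)" or hex "<...>" string token into text."""
    if token.startswith(b"<"):
        digits = re.sub(rb"\s", b"", token[1:-1])
        if len(digits) % 2:
            digits += b"0"  # PDF treats a missing final hex digit as 0
        return bytes.fromhex(digits.decode()).decode("latin-1")

    def unescape(m: re.Match) -> bytes:
        g = m.group(1)  # octal escape -> byte value; \( \) \\ -> the char itself
        return bytes([int(g, 8) & 0xFF]) if re.fullmatch(rb"[0-7]{1,3}", g) else g

    return re.sub(rb"\\([0-7]{1,3}|.)", unescape, token[1:-1], flags=re.S).decode("latin-1")

def classify_uri(uri: str) -> dict:
    """Flag link targets that hand off to a local URI handler instead of a web page."""
    scheme, _, rest = uri.partition(":")
    finding = {"uri": uri, "scheme": scheme.lower(), "flag": None, "inner_host": None}
    if finding["scheme"] == "microsoft-edge":
        # The text after the scheme is the URL Edge will open: surface its host.
        finding["inner_host"] = urlparse(rest).hostname
        finding["flag"] = "edge-scheme-handoff"
    elif finding["scheme"] not in ("http", "https", "mailto"):
        finding["flag"] = "non-web-scheme"
    return finding

def scan_pdf(pdf: bytes) -> list:
    """Return only the suspicious link targets found in the PDF bytes."""
    targets = [decode_pdf_string(m.group(1)) for m in URI_RE.finditer(pdf)]
    return [f for f in map(classify_uri, targets) if f["flag"]]
```

Running `scan_pdf(SAMPLE_PDF)` returns the two Edge handoffs with their inner workers.dev hosts and ignores the plain https link; pairing the flagged host with the Suricata hit gives the analyst both the lure and the redirect in one view.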

The cloud threat research team at Proofpoint has discovered an account takeover campaign targeting around 40,000 users. Malicious activity has been recorded as early as Feb. 2nd, with a surge on Feb. 10th and a peak on Feb. 12th.

For a large number of users, the attacker initially attempted to log in with the correct credentials, although in most cases, conditional access policies and MFA denied access. This suggests the attacker relied, at least in part, on stolen or leaked credentials.

Malicious login attempts correlated to this campaign seem to originate from an outdated Google Chrome browser, namely version 72, initially released in January 2019. Nowadays, this specific user agent is rarely observed in legitimate activity.

Login attempts correlated to this campaign originated from more than 200 distinct domains, most of which are commercial VPN providers and Tor exit nodes.

Moreover, this campaign solely targets the Microsoft Office 365 Portal.

IoCs:

User agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36

Application ID: 00000006-0000-0ff1-ce00-000000000000 (Microsoft Office 365 Portal)
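The two IoCs above are enough to pull this campaign out of sign-in telemetry, and the post's key observation (correct password, but stopped by conditional access or MFA) decides what to do per user. The following is an added example, not code from the post or from Proofpoint: it filters constructed sign-in events on the Chrome 72 user agent and the Office 365 Portal application ID, then triages each user. The record field names are my simplified assumption, loosely modelled on Entra ID sign-in logs, and the result-code mapping is my understanding of the AADSTS codes.

```python
from collections import defaultdict

# Assumed, simplified sign-in record shape (field names are mine, loosely
# modelled on Entra ID sign-in logs). The events below are constructed samples.
CAMPAIGN_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36")
PORTAL_APP_ID = "00000006-0000-0ff1-ce00-000000000000"  # Microsoft Office 365 Portal

# AADSTS result codes as I understand them: 0 success, 50126 bad password,
# 53003 blocked by Conditional Access, 50076 MFA challenge not satisfied.
# Any of the last three except 50126 means the password itself was accepted.
PASSWORD_ACCEPTED = {0, 53003, 50076}

SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ip": "198.51.100.7", "appId": PORTAL_APP_ID, "userAgent": CAMPAIGN_UA, "errorCode": 53003},
    {"user": "alice@example.com", "ip": "203.0.113.9", "appId": PORTAL_APP_ID, "userAgent": CAMPAIGN_UA, "errorCode": 53003},
    {"user": "bob@example.com", "ip": "198.51.100.7", "appId": PORTAL_APP_ID, "userAgent": CAMPAIGN_UA, "errorCode": 50126},
    {"user": "carol@example.com", "ip": "203.0.113.44", "appId": PORTAL_APP_ID, "userAgent": CAMPAIGN_UA, "errorCode": 0},
    {"user": "dave@example.com", "ip": "192.0.2.5", "appId": PORTAL_APP_ID, "userAgent": "Mozilla/5.0 (constructed) Chrome/123.0", "errorCode": 0},
]

def is_campaign_event(ev: dict) -> bool:
    """Match both IoCs from the post: the stale Chrome 72 UA hitting the O365 portal."""
    return ev["userAgent"] == CAMPAIGN_UA and ev["appId"] == PORTAL_APP_ID

def triage(events: list) -> dict:
    """Group campaign hits per user and decide the response each user needs."""
    per_user = defaultdict(lambda: {"attempts": 0, "sources": set(),
                                    "password_accepted": False, "success": False})
    for ev in filter(is_campaign_event, events):
        rec = per_user[ev["user"]]
        rec["attempts"] += 1
        rec["sources"].add(ev["ip"])  # distinct VPN/Tor exits seen for this user
        if ev["errorCode"] in PASSWORD_ACCEPTED:
            rec["password_accepted"] = True  # credential is valid; CA/MFA did the stopping
        if ev["errorCode"] == 0:
            rec["success"] = True
    for rec in per_user.values():
        if rec["success"]:
            rec["action"] = "revoke sessions, reset password, review mailbox rules"
        elif rec["password_accepted"]:
            rec["action"] = "reset password (leaked credential), keep MFA/CA enforced"
        else:
            rec["action"] = "monitor; block source if volume continues"
    return dict(per_user)
```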

Since the start of Operation Epic Fury on February 28, 2026, Proofpoint researchers have observed heightened cyber activity against Middle East targets tied to the war. Our new blog shares examples of how the conflict in Iran is accelerating cyber espionage across the Middle East.

🔗: https://brnw.ch/21x0EJ8

Iran-aligned #TA453 ( #CharmingKitten #APT42 ) recently attempted credential phishing against a U.S. think tank, continuing its longstanding intelligence collection efforts. At the same time, multiple state-sponsored actors, including groups suspected to be linked to China, Belarus, Pakistan, and Hamas, are targeting Middle Eastern government entities using conflict-themed lures, often sent from compromised government or diplomatic accounts.

This reflects both opportunistic social engineering and a broader shift in intelligence collection priorities driven by the conflict.

View the full blog to see campaign examples observed by our researchers. We will continue monitoring the landscape and keep our customers and community informed as the situation evolves.

Be sure to catch Daniel's presentation, "Welcome to the Endgame," alongside co-presenter Europol during #RSAC 2026.

🗓️ Wednesday, March 25
🕣 8:30 a.m. - 9:20 a.m.
⭐️ Session code FRP-W01

🚨 A major cybercriminal player, Tycoon 2FA, has been disrupted by law enforcement and private sector partners, including Microsoft, Europol, Proofpoint, Cloudflare, and TrendAI.

See our blog for details on the takedown of the popular phishing-as-a-service (PhaaS) platform announced today. https://brnw.ch/21x0s5G

⚠️ #Tycoon2FA is the highest volume adversary-in-the-middle (AiTM) phishing threat observed in our email data. Its disruption and the associated lawsuit filed by Microsoft and Health-ISAC will have a significant impact on the threat landscape.

We were proud to extend our human- and agent-centric security mission to assist in this investigation. Our vast threat telemetry enabled us to share unique insight into Tycoon 2FA activity and campaign data.

🚨 Proofpoint threat researchers have observed a notable evolution in how attackers weaponize trust around enterprise tooling.

In a new blog, our team shares its findings and role in disrupting TrustConnect, a malware-as-a-service platform posing as a legitimate remote monitoring tool.

Details: https://brnw.ch/21x05Vh

This Valentine’s Day invite came with a payload no one asked for. 💔 As February 14th nears, Proofpoint researchers warn of malicious Valentine’s Day-themed lures and threats.

⚠️ The screenshot below is of an actual lure recently sent from a compromised account.

This example, which was observed and blocked by our team, leveraged legitimate remote monitoring and management (RMM) as a first-stage payload. RMM attacks can result in data collection, financial theft, lateral movement, and the installation of follow-on malware, including ransomware.

Cybercriminals will always attempt to capitalize on current events, and Valentine’s Day is no exception. Such lures are designed to appear as legitimate emails from trusted sources, increasing the likelihood that a target clicks or engages. 💌

Proofpoint recommends that organizations:

• Train users to identify and report suspicious activity

• Restrict the download/installation of any unapproved RMM tooling

• Ensure network detections alert on any activity to RMM servers