TA416 Resurfaces: Chinese Hackers Target European and Middle Eastern Governments with PlugX Malware
A China-linked threat actor, **TA416**, has renewed its focus on European and Middle Eastern government and diplomatic organizations, deploying updated **PlugX** malware variants. The group is using sophisticated techniques, including OAuth redirect abuse and DLL side-loading, to compromise targets and gather intelligence.

Since mid-2025, **TA416**, a threat actor aligned with China, has been actively targeting European government and diplomatic organizations after a two-year period of relative inactivity in the region. This activity overlaps with other known clusters, including DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.
**European Espionage Campaign**
Researchers at **Proofpoint**, Mark Kelly and Georgi Mladenov, reported that **TA416** has launched multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across various European countries. The group has consistently adapted its infection chain, utilizing techniques such as abusing **Cloudflare** Turnstile challenge pages, exploiting OAuth redirects, and employing C# project files. Frequent updates to its custom **PlugX** payload have also been observed.
**Middle East Targeting**
Following the escalation of the U.S.-Israel-Iran conflict in late February 2026, **TA416** has also orchestrated campaigns targeting diplomatic and government entities in the Middle East, likely in an effort to gather regional intelligence related to the conflict.
**Connections to Mustang Panda**
**TA416** shares historical technical overlaps with **Mustang Panda** (aka CerenaKeeper, Red Ishtar, and UNK_SteadySplit). These two activity groups are collectively tracked under various monikers, including Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon.
While **TA416** primarily uses bespoke **PlugX** variants, **Mustang Panda** has been observed deploying tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks. A common tactic used by both groups is DLL side-loading to launch malware.
**Infection Techniques**
**TA416's** renewed focus on European entities involves a combination of web bug and malware delivery campaigns. The threat actors use freemail sender accounts for reconnaissance and deploy the **PlugX** backdoor via malicious archives hosted on **Microsoft Azure** Blob Storage, **Google Drive**, attacker-controlled domains, and compromised **SharePoint** instances. Previous **PlugX** malware campaigns were documented by **StrikeReady** and **Arctic Wolf** in October 2025.
Web bugs, or tracking pixels, are tiny, invisible objects embedded in emails that trigger an HTTP request to a remote server when opened. This reveals the recipient's IP address, user agent, and time of access, allowing the attacker to assess whether the email was opened by the intended target.
Attacks observed in December 2025 leveraged third-party **Microsoft Entra ID** cloud applications to initiate redirects that lead to the download of malicious archives. Phishing emails contained links to **Microsoft's** legitimate OAuth authorization endpoint, which, when clicked, redirects the user to an attacker-controlled domain and ultimately deploys **PlugX**.

**OAuth Redirect Abuse**
**Microsoft** has warned of phishing campaigns targeting government and public-sector organizations that employ OAuth URL redirection mechanisms to bypass conventional phishing defenses in email and browsers.
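The two email-borne techniques described above, tracking pixels and links through Microsoft's OAuth authorization endpoint that carry an attacker-controlled `redirect_uri`, can both be triaged from the message body. This is an added illustration, not Proofpoint's or Microsoft's code: it assumes `login.microsoftonline.com` as the authorization endpoint host, a constructed sample email, and a hypothetical `example-attacker.test` domain.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample email body (not from the campaign): an ordinary logo,
# a 1x1 hidden tracking pixel, and an OAuth authorize link whose
# redirect_uri points at a hypothetical attacker-controlled host.
SAMPLE_HTML = """
<p>Dear Attache, please review the attached agenda.</p>
<img src="https://cdn.example.org/logo.png" width="120" height="40">
<img src="https://track.example-attacker.test/p.gif?id=7" width="1" height="1" style="display:none">
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&response_type=code&redirect_uri=https%3A%2F%2Ffiles.example-attacker.test%2Fcb&scope=openid">Open agenda</a>
"""

# Domains the organisation expects OAuth flows to return to (assumed).
TRUSTED_REDIRECT_HOSTS = {"example.org"}

class EmailLinkScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.web_bugs = []          # remote images that are tiny or hidden
        self.oauth_redirects = []   # redirect_uri hosts outside the trusted set

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img" and a.get("src", "").startswith("http"):
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "")
            if tiny or hidden:
                self.web_bugs.append(a["src"])
        elif tag == "a" and a.get("href"):
            u = urlparse(a["href"])
            # Match Microsoft's authorize endpoint and inspect where it will send the user.
            if u.hostname == "login.microsoftonline.com" and u.path.endswith("/authorize"):
                target = parse_qs(u.query).get("redirect_uri", [""])[0]
                host = urlparse(target).hostname or ""
                trusted = any(host == d or host.endswith("." + d) for d in TRUSTED_REDIRECT_HOSTS)
                if not trusted:
                    self.oauth_redirects.append(host)

def scan_email(html):
    """Return the web bugs and untrusted OAuth redirect hosts found in an email body."""
    scanner = EmailLinkScanner()
    scanner.feed(html)
    return {"web_bugs": scanner.web_bugs, "untrusted_oauth_redirects": scanner.oauth_redirects}
```

Because the authorization endpoint itself is legitimate, URL-reputation checks on the link host alone will pass; the `redirect_uri` parameter is the value worth inspecting.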
**MSBuild Exploitation**
In February 2026, **TA416** began linking to archives hosted on **Google Drive** or compromised **SharePoint** instances. These archives include a legitimate **Microsoft MSBuild** executable and a malicious C# project file.
When the **MSBuild** executable is run, it searches the current directory for a project file and automatically builds it. In **TA416's** activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL side-loading triad from a **TA416**-controlled domain, saving them to the user's temp directory, and executing a legitimate executable to load **PlugX** via DLL side-loading.
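The MSBuild-to-side-loading chain above leaves a recognisable trail in endpoint telemetry: a copy of MSBuild.exe executing from a user-writable directory, then a child process in the temp directory that loads a DLL from its own folder. The following detection logic is an added example, not Proofpoint's or any vendor's rule; the Sysmon-like events, paths, and file names are constructed.

```python
import ntpath

# Constructed sample telemetry (not real campaign data): MSBuild.exe run from an
# extracted archive, then a signed executable started from the user's temp
# directory that loads a DLL sitting beside it.
EVENTS = [
    {"type": "process_create", "pid": 4100, "ppid": 900,
     "image": r"C:\Users\alice\Downloads\agenda\MSBuild.exe"},
    {"type": "process_create", "pid": 4120, "ppid": 4100,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe"},
    {"type": "image_load", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\plugin.dll"},
    {"type": "image_load", "pid": 4120,
     "image": r"C:\Users\alice\AppData\Local\Temp\updater.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
]

# Locations where a legitimate MSBuild.exe or a system DLL is expected to live.
SYSTEM_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def in_system_path(path):
    return path.lower().startswith(SYSTEM_ROOTS)

def find_suspicious_chain(events):
    """Return alerts for MSBuild executed outside system paths and for its
    descendants that load a DLL from their own non-system directory.
    Events are assumed to be in chronological order."""
    alerts, msbuild_pids, children = [], set(), set()
    for e in events:
        if e["type"] != "process_create":
            continue
        name = ntpath.basename(e["image"]).lower()
        if name == "msbuild.exe" and not in_system_path(e["image"]):
            msbuild_pids.add(e["pid"])
            alerts.append(("msbuild_outside_system_path", e["pid"], e["image"]))
        elif e["ppid"] in msbuild_pids and not in_system_path(e["image"]):
            children.add(e["pid"])
    for e in events:
        if e["type"] == "image_load" and e["pid"] in children:
            exe_dir = ntpath.dirname(e["image"]).lower()
            dll_dir = ntpath.dirname(e["loaded"]).lower()
            # A DLL loaded from the executable's own directory is the side-loading signal.
            if exe_dir == dll_dir and not in_system_path(e["loaded"]):
                alerts.append(("possible_dll_sideload_after_msbuild", e["pid"], e["loaded"]))
    return alerts
```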
**PlugX Analysis**
The **PlugX** malware remains a consistent element throughout **TA416's** intrusions. The signed executables abused for DLL side-loading have varied over time. The backdoor establishes an encrypted communication channel with its command-and-control (C2) server after performing anti-analysis checks to evade detection.
**PlugX Command Set**
**PlugX** accepts the following commands:
* **0x00000002**: Capture system information
* **0x00001005**: Uninstall the malware
* **0x00001007**: Adjust beaconing interval and timeout parameter
* **0x00003004**: Download a new payload (EXE, DLL, or DAT) and execute it
* **0x00007002**: Open a reverse command shell
**Geopolitical Influence**
**Proofpoint** notes that **TA416's** shift back to European government targeting in mid-2025, after focusing on Southeast Asia and Mongolia for two years, indicates a renewed intelligence-collection focus against EU and NATO-affiliated diplomacy entities. The expansion to Middle Eastern government targeting in March 2026 further highlights how the group's tasking prioritization is influenced by geopolitical flashpoints and escalations. The group has demonstrated a willingness to iterate on infection chains, cycling through fake **Cloudflare** Turnstile pages, OAuth redirect abuse, and **MSBuild**-based delivery, while continuously updating its customized **PlugX** backdoor.
**Chinese Cyber Operations Evolving**
**Darktrace** revealed that Chinese-nexus cyber operations have evolved from strategically-aligned activity in the 2010s to highly adaptive, identity-centric intrusions aimed at establishing long-term persistence within critical infrastructure networks.
Based on a review of attack campaigns between July 2022 and September 2025, U.S.-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the U.K., Panama, Colombia, the Philippines, and Hong Kong. A majority of cases (63%) involved the exploitation of internet-facing infrastructure (e.g., **CVE-2025-31324** and **CVE-2025-0994**) to gain initial access.
In one case, the actor had fully compromised the environment and established persistence, only to resurface more than 600 days later. This operational pause underscores the depth of the intrusion and the actor's long-term strategic intent, according to **Darktrace**.