Close Menu
    What's Hot

    Live Updates: Fed Chairman Speaks in Congress After Data Showing Inflation Cooled

    Inflation Slowed During Pause in War With Iran

    Trump escalates threats to free press in subpoenas to 5 New York Times reporters

    Facebook X (Twitter) Instagram
    Trending
    • Live Updates: Fed Chairman Speaks in Congress After Data Showing Inflation Cooled
    • Inflation Slowed During Pause in War With Iran
    • Trump escalates threats to free press in subpoenas to 5 New York Times reporters
    • ‘Piracy’: Will Trump’s 20 percent Hormuz toll find takers? | Conflict News
    • The Pentagon Needs $1.5 Trillion
    • Telegram’s shortlink domain is back online after day-long suspension
    • The Federal Reserve and Bank of England have a trust deficit
    • Live Updates: Inflation Slows on Lower Energy Prices
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

    adminBy adminApril 3, 2026No Comments5 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
    Share
    Facebook Twitter LinkedIn Pinterest Email

    China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

    A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region.

    The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda.

    “This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries,” Proofpoint researchers Mark Kelly and Georgi Mladenov said.

    “Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload.”

    TA416 has also been observed orchestrating multiple campaigns aimed at diplomatic and government entities in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026. The effort is likely an attempt to gather regional intelligence pertaining to the conflict, the enterprise security company added.

    It’s worth mentioning here that TA416 also shares historical technical overlaps with another cluster known as Mustang Panda (aka CerenaKeeper, Red Ishtar, and UNK_SteadySplit). The two activity groups are collectively tracked under the monikers Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon. 

    While TA416’s attacks are characterized by the use of bespoke PlugX variants, the Mustang Panda cluster has repeatedly deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks. What’s common to both of them is the use of DLL side-loading to launch the malware.

    Cybersecurity

    TA416’s renewed focus on European entities is driven a mix of web bug and malware delivery campaigns, with the threat actors using freemail sender accounts to conduct reconnaissance and deploy the PlugX backdoor via malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under their control, and compromised SharePoint instances. The PlugX malware campaigns were previously documented by StrikeReady and Arctic Wolf in October 2025.

    “A web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient’s IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target,” Proofpoint said.

    Attacks carried out by TA416 in December 2025 have been found to leverage third-party Microsoft Entra ID cloud applications to initiate redirects that lead to the download of malicious archives. Phishing emails used as part of this attack wave contain a link to Microsoft’s legitimate OAuth authorization endpoint that, when clicked, redirects the user to the attacker-controlled domain and ultimately deploys PlugX.

    The use of this technique has not escaped Microsoft’s notice, which last month warned of phishing campaigns targeting government and public-sector organizations that employ OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers.

    Further refinements to the attack chain were observed in February 2026, when TA416 began linking to archives hosted on Google Drive or a compromised SharePoint instance. The downloaded archives, in this case, include a legitimate Microsoft MSBuild executable and a malicious C# project file.

    “When the MSBuild executable is run, it searches the current directory for a project file and automatically builds it,” the researchers said. “In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, saving them to the user’s temp directory, and executing a legitimate executable to load PlugX via the group’s typical DLL side-loading chain.”

    The PlugX malware remains a consistent presence throughout TA416’s intrusions, although the legitimate, signed executables abused for DLL side-loading have varied over time. The backdoor is also known to establish an encrypted communication channel with its command-and-control (C2) server, but not before performing anti-analysis checks to sidestep detection.

    PlugX accepts five different commands –

    • 0x00000002, to capture system information
    • 0x00001005, to uninstall the malware
    • 0x00001007, to adjust beaconing interval and timeout parameter
    • 0x00003004, to download a new payload (EXE, DLL, or DAT) and execute it
    • 0x00007002, to open a reverse command shell

    “TA416’s shift back to European government targeting in mid-2025, following two years of focus on Southeast Asia and Mongolia, is consistent with a renewed intelligence-collection focus against EU and NATO-affiliated diplomacy entities,” Proofpoint said.

    Cybersecurity

    “In addition, TA416’s expansion to Middle Eastern government targeting in March 2026 further highlights how the group’s tasking prioritization is likely influenced by geopolitical flashpoints and escalations. Throughout this period, the group has shown a willingness to iterate on infection chains, cycling through using fake Cloudflare Turnstile pages, OAuth redirect abuse, and MSBuild-based delivery, while continuing to update its customized PlugX backdoor.”

    The disclosure comes as Darktrace revealed that Chinese‑nexus cyber operations have evolved from strategically-aligned activity in the 2010s to highly adaptive, identity-centric intrusions with an intent to establish long-term persistence within critical infrastructure networks.

    Based on a review of attack campaigns between July 2022 and September 2025, U.S.-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the U.K., Panama, Colombia, the Philippines, and Hong Kong. A majority of cases (63%) involved the exploitation of internet-facing infrastructure (e.g., CVE-2025-31324 and CVE-2025-0994) to obtain initial access.

    “In one notable case, the actor had fully compromised the environment and established persistence, only to resurface in the environment more than 600 days after,” Darktrace said. “The operational pause underscores both the depth of the intrusion and the actor’s long‑term strategic intent.”

    ChinaLinked European Governments OAuthBased Phishing PlugX TA416 targets
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleSalah leaves Liverpool after record-breaking career
    Next Article Anker’s small, five-port travel adapter is down to its best price yet
    admin
    • Website

    Related Posts

    11 Old Microsoft-Signed Linux UEFI Shims Could Let Attackers Bypass Secure Boot

    July 14, 2026

    U.S. Sanctions First VPN Service and Malware Cryptor Seller Over Ransomware Support

    July 14, 2026

    Grok Build Uploaded Entire Git Repositories to xAI Storage, Not Just Files It Read

    July 14, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Live Updates: Fed Chairman Speaks in Congress After Data Showing Inflation Cooled

    Inflation Slowed During Pause in War With Iran

    Trump escalates threats to free press in subpoenas to 5 New York Times reporters

    ‘Piracy’: Will Trump’s 20 percent Hormuz toll find takers? | Conflict News

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by