
TA416 Resumes Targeting European Governments with PlugX

Eng. Donya Bino Published  ·  4 min read

A China-aligned threat actor has resumed targeting European government and diplomatic organizations after a two-year period of relative inactivity in the region.

The activity has been attributed to TA416, a threat cluster also known by names such as DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. Researchers note significant technical overlap with another group commonly called Mustang Panda.

According to Proofpoint, TA416 launched multiple waves of attacks against diplomatic missions to the European Union and NATO across several European countries. The campaigns combined web bugs (tracking pixels) for reconnaissance with malware delivery, frequently changing their infection chains to stay ahead of defenses.

The group has shown a clear willingness to iterate on its tactics. Recently observed techniques include:
1.  Misuse of Cloudflare Turnstile challenge pages
2.  Abuse of OAuth redirects
3.  Use of malicious C# project files executed by a genuine MSBuild executable
4.  Continuous modification of its custom PlugX variant

In early 2026, as the US-Israel-Iran conflict progressed, TA416 also broadened its targeting to diplomatic and government entities in the Middle East in order to collect intelligence from that region.

Attack Methods

TA416 makes initial contact through phishing emails sent from free email accounts. These emails typically include a web bug (a tracking pixel) to confirm that the targeted individual has opened the message. The malicious archives themselves are hosted on Microsoft Azure Blob Storage, Google Drive, an attacker-controlled domain, or a compromised SharePoint instance.
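The web bug is the cheapest reconnaissance step in the chain: the mail client fetches a remote image when the message renders, and that request tells the sender which recipient opened it, when, and from which IP. The following checker, written for this page rather than taken from the Proofpoint report, flags the remote images in an HTML email that behave like tracking pixels. The heuristics (a 1px or hidden remote image, or a remote image whose URL carries a long opaque per-recipient token) and the sample email are the author's assumptions and constructed data, not indicators from the campaign.

```python
"""Flag likely web bugs (tracking pixels) in an HTML email body.

Added example. The heuristics below are assumptions chosen for illustration:
tiny or hidden remote images, and remote images whose query string carries a
long opaque value (typically a per-recipient identifier).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> element in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1' or '1px'; None if not a number."""
    value = value.strip().lower().rstrip("px")
    try:
        return int(value)
    except ValueError:
        return None


def find_web_bugs(html):
    """Return the remote <img> elements that look like tracking pixels.

    Each entry is {"src": url, "reasons": [..]} in document order.
    """
    parser = _ImgCollector()
    parser.feed(html)
    bugs = []
    for img in parser.images:
        src = img.get("src", "")
        if urlparse(src).scheme.lower() not in ("http", "https"):
            continue  # inline (cid:) or data: images cannot phone home
        reasons = []
        w, h = _px(img.get("width", "")), _px(img.get("height", ""))
        if (w is not None and w <= 1) or (h is not None and h <= 1):
            reasons.append("1px image")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        # A long opaque query value is usually a per-recipient identifier.
        for values in parse_qs(urlparse(src).query).values():
            if any(len(v) >= 16 for v in values):
                reasons.append("per-recipient token in URL")
                break
        if reasons:
            bugs.append({"src": src, "reasons": reasons})
    return bugs


# Constructed sample lure: an inline logo, an ordinary remote banner, a 1px
# tokenised tracking pixel, and a remote image hidden with CSS.
SAMPLE_EMAIL = """
<html><body>
<p>Dear Ambassador, please find the agenda attached.</p>
<img src="cid:logo@embassy" width="120" height="40">
<img src="https://cdn.example.net/banner.png" width="600" height="80">
<img src="https://track.example.net/open.gif?r=7f3a9c1e5b2d4a6f8c0e" width="1" height="1">
<img src="https://img.example.org/p.png" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL):
        print(bug["src"], "->", ", ".join(bug["reasons"]))
```

A mail gateway can use the same logic to rewrite or strip flagged images before delivery; blocking remote image loading by default in the mail client achieves the same effect without any parsing.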

In December 2025, the group abused Microsoft Entra ID OAuth redirects to get past email and web browser protections. By February 2026, it had shifted to Google Drive links or links to compromised SharePoint instances to deliver archives containing a legitimate MSBuild executable bundled with a malicious C# project file. When MSBuild processes that project file, the file acts as a first-stage downloader, pulling down a DLL side-loading triad (typically a legitimate signed executable, the malicious DLL it loads, and an encrypted payload file) that is used to side-load the PlugX backdoor onto the system.
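Two things about that MSBuild chain are abnormal on any endpoint that is not a developer workstation: msbuild.exe runs from wherever the archive was extracted rather than from a Microsoft install location, and the project file it is handed sits in a user-writable folder. The hunt below, an added example for this page and not tooling from Proofpoint or the threat actor, triages process-creation events for those signs. The event shape uses Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, User), but the events, paths and the list of expected MSBuild directories are constructed assumptions to adapt to your own estate.

```python
"""Hunt process-creation logs for MSBuild being used as a first-stage loader.

Added example. Events are JSON lines with Sysmon-style field names; the
sample events below are constructed, not real telemetry.
"""
import json
import re

# Directories where a genuine msbuild.exe is expected to live (assumption:
# extend for your own Visual Studio / .NET layout).
LEGIT_MSBUILD_DIRS = (
    r"c:\windows\microsoft.net\framework",
    r"c:\windows\microsoft.net\framework64",
    r"c:\program files\microsoft visual studio",
    r"c:\program files (x86)\microsoft visual studio",
    r"c:\program files\dotnet",
)

# Locations an unprivileged user can write to (assumption, not exhaustive).
USER_WRITABLE = re.compile(
    r"(\\users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|\\temp\\|\\programdata\\|\\users\\public\\)",
    re.IGNORECASE,
)

# A quoted or unquoted path ending in a project/targets file extension.
PROJECT_FILE = re.compile(r'("?)([^\s"]+\.(?:csproj|proj|xml|targets))\1', re.IGNORECASE)

# Parents that indicate a user double-clicked something rather than ran a build.
USER_FACING_PARENTS = ("explorer.exe", "7zfm.exe", "winrar.exe", "outlook.exe")


def triage_msbuild_event(event):
    """Return the reasons an event looks like MSBuild abuse ([] if clean)."""
    image = event.get("Image", "")
    if not image.lower().endswith("\\msbuild.exe"):
        return []
    reasons = []
    if not image.lower().startswith(LEGIT_MSBUILD_DIRS):
        reasons.append("msbuild.exe running from a non-standard location")
    m = PROJECT_FILE.search(event.get("CommandLine", ""))
    if m and USER_WRITABLE.search(m.group(2)):
        reasons.append("project file in a user-writable path: " + m.group(2))
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in USER_FACING_PARENTS:
        reasons.append("launched by " + parent)
    return reasons


def triage_log(lines):
    """Parse JSON-lines events; return (event, reasons) for each suspicious one."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        reasons = triage_msbuild_event(event)
        if reasons:
            hits.append((event, reasons))
    return hits


# Constructed sample: a genuine build from cmd.exe, a lure extracted to the
# user's Temp folder and run from Explorer, and an unrelated process.
SAMPLE_LOG = r"""
{"Image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\MSBuild.exe", "CommandLine": "MSBuild.exe C:\\src\\app\\app.csproj /t:Build", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "User": "CORP\\dev"}
{"Image": "C:\\Users\\attache\\AppData\\Local\\Temp\\Agenda\\MSBuild.exe", "CommandLine": "MSBuild.exe \"C:\\Users\\attache\\AppData\\Local\\Temp\\Agenda\\Agenda.csproj\"", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\attache"}
{"Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe agenda.txt", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\attache"}
"""

if __name__ == "__main__":
    for event, reasons in triage_log(SAMPLE_LOG.splitlines()):
        print(event["User"], event["Image"])
        for reason in reasons:
            print("  -", reason)
```

The location check is the one that matters most: a copied msbuild.exe is still a validly signed Microsoft binary, so signature-based allow-listing will not catch it, whereas its path will. On hosts that have no business compiling anything, a simpler control is to block msbuild.exe outright with an application-control policy.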

PlugX is the group's primary backdoor. It supports five main activity codes, including system reconnaissance, payload execution, reverse shell access, and self-uninstallation. The malware also performs a number of anti-analysis checks and establishes an encrypted connection back to its command-and-control server.

Connection to Mustang Panda

TA416 has a long history of technical overlap with Mustang Panda (also tracked as Earth Preta and Hive0154). While TA416's use of custom PlugX variants differs from the tooling observed with Mustang Panda (TONESHELL, PUBLOAD, and COOLCLIENT), both groups rely on side-loading techniques built around registry, INF, INI, or DLL components.

According to Proofpoint's analysts, TA416's renewed interest in Europe, followed by a switch of focus to the Middle East, demonstrates a clear realignment of intelligence priorities driven by current geopolitical events.

Key Takeaway

This campaign illustrates the long-term strategic patience of China-aligned groups and their adaptability in both tooling and delivery methods as world events change. Their use of living-off-the-land techniques and trusted platforms such as OAuth, MSBuild, and cloud storage also makes detection considerably harder.

Government, diplomatic, and similar organisations should implement the following recommendations:
1. Exercise greater caution when reviewing unsolicited emails containing links or attachments, and treat remote images as potential tracking pixels.
2. Monitor for unusual OAuth redirect activity, particularly redirects that lead to file-sharing or cloud storage services.
3. Deploy proper email security controls and run user training programmes on email safety and security.
4. Periodically review endpoint logs for evidence of PlugX or other backdoors, including MSBuild launched from user-writable locations and DLL side-loading by otherwise legitimate executables.

The resurgence of TA416 in Europe and its expansion into the Middle East demonstrate the need for constant vigilance against sophisticated, geopolitically motivated cyber operations.

Source: The Hacker News


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067