Security News

Cybersecurity news aggregator

HIGH Attacks Proofpoint

The spy who logged me in.

China-linked threat actor TA416 is conducting spearphishing campaigns targeting European and Middle Eastern government and diplomatic entities, using fake Cloudflare verification pages, Microsoft OAuth redirect abuse, and malicious C# project files to deliver customized PlugX malware. The group's tactics have evolved between mid-2025 and early 2026, with the renewed activity linked to shifting geopolitical tensions.

Research Saturday, Ep 424 | 5.9.26: The spy who logged me in.

Mark Kelly, Staff Threat Researcher at Proofpoint, is discussing their work on "I’d come running back to EU again: TA416 resumes European government espionage campaigns." China-linked threat group TA416 has resumed large-scale phishing and malware campaigns targeting European governments, diplomatic missions tied to the EU and NATO, and more recently Middle Eastern entities following the outbreak of conflict in Iran. The group has continually evolved its tactics between mid-2025 and early 2026, using techniques like fake Cloudflare verification pages, Microsoft OAuth redirect abuse, and malicious C# project files to deliver customized PlugX malware through spearphishing campaigns. Researchers say the renewed activity reflects shifting geopolitical priorities tied to EU-China tensions, the Russia-Ukraine war, and instability in the Middle East, while highlighting TA416’s ongoing focus on intelligence gathering against diplomatic networks.

The research and executive brief can be found here: I’d come running back to EU again: TA416 resumes European government espionage campaigns
