{"id":493,"date":"2026-04-03T18:28:35","date_gmt":"2026-04-03T18:28:35","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=493"},"modified":"2026-04-03T18:28:35","modified_gmt":"2026-04-03T18:28:35","slug":"china-linked-ta416-targets-european-governments-with-plugx-and-oauth-based-phishing","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=493","title":{"rendered":"China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing"},"content":{"rendered":"
\n
<\/a><\/div>\n

A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025,\u00a0following a two-year\u00a0period of minimal targeting in the\u00a0region.<\/p>\n

The campaign has been attributed\u00a0to TA416<\/strong>, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo\u00a0Panda.<\/p>\n

\u00abThis TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries,\u00bb Proofpoint researchers Mark Kelly and Georgi\u00a0Mladenov said<\/a>.<\/p>\n

\u00abThroughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX\u00a0payload.\u00bb<\/p>\n

TA416 has also been observed orchestrating multiple campaigns aimed at diplomatic and government entities in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026. The\u00a0effort is likely an attempt to gather regional intelligence pertaining\u00a0to the conflict, the enterprise security company\u00a0added.<\/p>\n

It’s worth mentioning here that TA416 also shares historical technical overlaps with another cluster known\u00a0as Mustang\u00a0Panda (aka CerenaKeeper, Red Ishtar, and UNK_SteadySplit). The\u00a0two activity groups are collectively tracked under the monikers Earth Preta, Hive0154, HoneyMyte, Stately\u00a0Taurus, Temp.HEX, and Twill\u00a0Typhoon.\u00a0<\/p>\n

While\u00a0TA416’s attacks are characterized by the use of bespoke PlugX variants, the Mustang Panda cluster has repeatedly deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks. What’s common to both of them is the use of DLL side-loading to launch the\u00a0malware.<\/p>\n

\n
\"Cybersecurity\"<\/a><\/div>\n<\/div>\n

TA416’s renewed focus on European entities is\u00a0driven\u00a0a mix of web bug and malware delivery campaigns, with the threat actors using freemail sender accounts to conduct reconnaissance and deploy the PlugX backdoor via malicious archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under their control, and compromised SharePoint instances. The\u00a0PlugX malware campaigns were previously documented\u00a0by StrikeReady\u00a0and Arctic\u00a0Wolf in October\u00a02025.<\/p>\n

<\/p>\n

\u00abA web bug (or tracking pixel) is a tiny invisible object embedded in an email that triggers an HTTP request to a remote server when opened, revealing the recipient’s IP address, user agent, and time of access, allowing the threat actor to assess whether the email was opened by the intended target,\u00bb Proofpoint\u00a0said.<\/p>\n

Attacks carried out by TA416 in December 2025 have been found to leverage third-party Microsoft Entra ID cloud applications to initiate redirects that lead to the download of malicious archives. Phishing emails used as part of this attack wave contain a link to Microsoft’s legitimate OAuth<\/a> authorization endpoint that, when clicked, redirects the user to the attacker-controlled domain and ultimately deploys\u00a0PlugX.<\/p>\n

\"\"<\/a><\/div>\n

The\u00a0use of this technique has not escaped Microsoft’s notice, which last\u00a0month warned of phishing campaigns targeting government and public-sector organizations that employ OAuth URL redirection mechanisms to bypass conventional phishing defenses implemented in email and\u00a0browsers.<\/p>\n

Further refinements to the attack chain were observed in February 2026, when TA416 began linking to archives hosted on Google Drive or a compromised SharePoint instance. The\u00a0downloaded archives, in this case, include a legitimate Microsoft MSBuild executable and a malicious C# project\u00a0file.<\/p>\n

\u00abWhen the MSBuild executable is run, it searches the current directory for a project file and automatically builds it,\u00bb the researchers said. \u00abIn the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, saving them to the user’s temp directory, and executing a legitimate executable to load PlugX via the group’s typical DLL side-loading\u00a0chain.\u00bb<\/p>\n

The\u00a0PlugX malware remains a consistent presence throughout TA416’s intrusions, although the legitimate, signed executables abused for DLL side-loading have varied over time. The\u00a0backdoor is also known to establish an encrypted communication channel with its command-and-control (C2) server, but not before performing anti-analysis checks to sidestep detection.<\/p>\n

PlugX\u00a0accepts five different commands\u00a0–<\/p>\n