www.infosecurity-magazine.com 4/1/2026, 12:46:37 PM

Chinese Hackers Target European Governments in Espionage Campaigns


TA416, the Chinese state-backed group also known as Mustang Panda, has reemerged with a renewed wave of espionage campaigns against European governments after a quiet period, with Proofpoint researchers detecting activity from mid-2025 and continuing into 2026.

The campaigns targeted EU and NATO diplomatic missions across several European countries, employing multiple infection-chain alterations and a range of techniques, including abusing Cloudflare Turnstile challenge pages, OAuth redirects, and updated PlugX payloads.

According to Proofpoint researchers, TA416 ran both web bug and malware delivery campaigns, using freemail and compromised government mailboxes to circulate links to malicious archives hosted on Microsoft Azure Blob Storage and other domains, and loading PlugX via DLL sideloading triads.

Initial access techniques shifted over time, from spoofed Cloudflare Turnstile pages gating ZIP archives in September 2025 to abuse of Microsoft Entra ID third‑party applications and, from February 2026, archives containing renamed Microsoft MSBuild executables and malicious C# project files, with attackers also exploiting ZIP smuggling using LNK files.

The campaigns maintained a consistent objective of loading the PlugX backdoor, and, in March 2026, expanded targets to diplomatic and government entities in the Middle East, according to MITRE ATT&CK and other findings.


Article by CyberSIXT