A China-aligned threat actor has renewed focus on European government and diplomatic organisations since mid-2025, after a period of reduced targeting in the region. The campaign has been attributed to TA416, a cluster of activity that overlaps with several other groups, with Proofpoint researchers noting multiple waves of web bug and malware delivery against EU and NATO missions.
TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile pages and OAuth redirects, using C# project files, and updating its PlugX payload. Attacks used freemail sender accounts for reconnaissance and delivered the PlugX backdoor via archives hosted on Microsoft Azure Blob Storage, Google Drive, domains under TA416 control, and compromised SharePoint instances.
In December 2025, the group leveraged third-party Microsoft Entra ID cloud applications to initiate redirects to an attacker-controlled domain, where phishing links redirected to Microsoft's OAuth endpoint to deploy PlugX. The campaign's renewed European focus follows earlier exploits and underscores TA416's use of DLL side-loading and a modular delivery chain, according to Proofpoint.
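The OAuth redirect abuse described above relies on a legitimate Microsoft sign-in URL whose `redirect_uri` points at infrastructure the attacker controls. A defender's first triage step is therefore to pull every link that targets Microsoft's authorize endpoint out of inbound mail or proxy logs and compare the redirect host against the tenant's known application callbacks. The following is an added example of that check; it is not Proofpoint's code nor taken from the report. The authorize endpoint host and path are Microsoft's real ones; the allowed-redirect host, the sample links and the `.invalid` domains are constructed placeholders.

```python
from urllib.parse import urlparse, parse_qs

# Microsoft's Entra ID OAuth 2.0 authorize endpoint host (real value).
MS_OAUTH_HOST = "login.microsoftonline.com"

# Assumption: the redirect hosts registered for applications the organisation
# actually uses. A constructed placeholder; a real deployment would load this
# from the tenant's app registrations.
ALLOWED_REDIRECT_HOSTS = {"app.example-ministry.invalid"}

# Constructed sample links of the kind a mail gateway would extract.
SAMPLE_BENIGN = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=00000000-0000-0000-0000-000000000000&response_type=code"
    "&redirect_uri=https%3A%2F%2Fapp.example-ministry.invalid%2Fcallback&scope=openid"
)
SAMPLE_SUSPICIOUS = (
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
    "?client_id=11111111-1111-1111-1111-111111111111&response_type=code"
    "&redirect_uri=https%3A%2F%2Fdocs-review.example-attacker.invalid%2Fcb&scope=openid"
)
SAMPLE_PLAIN = "https://example.invalid/report.pdf"


def parse_oauth_authorize(url):
    """Return the query parameters of url if it targets Microsoft's authorize
    endpoint over HTTPS, otherwise None. parse_qs percent-decodes values, so
    redirect_uri comes back as a normal URL."""
    parsed = urlparse(url)
    if parsed.scheme != "https" or parsed.hostname != MS_OAUTH_HOST:
        return None
    if "/oauth2/" not in parsed.path or not parsed.path.endswith("/authorize"):
        return None
    return {k: v[0] for k, v in parse_qs(parsed.query).items()}


def classify_link(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Classify a single link for triage.

    not-oauth                 : not a Microsoft authorize URL, nothing to judge here
    oauth-missing-redirect    : authorize URL with no redirect_uri (malformed)
    oauth-ok                  : redirect goes to an allowed host or a subdomain of one
    oauth-suspicious-redirect : redirect leaves the tenant's known callbacks
    """
    params = parse_oauth_authorize(url)
    if params is None:
        return "not-oauth"
    redirect = params.get("redirect_uri")
    if not redirect:
        return "oauth-missing-redirect"
    host = urlparse(redirect).hostname
    if host is None:
        return "oauth-suspicious-redirect"
    if host in allowed_hosts or any(host.endswith("." + a) for a in allowed_hosts):
        return "oauth-ok"
    return "oauth-suspicious-redirect"


def triage(links, allowed_hosts=ALLOWED_REDIRECT_HOSTS):
    """Return only the links that warrant analyst attention, with their verdicts."""
    verdicts = {u: classify_link(u, allowed_hosts) for u in links}
    return {u: v for u, v in verdicts.items() if v.startswith("oauth-") and v != "oauth-ok"}


if __name__ == "__main__":
    for url, verdict in triage([SAMPLE_BENIGN, SAMPLE_SUSPICIOUS, SAMPLE_PLAIN]).items():
        print(verdict, url)
```

The important design point is that Microsoft will only redirect to a URI registered on the application named by `client_id`, so a link like `SAMPLE_SUSPICIOUS` is not malformed from Microsoft's side: a third-party app registration simply has an attacker-owned callback. The allowlist therefore has to reflect which applications the organisation has actually consented to, not whether the authorize URL itself looks legitimate; pairing this check with a review of unexpected third-party app consents in the tenant closes the gap.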