The China-aligned threat actor TA416 has renewed its targeting of European and Middle Eastern government and diplomatic organizations from mid-2025 through early 2026, according to the Proofpoint threat research team.
TA416 is believed to overlap with several other tracked threat clusters, including RedDelta, Red Lich, Vertigo Panda, SmugX, and DarkPeony.
After a relative lull in European operations between mid-2023 and mid-2025, during which the group focused primarily on Southeast Asia, Taiwan, and Mongolia, TA416 has once again shifted its focus to diplomatic missions connected to the European Union and NATO. The renewed activity coincided with rising geopolitical tensions, including trade disputes, the Russia–Ukraine war, and disagreements over rare earth exports, and began shortly after the 25th EU–China summit.
Proofpoint researchers observed multiple waves of activity, including both reconnaissance and malware delivery campaigns. TA416 embedded tracking pixels in phishing emails to determine whether targets had opened the messages, allowing the group to aim follow-up attacks at confirmed readers. The emails often came from Gmail accounts or compromised diplomatic mailboxes and featured topical lures, such as European military deployments.
Malware campaigns involved links to malicious archives hosted across platforms including Microsoft Azure, Google Drive, and compromised SharePoint environments. The payloads deployed a customized version of the PlugX backdoor using DLL sideloading techniques long associated with the group.
In March 2026, TA416 expanded its operations beyond Europe, targeting diplomatic and government entities in the Middle East in the weeks following the outbreak of conflict in Iran. This marks a notable shift for the group, which had not traditionally focused on the region, and was likely an effort to gather intelligence on the evolving conflict.
While some of TA416's tactics, techniques and procedures remained unchanged, Proofpoint observed the group modifying its infection chains, including the use of fake Cloudflare Turnstile verification pages, abuse of OAuth redirects via Microsoft Entra ID applications, and the deployment of malicious C# project files. Multi-stage infection chains involving ZIP smuggling, LNK files, and encrypted payloads ultimately led to the deployment of the PlugX malware.
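Two of the indicators above can be checked mechanically on a suspicious message: a remote tracking pixel (the reconnaissance technique from the earlier waves) and a login link that runs through an Entra ID authorization endpoint but sends the user somewhere outside Microsoft's domains. The script below is an added example, not Proofpoint's tooling or anything published with the report. The sample message, the `example.net` domains, and the allowlist of Microsoft redirect domains are constructed for the example; the assumption that an abused OAuth redirect shows up as an off-platform `redirect_uri` in an `authorize` URL is the author's, since the report only states that OAuth redirects via Entra ID applications were abused.

```python
"""Triage a raw e-mail for tracking pixels and off-platform OAuth redirects.

Added example; the sample message and all domains are constructed placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample: one hidden remote 1x1 image, one inline (cid:) logo that
# cannot phone home, and one Entra ID authorize link whose redirect_uri lands
# on a third-party host.
SAMPLE_EML = b"""\
From: press@example.net
To: desk@embassy.example
Subject: Deployment update
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<html><body>
<p>Please review the attached briefing.</p>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=00000000-0000-0000-0000-000000000000&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Fdocs.example.net%2Fcb">Open document</a>
<img src="https://track.example.net/p.gif?id=42" width="1" height="1" style="display:none">
<img src="cid:logo" width="120" height="40">
</body></html>
"""

# Hosts that serve the Entra ID / Microsoft account authorize endpoints.
MS_AUTHORIZE_HOSTS = {"login.microsoftonline.com", "login.microsoft.com", "login.live.com"}
# Assumed allowlist: redirect targets an analyst would treat as first-party.
TRUSTED_REDIRECT_SUFFIXES = (".microsoft.com", ".microsoftonline.com", ".office.com", ".live.com")


class _TagCollector(HTMLParser):
    """Collect <img> attribute dicts and <a href> values from an HTML body."""

    def __init__(self):
        super().__init__()
        self.imgs, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            self.imgs.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])  # HTMLParser has already unescaped &amp;


def _dim(value):
    """Parse a width/height attribute such as '1' or '1px'; None if absent."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def is_tracking_pixel(img):
    """Remote image that is 1px in either dimension or hidden by inline CSS."""
    src = (img.get("src") or "").lower()
    if not src.startswith(("http://", "https://")):
        return False  # inline cid:/data: images do not contact a server
    w, h = _dim(img.get("width")), _dim(img.get("height"))
    tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
    style = (img.get("style") or "").replace(" ", "").lower()
    hidden = "display:none" in style or "visibility:hidden" in style
    return tiny or hidden


def suspicious_oauth_redirect(url):
    """Return the redirect_uri if url is a Microsoft authorize link whose
    redirect target is outside the trusted suffixes, else None.

    A hit is a candidate for review, not a verdict: legitimate third-party
    apps also register their own redirect URIs."""
    u = urlparse(url)
    if u.hostname not in MS_AUTHORIZE_HOSTS or "/authorize" not in u.path:
        return None
    for target in parse_qs(u.query).get("redirect_uri", []):  # already %-decoded
        host = (urlparse(target).hostname or "").lower()
        trusted = any(host == s.lstrip(".") or host.endswith(s) for s in TRUSTED_REDIRECT_SUFFIXES)
        if not trusted:
            return target
    return None


def triage(raw_message):
    """Parse an RFC 822 message and return both indicator lists."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    collector = _TagCollector()
    collector.feed(html)
    pixels = [i["src"] for i in collector.imgs if is_tracking_pixel(i)]
    redirects = []
    for link in collector.links:
        target = suspicious_oauth_redirect(link)
        if target:
            redirects.append((link, target))
    return {"tracking_pixels": pixels, "oauth_redirects": redirects}


if __name__ == "__main__":
    for key, hits in triage(SAMPLE_EML).items():
        print(key, hits)
```

Run against a real mailbox export, the tracking-pixel hits tell you which messages phone home on open (and therefore which recipients the actor may already know have read the lure), while the redirect hits give the analyst a short list of `authorize` links to verify against the tenant's registered applications.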
“While Proofpoint has not observed the use of these fake Cloudflare Turnstile pages in our telemetry since November 2025, submissions to third-party malware repositories in January 2026 suggest the group is continuing to use this technique selectively,” the report notes.