
ONE Sentinel

Security / THREATS / HIGH

China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Source: The Hacker News
Date: April 3, 2026
Reading time: 1 min

EXECUTIVE SUMMARY

China-Linked TA416 Resurfaces to Target European Governments with Advanced Phishing Techniques

Summary

A China-aligned threat actor, TA416, has resumed its focus on European government and diplomatic entities since mid-2025. This marks a return after a two-year lull in activity in the region.

Key Points

  • TA416 overlaps with activity that other vendors track under the names DarkPeony, RedDelta, Red Lich, SmugX, UNC6384 and Vertigo Panda.
  • The campaign targets European government and diplomatic organizations, indicating a strategic focus on political entities.
  • The attack methods include the use of PlugX malware and OAuth-based phishing techniques.
  • The resurgence began in mid-2025, following a period of minimal activity in Europe.

Analysis

The re-emergence of TA416 against European governments underscores the persistent threat posed by state-aligned actors. Pairing an established implant such as PlugX with OAuth-based phishing shows how these groups adapt their initial-access tradecraft while keeping proven tooling. The campaign reflects a strategic interest in European political affairs, most likely aimed at collecting sensitive information, and potentially at disrupting governmental operations.

Conclusion

Defenders should increase monitoring for indicators of compromise tied to TA416 and the overlapping clusters named above. Because the campaign relies on OAuth-based phishing, phishing defenses should cover not only email and credential theft but also the authorization flow itself, such as reviewing which third-party applications users are permitted to consent to and auditing newly granted OAuth permissions. Staying current on the group's evolving tactics remains essential to mitigating this threat.