{"id":230934,"date":"2026-04-03T13:34:00","date_gmt":"2026-04-03T17:34:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/04\/03\/china-linked-ta416-targets-european-governments-with-plugx-and-oauth-based-phishing\/"},"modified":"2026-04-03T20:35:09","modified_gmt":"2026-04-04T00:35:09","slug":"china-linked-ta416-targets-european-governments-with-plugx-and-oauth-based-phishing","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/04\/03\/china-linked-ta416-targets-european-governments-with-plugx-and-oauth-based-phishing\/","title":{"rendered":"China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/china-linked-ta416-targets-european.html\">China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/china-linked-ta416-targets-european.html\">https:\/\/thehackernews.com\/2026\/04\/china-linked-ta416-targets-european.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-04-03 13:34:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025,\u00a0following a two-year\u00a0period of minimal targeting in the\u00a0region.<\/p>\n<p>The campaign has been attributed\u00a0to <strong>TA416<\/strong>, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo\u00a0Panda.<\/p>\n<p>&#8220;This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries,&#8221; Proofpoint researchers Mark Kelly and Georgi\u00a0Mladenov said.<\/p>\n<p>&#8220;Throughout this period, TA416 regularly altered its infection chain, including abusing 
Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX\u00a0payload.&#8221;<\/p>\n<p>TA416 has also been observed orchestrating multiple campaigns aimed at diplomatic and government entities in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026. The\u00a0effort is likely an attempt to gather regional intelligence pertaining\u00a0to the conflict, the enterprise security company\u00a0added.<\/p>\n<p>It&#8217;s worth mentioning here that TA416 also shares historical technical overlaps with another cluster known\u00a0as Mustang\u00a0Panda (aka CerenaKeeper, Red Ishtar, and UNK_SteadySplit). The\u00a0two activity groups are collectively tracked under the monikers Earth Preta, Hive0154, HoneyMyte, Stately\u00a0Taurus, Temp.HEX, and Twill\u00a0Typhoon.\u00a0<\/p>\n<p>While\u00a0TA416&#8217;s attacks are characterized by the use of bespoke PlugX variants, the Mustang Panda cluster has repeatedly deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks. 
What&#8217;s common to both of them is the use of DLL side-loading to launch the\u00a0malware.<\/p>\n<p>TA416&#8217;s renewed focus on European entities is\u00a0driven\u00a0by a mix of web bug and malware delivery campaigns, with the threat actors using freemail sender accounts to conduct reconnaissance and deploy the PlugX backdoor via malicious&#8230;<\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/04\/china-linked-ta416-targets-european.html\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing https:\/\/thehackernews.com\/2026\/04\/china-linked-ta416-targets-european.html Publish Date: 2026-04-03 13:34:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":230935,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgi-dKCldJqtZI1CocMVxHNKusU5tcnMKjx7mzG9EfehvGacnTy4tsTfZLMfhyphenhyphenC5W210OxrxijBNAP8UumXAZH15ZSOM4x8xb9VTIHxN1HCouzROU0pn7sCJki9zJOkk9_8SRns73KxO1KvxUY4YgKGbbme6ZcKdbt4cqSHUkG5WQQPgDDTx_OLRbms35Dv\/s1600\/chinese-hackers.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[32,25,34],"class_list":["post-230934","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-malware","tag-phishing","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230934"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=230934"}],"version-history":[{"count":1,"href":"
https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230934\/revisions"}],"predecessor-version":[{"id":230936,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/230934\/revisions\/230936"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/230935"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=230934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=230934"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=230934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}