VYPR
breach · Published Apr 1, 2026 · Updated May 18, 2026 · 1 source

Chinese TA416 Hackers Resume Espionage Campaigns Against European Governments

Chinese state-backed group TA416 (Mustang Panda) has resumed targeted espionage campaigns against European governments after a lull since 2023, using web bugs, spoofed Cloudflare pages, OAuth redirects, and C# project files to deliver the PlugX backdoor.

Chinese state-backed threat group TA416, widely known as Mustang Panda, has reemerged with a fresh wave of cyber espionage campaigns targeting European governments after a period of relative quiet since 2023. Proofpoint researchers detected the renewed activity from mid-2025 through early 2026, with a focus on EU and NATO diplomatic missions across multiple European countries. The group, which has historically targeted government and diplomatic entities globally, adapted its tactics repeatedly to evade detection while maintaining a consistent goal of deploying its custom PlugX backdoor.

The campaigns employed a diverse range of initial access techniques that evolved over time. From September 2025 to January 2026, TA416 used spoofed Cloudflare Turnstile challenge pages that gated access to ZIP archives containing malicious payloads. Between December 2025 and January 2026, the group abused Microsoft Entra ID third-party applications to redirect users to attacker-controlled malware delivery domains. Starting in February 2026, the group shifted to archives containing a renamed Microsoft MSBuild executable and malicious C# project files. In each case, TA416 relied on ZIP smuggling, using Windows shortcut (LNK) files or CSPROJ-based downloaders to deliver the same triad: a signed executable, a malicious DLL, and an encrypted payload. The signed executable sideloads the DLL, which decrypts the payload and loads PlugX into memory.
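The archive patterns described above (an LNK lure, a C# project file next to an executable, and the sideloading triad of EXE, DLL and encrypted blob) can be triaged automatically at a mail gateway or sandbox intake. The script below is an added example written for this page; it is not Proofpoint's tooling and does not use the report's indicators. The sample archive, its file names, the entropy threshold and the heuristic names are all constructed assumptions; a real deployment would pair these checks with the published IOCs and signature verification of the EXE.

```python
"""Heuristic triage of a ZIP archive for TA416-style delivery patterns.

Added example for this page, not Proofpoint's detection logic. The archive is
built in memory from constructed file names and dummy bytes; the heuristic
labels and the entropy threshold are assumptions chosen for illustration.
"""
import io
import math
import zipfile
from collections import Counter, defaultdict
from pathlib import PurePosixPath

# Extensions under which a PE image (starts with "MZ") is expected to appear.
PE_EXTS = {".exe", ".dll", ".sys", ".scr", ".cpl", ".ocx"}


def _entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ~8.0 indicates encrypted/compressed data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_sample_archive() -> bytes:
    """Constructed lure archive: LNK at the top level, sideload triad and a
    CSPROJ in a subdirectory. The bytes are placeholders, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Greenland_Briefing.pdf.lnk", b"L\x00\x00\x00" + b"\x00" * 60)
        z.writestr("data/helper.exe", b"MZ" + b"\x00" * 1000)   # "signed" host EXE
        z.writestr("data/helper.dll", b"MZ" + b"\x00" * 800)    # sideloaded DLL
        z.writestr("data/helper.dat", bytes(range(256)) * 8)    # high-entropy blob
        z.writestr("data/build.csproj", b"<Project></Project>")
    return buf.getvalue()


def triage_archive(zip_bytes: bytes, entropy_threshold: float = 7.5) -> list:
    """Return a sorted list of heuristic findings for the archive's members."""
    findings = set()
    per_dir = defaultdict(lambda: defaultdict(int))  # directory -> kind -> count
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            p = PurePosixPath(info.filename)
            ext = p.suffix.lower()
            parent = str(p.parent)
            with z.open(info) as f:
                data = f.read()
            is_pe = data.startswith(b"MZ")

            if ext == ".lnk":
                findings.add("lnk-in-archive")
                if len(p.suffixes) > 1:          # e.g. Briefing.pdf.lnk
                    findings.add("double-extension-lnk")
            if is_pe and ext not in PE_EXTS:     # PE hiding under a data extension
                findings.add("pe-with-disguised-extension")
            if ext == ".csproj":
                per_dir[parent]["csproj"] += 1
            if is_pe and ext == ".exe":
                per_dir[parent]["exe"] += 1
            elif is_pe and ext == ".dll":
                per_dir[parent]["dll"] += 1
            elif (not is_pe and ext not in (".lnk", ".csproj")
                  and _entropy(data) >= entropy_threshold):
                per_dir[parent]["blob"] += 1

    # Co-location checks: sideload triad and CSPROJ beside a (renamed) build host.
    for counts in per_dir.values():
        if counts["exe"] and counts["dll"] and counts["blob"]:
            findings.add("sideload-triad")
        if counts["csproj"] and counts["exe"]:
            findings.add("csproj-beside-exe")
    return sorted(findings)


if __name__ == "__main__":
    print(triage_archive(build_sample_archive()))
```

The entropy check is what separates a benign data file from the encrypted PlugX payload; a renamed MSBuild cannot be identified by name alone, so the CSPROJ-beside-EXE co-location and an Authenticode check of the EXE's original file name are the practical signals.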

The espionage campaigns also included broad web bug operations, in which a tiny, invisible object embedded in an email triggers an HTTP request to the attacker's server when the message is opened, revealing the recipient's IP address, user agent, and access time. These web bugs allowed the threat actor to confirm whether emails were opened by the intended targets before committing a malware payload. The lures used themes such as Europe sending troops to Greenland, demonstrating the group's effort to craft contextually relevant phishing narratives. Malware delivery campaigns used both attacker-controlled freemail accounts and compromised government and diplomatic mailboxes, sending links to malicious archives hosted on Microsoft Azure Blob Storage, actor-controlled domains, Google Drive, and compromised SharePoint instances.
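Monitoring for the web bug technique comes down to spotting remote images in inbound HTML mail that exist only to beacon. The detector below is an added example for this page, not Proofpoint's code; the sample message, the placeholder tracker domains and the size, CSS and token heuristics are assumptions about how such pixels are typically built.

```python
"""Flag probable web bugs (tracking pixels) in an HTML e-mail body.

Added example for this page, not Proofpoint's detection logic. SAMPLE_HTML is
a constructed message; the ".invalid" hosts are placeholders, and the size,
CSS and URL-token heuristics are assumptions, not indicators from the report.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_TINY = {"0", "1", "0px", "1px"}
_HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_TINY_CSS = re.compile(r"(width|height)\s*:\s*[01]px", re.I)
# A long opaque path segment such as /o/8f3a1c9d2e7b4a6f.gif is a per-recipient token.
_TOKEN_PATH = re.compile(r"/[A-Za-z0-9_-]{16,}(\.(gif|png|jpg))?$")


class _ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag (self-closing included)."""

    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def find_web_bugs(html: str, trusted_hosts=()) -> list:
    """Return [(src, [reasons])] for remote images that look like beacons.

    Inline (cid:) and data: images cannot reach the attacker's server and are
    skipped; hosts in trusted_hosts (e.g. the organisation's own CDN) are skipped.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.imgs:
        src = img.get("src", "").strip()
        u = urlparse(src)
        if u.scheme not in ("http", "https") or u.hostname in trusted_hosts:
            continue
        reasons = []
        if img.get("width", "").strip() in _TINY or img.get("height", "").strip() in _TINY:
            reasons.append("tiny")
        style = img.get("style", "")
        if _HIDDEN_CSS.search(style) or _TINY_CSS.search(style):
            reasons.append("hidden")
        if u.query or _TOKEN_PATH.search(u.path):
            reasons.append("tracking-token")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one legitimate logo, one inline image, two web bugs.
SAMPLE_HTML = """
<html><body>
<p>Briefing: Europe to send troops to Greenland (draft attached).</p>
<img src="https://www.example-ministry.invalid/logo.png" width="200" height="60">
<img src="cid:chart01@local" width="1" height="1">
<img src="https://cdn.example-tracker.invalid/o/8f3a1c9d2e7b4a6f.gif" width="1" height="1">
<img src="https://example-tracker.invalid/p?u=d9c2f1" style="display:none">
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_web_bugs(SAMPLE_HTML):
        print(src, why)
```

Run over a mail stream, the findings are worth correlating with the sending domain's registration age, since the report notes TA416 used freshly re-registered domains for its web bugs; blocking remote image loading in the mail client removes the beacon entirely.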

In March 2026, following the outbreak of conflict involving Iran, Proofpoint observed TA416 expand its targeting to include diplomatic and government entities in the Middle East. This expansion suggests the group can rapidly pivot its operational focus in response to geopolitical developments. The infrastructure employed by TA416 in these campaigns relied on re-registered, formerly legitimate domains for command-and-control (C2) communication, malware delivery, and web bugs, often putting a domain into use within days of re-registration, before reputation-based defenses could flag it. The group also leveraged the virtual private server providers Evoxt Enterprise, XNNET LLC, and Kaopu Cloud HK Limited, and used the Cloudflare content delivery network to obscure backend hosting IP addresses.

The relationship between TA416 and the broader Mustang Panda cluster remains complex. Proofpoint tracks Mustang Panda under two primary clusters: TA416 and a second group designated UNK_SteadySplit. Prior research by Trend Micro identified technical overlaps between the two, including a TONESHELL C2 IP address embedded in a filepath within LNK files used in TA416 campaigns, suggesting organizational or personnel links. However, Proofpoint noted that no similar connections have been observed in recent campaigns, leaving the exact nature of the relationship unclear. The group operates under numerous aliases including Vertigo Panda, RedDelta, Red Lich, UNC6384, SmugX, DarkPeony, Twill Typhoon, Temp.HEX, Earth Preta, Stately Taurus, HoneyMyte, and Hive0154.

This resurgence of TA416 activity highlights the persistent threat posed by Chinese state-sponsored espionage groups to European diplomatic and government targets. The group's repeated adaptation of infection chains — moving from Cloudflare Turnstile spoofing to OAuth abuse to C# project files — demonstrates a sophisticated threat actor committed to evolving its tradecraft to maintain operational effectiveness. Organizations within EU and NATO diplomatic missions should review Proofpoint's indicators of compromise and implement monitoring for the web bug technique, OAuth application abuse, and DLL sideloading vectors detailed in the April 1 report.

Synthesized by Vypr AI