TA416 returned to European diplomatic networks in mid-2025, ending a two-year period of minimal regional activity, and has since run multiple waves of phishing and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries.
The group, which overlaps with clusters tracked as DarkPeony, RedDelta, SmugX, UNC6384, and Vertigo Panda, did not simply resume old methods. It kept changing them.
Proofpoint researchers Mark Kelly and Georgi Mladenov documented how TA416 rotated through fake Cloudflare Turnstile challenge pages, OAuth redirect abuse, and C# project files delivered via MSBuild, all while regularly updating its custom PlugX payload.
The delivery infrastructure shifted between Microsoft Azure Blob Storage, Google Drive, attacker-controlled domains, and compromised SharePoint instances. Initial reconnaissance was conducted using freemail sender accounts embedding web bugs, tiny invisible tracking objects that reveal a recipient's IP address, user agent, and time of access when the email is opened.
A Legitimate Authorization Endpoint, Repurposed
The December 2025 attack wave introduced a technique that blends into normal enterprise workflows with uncomfortable precision. Phishing emails carried links to Microsoft's own OAuth authorization endpoint. When a recipient clicked, the redirect chain passed through a third-party Microsoft Entra ID cloud application before landing on an attacker-controlled domain, where PlugX was waiting.
Microsoft flagged the same technique the following month, warning that phishing campaigns targeting government and public-sector organizations were using OAuth URL redirection to bypass conventional email and browser defenses.
By February 2026, the delivery method had shifted again. Archives hosted on Google Drive or compromised SharePoint instances now contained a legitimate Microsoft MSBuild executable alongside a malicious C# project file. MSBuild, when run without a project argument, automatically searches the current directory for a project file and builds it, so simply launching the bundled executable is enough to process the attacker's file.
Mark Kelly and Georgi Mladenov, Proofpoint Threat Research: "In the observed TA416 activity, the CSPROJ file acts as a downloader, decoding three Base64-encoded URLs to fetch a DLL side-loading triad from a TA416-controlled domain, saving them to the user's temp directory, and executing a legitimate executable to load PlugX via the group's typical DLL side-loading chain."
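The pattern Proofpoint describes (an inline task in a project file carrying Base64-encoded download URLs) is something defenders can hunt for directly. The following scanner is an added example, not code from the report or from Proofpoint: it parses a .csproj, flags inline code task factories and Exec tasks, and reports any Base64 run that decodes to an http(s) URL. The sample project file and the URL in it are constructed for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Runs of Base64 long enough to hold a URL; the decoded text must itself look like a URL.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
INLINE_FACTORIES = ("CodeTaskFactory", "RoslynCodeTaskFactory")


def decode_embedded_urls(text):
    """Return every Base64 run in `text` that decodes to an http(s) URL."""
    urls = []
    for match in B64_RE.finditer(text):
        try:
            decoded = base64.b64decode(match.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not valid Base64, or not text once decoded
        if URL_RE.match(decoded):
            urls.append(decoded)
    return urls


def scan_csproj(xml_text):
    """Return human-readable findings for one project file; empty list means nothing flagged."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop the MSBuild XML namespace prefix
        factory = el.get("TaskFactory") or ""
        if tag == "UsingTask" and any(f in factory for f in INLINE_FACTORIES):
            findings.append(f"inline C# task compiled at build time via {factory}")
        if tag == "Exec" and el.get("Command"):
            findings.append(f"Exec task runs a command: {el.get('Command')}")
        for value in [el.text or "", *el.attrib.values()]:
            for url in decode_embedded_urls(value):
                findings.append(f"Base64-encoded URL in <{tag}>: {url}")
    return findings


# Constructed sample (not the real TA416 project file): an inline task whose
# code holds one Base64-encoded URL; the task body itself is deliberately elided.
SAMPLE_URL = "https://example.invalid/stage/loader.dll"
SAMPLE_CSPROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory">
    <Task><Code Type="Fragment" Language="cs">
      // body elided in this constructed sample
      string u = "B64_HERE";
    </Code></Task>
  </UsingTask>
  <Target Name="Build"><Stage /></Target>
</Project>""".replace("B64_HERE", base64.b64encode(SAMPLE_URL.encode()).decode())

if __name__ == "__main__":
    for finding in scan_csproj(SAMPLE_CSPROJ):
        print(finding)
```

Pair a file-content check like this with process telemetry: MSBuild.exe starting from a user-writable directory, or spawning a child process out of %TEMP%, is the behavioural side of the same chain.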
What PlugX Does Once Inside
The backdoor, consistent across all TA416 intrusions though updated regularly, establishes an encrypted communication channel with its command-and-control server only after performing anti-analysis checks. It accepts five commands: capturing system information, uninstalling itself, adjusting its beaconing interval, downloading and executing a new payload in EXE, DLL, or DAT format, and opening a reverse command shell.
The legitimate signed executables abused for DLL side-loading have varied over time. The core mechanism has not.
Targeting Follows Geopolitical Events
TA416's renewed focus on European entities follows two years concentrated on Southeast Asia and Mongolia. Proofpoint assessed the return as consistent with a renewed intelligence-collection focus against EU- and NATO-affiliated diplomatic entities.
The group also began targeting diplomatic and government entities in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026. Proofpoint described the effort as likely aimed at gathering regional intelligence pertaining to the conflict.
Separately, Darktrace's review of Chinese-nexus attack campaigns between July 2022 and September 2025 found that U.S.-based organizations accounted for 22.5% of all global events, followed by Italy, Spain, Germany, Thailand, the United Kingdom, Panama, Colombia, the Philippines, and Hong Kong. A majority of cases, 63%, involved exploitation of internet-facing infrastructure for initial access. In one case Darktrace documented, an actor had fully compromised an environment and established persistence, then resurfaced more than 600 days later.
Proofpoint's report does not identify which specific diplomatic missions were compromised or the volume of data accessed, leaving open the question of how much intelligence TA416 collected during the mid-2025 to early 2026 campaign period.