China-aligned TA416 resumes spying on EU & Mideast
Proofpoint says China-aligned threat actor TA416 has resumed cyber espionage campaigns against European government and diplomatic organisations, later expanding its targeting to the Middle East after conflict broke out in Iran.
The renewed activity began in mid-2025, following what Proofpoint described as a period of reduced EU-focused operations in its telemetry.
TA416's European campaigns focused most heavily on individuals and mailboxes linked to diplomatic missions and delegations to NATO and the EU. The activity included multiple waves of web bug reconnaissance and malware delivery aimed at diplomatic missions across several European countries.
Proofpoint had previously observed a high tempo of operations against European government targets until mid-2023, before the group shifted attention away from the region. Between mid-2023 and mid-2025, only limited TA416 targeting in Europe was observed, with most activity instead directed at Southeast Asia, Taiwan and Mongolia.
Changing tactics
TA416 repeatedly changed its infection chain while keeping the same end goal: loading a customised PlugX backdoor through DLL sideloading. Over time, its methods evolved from fake Cloudflare Turnstile pages to abuse of OAuth redirects and then to the use of C# project files.
In the earlier stages, the actor gated access to its ZIP archives behind fake Cloudflare challenge pages, so that the archive was served only to a visitor who interacted with the page rather than to an automated scanner. Later campaigns abused Microsoft Entra ID third-party applications whose OAuth redirect sent users on to attacker-controlled malware delivery domains.
The most recent infection chains used archives containing a renamed copy of Microsoft's MSBuild executable alongside malicious C# project files; MSBuild will compile and run inline task code embedded in a project file, so the renamed build tool plus a crafted .csproj is enough to execute code without a compiled binary in the archive. In each case, delivery relied on either ZIP smuggling using Microsoft shortcut (LNK) files or CSPROJ-based downloaders to retrieve the usual sideloading triad: a legitimately signed executable, a malicious DLL bearing the name that executable loads, and an encrypted payload from which the DLL decrypted and loaded PlugX in memory.
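The renamed-MSBuild step is detectable from process telemetry, because the OriginalFileName that Sysmon (Event ID 1) records comes from the PE version resource and does not change when the file is renamed on disk. The following is an added example of that triage logic, not Proofpoint's detection content; the event records, paths and file names in it are constructed for illustration, and the rules (renamed MSBuild, project file under a user-writable path, launched by a file manager or mail client rather than a build tool) are general heuristics rather than indicators from the report.

```python
"""Triage process-creation records for a renamed MSBuild building a project
file from a user-writable path.

Added example, not Proofpoint's detection logic. The records below are
constructed Sysmon-style (Event ID 1) events; every path and file name in
them is invented for illustration."""
import ntpath
import re

SAMPLE_EVENTS = [
    {   # benign build from an IDE
        "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
        "OriginalFileName": "MSBuild.exe",
        "CommandLine": r'MSBuild.exe "C:\src\app\app.csproj" /t:Build',
        "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
    },
    {   # renamed MSBuild, project in %TEMP%, launched from a file double-click
        "Image": r"C:\Users\alice\AppData\Local\Temp\report.exe",
        "OriginalFileName": "MSBuild.exe",
        "CommandLine": r"report.exe C:\Users\alice\AppData\Local\Temp\Briefing_NATO.csproj",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # real MSBuild name, but building a project out of Downloads via explorer
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
        "OriginalFileName": "MSBuild.exe",
        "CommandLine": r'MSBuild.exe "C:\Users\bob\Downloads\Delegation_Briefing\update.csproj"',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # unrelated process: the rules must not fire on it
        "Image": r"C:\Windows\System32\notepad.exe",
        "OriginalFileName": "NOTEPAD.EXE",
        "CommandLine": "notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

# Quoted or bare arguments ending in a project-file extension.
PROJECT_RE = re.compile(
    r'"([^"]+\.(?:csproj|vbproj|proj))"|(\S+\.(?:csproj|vbproj|proj))', re.IGNORECASE)

# Path fragments that an ordinary user (or a lure archive) can write to.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\desktop\\",
                 "\\programdata\\", "\\users\\public\\")

# Parents that indicate a double-clicked file rather than a developer build.
LURE_PARENTS = ("explorer.exe", "outlook.exe", "7zfm.exe", "winrar.exe")


def project_files(cmdline):
    """Return every project-file path mentioned on the command line."""
    return [quoted or bare for quoted, bare in PROJECT_RE.findall(cmdline)]


def evaluate(ev):
    """Return the list of reasons an event looks like MSBuild abuse (empty if none).

    Only events whose PE identity is MSBuild.exe are examined, regardless of
    the name the file was given on disk."""
    if ev.get("OriginalFileName", "").lower() != "msbuild.exe":
        return []
    reasons = []
    image_name = ntpath.basename(ev.get("Image", "")).lower()
    if image_name != "msbuild.exe":
        reasons.append(f"renamed MSBuild: {image_name} carries OriginalFileName MSBuild.exe")
    for path in project_files(ev.get("CommandLine", "")):
        if any(marker in path.lower() for marker in USER_WRITABLE):
            reasons.append(f"project file in user-writable path: {path}")
    parent = ntpath.basename(ev.get("ParentImage", "")).lower()
    if parent in LURE_PARENTS:
        reasons.append(f"launched by {parent}, not a build tool")
    return reasons


def triage(events):
    """Run evaluate() over a batch and keep only the events with findings."""
    findings = []
    for i, ev in enumerate(events):
        reasons = evaluate(ev)
        if reasons:
            findings.append({"index": i, "image": ev.get("Image", ""), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['index']}] {f['image']}")
        for r in f["reasons"]:
            print("   -", r)
```

The renamed-binary rule is the high-confidence one; the path and parent rules will also fire on a developer who double-clicks a project in Downloads, so they are best used to raise the score of an MSBuild event rather than to alert on their own. `ntpath` is used so the Windows paths parse correctly even when the triage runs on a non-Windows analysis host.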
The actor also used web bug campaigns to gather reconnaissance on intended targets. These emails, sent from freemail accounts and built around topical lures, contained hidden tracking elements that could reveal when a message was opened, the recipient's IP address and user agent, and the time of access.
According to Proofpoint, those web bug emails used themes such as Europe sending troops to Greenland. The approach allowed the group to assess whether a message had reached and engaged the intended target before moving to malware delivery.
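A web bug is just a remote image reference, typically one that is hidden or sized to a single pixel, whose URL the mail client fetches when the message is rendered; the request leaks the open time, source IP and user agent described above, and a per-recipient token in the URL ties the fetch to one target. The following is an added example of how to pick such elements out of a message body; it is not code from Proofpoint, and the sample HTML, the tracking host and the token are constructed for illustration.

```python
"""Flag tracking pixels ("web bugs") in an HTML e-mail body.

Added example, not from Proofpoint's report. SAMPLE_EMAIL_HTML is a
constructed message; the tracker host and the token in its URL are invented."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed lure: one inline (cid:) logo, one visible remote banner, and two
# hidden remote images. Only the last two are web bugs in the strict sense,
# but any remote image reveals the same open-time/IP/user-agent data.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Dear colleague,</p>
<p>Please find below the briefing on European troop deployments to Greenland.</p>
<img src="cid:logo.png" width="120" height="40" alt="logo">
<img src="https://cdn.example/banner.jpg" width="600" height="100">
<img src="https://tracker.example/open.php?id=rcpt-4f2a" width="1" height="1" style="display:none">
<img src="https://tracker.example/img.gif" style="width:0;height:0;visibility:hidden">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attribute dict of every <img> tag in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "").strip() for k, v in attrs})


def _style_props(style):
    """Parse 'a:b;c:d' into a lower-cased dict; tolerant of sloppy spacing."""
    return {k.strip(): v.strip()
            for k, v in re.findall(r"([a-zA-Z-]+)\s*:\s*([^;]+)", style.lower())}


def _tiny(value):
    """True for 0 or 1 (optionally with a px unit), the classic pixel sizes."""
    return value.strip().lower().rstrip("px") in ("0", "1")


def hide_reasons(attrs):
    """Why an <img> would be invisible to the reader; empty list if it is not."""
    reasons = []
    if _tiny(attrs.get("width", "x")) and _tiny(attrs.get("height", "x")):
        reasons.append("1x1-or-0x0 dimensions")
    props = _style_props(attrs.get("style", ""))
    if props.get("display") == "none":
        reasons.append("display:none")
    if props.get("visibility") == "hidden":
        reasons.append("visibility:hidden")
    if _tiny(props.get("width", "x")) and _tiny(props.get("height", "x")):
        reasons.append("zero/one px via CSS")
    return reasons


def scan_remote_images(html):
    """Every image that would trigger an outbound fetch, hidden or not."""
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for attrs in parser.images:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme.lower() not in ("http", "https"):
            continue  # cid: and data: images cannot phone home
        reasons = hide_reasons(attrs)
        hits.append({"url": src, "host": url.hostname, "has_query": bool(url.query),
                     "hidden": bool(reasons), "reasons": reasons})
    return hits


def find_web_bugs(html):
    """Only the remote images that are deliberately invisible."""
    return [h for h in scan_remote_images(html) if h["hidden"]]


if __name__ == "__main__":
    for bug in find_web_bugs(SAMPLE_EMAIL_HTML):
        print(bug["host"], bug["url"], ", ".join(bug["reasons"]))
```

The defensive counterpart is simpler than the detector: a mail client configured not to load remote content by default never sends the request, so the actor learns nothing from the open and cannot tell a live target from an unread mailbox before deciding whether to send the malware stage.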
Regional shift
In March 2026, the group widened its targeting to diplomatic and government entities in the Middle East, a region TA416 had not regularly targeted before.
Proofpoint linked that shift to the weeks after the outbreak of war in Iran. It said the move matched a wider pattern observed among some state-aligned threat actors, with attention turning towards Middle Eastern government and diplomatic organisations after the conflict began.
TA416 used both attacker-controlled freemail accounts and compromised government and diplomatic mailboxes in its malware delivery campaigns. The messages carried links to malicious archives hosted on Microsoft Azure Blob Storage, actor-controlled domains, Google Drive and compromised SharePoint instances.
The targeting comes amid wider geopolitical strains involving Europe and China. Proofpoint said the renewed focus on European government entities began after the 25th EU-China summit and during a period of tension over trade, the war in Ukraine and rare earth exports.
Proofpoint said TA416 most directly overlaps with public reporting on RedDelta, Red Lich, Vertigo Panda, SmugX and DarkPeony, placing the activity within a broader body of research tracking China-linked cyber operations against government and diplomatic targets.
No estimate was provided for the number of organisations or individuals affected. Instead, the report described a sustained pattern of espionage activity marked by regular changes in delivery techniques and continued use of a customised PlugX payload.
The campaigns targeted diplomatic missions and delegations to NATO and the EU across a range of European countries before extending to a broad set of diplomatic and government entities in the Middle East.