CYBER

China-Linked TA416 Resurfaces, Targeting European Governments with PlugX and Sophisticated OAuth Phishing


A China-aligned advanced persistent threat (APT) group, tracked as TA416, has resumed a significant cyber espionage campaign targeting European government and diplomatic entities. After a notable two-year lull in focused activity within the region, the group initiated a new wave of attacks starting in mid-2025. Security researchers attribute this campaign to TA416, a cluster of activity with known overlaps to other tracked threat actors, including DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. This resurgence indicates a strategic shift and a renewed focus on gathering intelligence from European political and diplomatic circles.

The campaign employs a multi-stage infection chain that begins with highly targeted spear-phishing emails. These emails are crafted to look legitimate, often impersonating trusted organisations or individuals, to lure recipients into clicking malicious links. The initial compromise relies on an OAuth consent phishing technique: the attackers register malicious Azure applications that request high-level permissions, and the link sends the victim to a genuine Microsoft consent prompt for that app. When the victim authorizes the app, the tenant issues the attacker's application its own access and refresh tokens, so the attackers gain persistent access to the victim's Microsoft 365 account without ever handling the password. Because the victim completes sign-in, including any MFA challenge, before granting consent, traditional multi-factor authentication (MFA) protections do not stop the grant. This method provides a stealthy and persistent foothold within the target's cloud environment.

Following initial access, TA416 deploys the PlugX remote access trojan (RAT), a modular malware family with a long history of use by Chinese state-sponsored groups. PlugX provides attackers with full remote control over compromised systems, enabling data theft, surveillance, and lateral movement within networks. The use of PlugX, combined with the OAuth phishing vector, demonstrates a blend of traditional, proven malware with modern, cloud-centric attack techniques. This hybrid approach maximizes the chances of successful, undetected intrusion.

The targeting of European governmental and diplomatic organizations suggests the campaign's primary objective is intelligence collection. The stolen data could include sensitive political communications, policy documents, and diplomatic cables, providing valuable insight into European Union decision-making, foreign policy stances, and international negotiations. Cybersecurity firms and national CERTs (Computer Emergency Response Teams) are urging targeted sectors to heighten vigilance, enforce strict application consent policies in their OAuth 2.0 environments (for example, requiring administrator approval before users can grant applications high-privilege permissions), conduct user awareness training on advanced phishing tactics, and monitor for anomalous application consent and activity within their cloud tenants.
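The consent-grant monitoring recommended above can be turned into a concrete detection. The following Python script is an added example, not code from the article, from TA416 reporting, or from Microsoft: it scans audit records for successful "Consent to application" events and flags grants that hand an application high-risk delegated Graph scopes, annotating each finding with aggravating factors (unverified publisher, end-user rather than admin consent). The sample records and the field names `consentScopes`, `publisherVerified`, `consentType` and `initiatedByRole` are constructed assumptions that only approximate the shape of Entra ID audit events; map them to your tenant's actual export before use.

```python
"""
Flag risky OAuth consent grants in Microsoft 365 / Entra ID audit logs.

Added example, not from the original article or any vendor. The record
layout below is an assumption modelled loosely on Entra ID "Consent to
application" audit events; adjust the field names to your real export.
"""
import json
from dataclasses import dataclass

# Delegated Graph scopes that give an application standing access to
# mailbox or file data, or a refresh token that outlives the user session.
# Illustrative list: extend it to match your organisation's risk appetite.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Contacts.Read", "MailboxSettings.ReadWrite",
    "offline_access",  # refresh token: persistence beyond the session
}


@dataclass(frozen=True)
class ConsentFinding:
    user: str
    app_display_name: str
    app_id: str
    risky_scopes: tuple
    reasons: tuple


def parse_scopes(scope_string):
    """Consent events carry scopes as one space-separated string."""
    return {s for s in scope_string.split() if s}


def evaluate_consent(event):
    """Return a ConsentFinding for a risky successful grant, else None."""
    if event.get("activityDisplayName") != "Consent to application":
        return None
    if event.get("result") != "success":
        return None  # failed or blocked grants issued no tokens
    risky = parse_scopes(event.get("consentScopes", "")) & HIGH_RISK_SCOPES
    if not risky:
        return None
    reasons = ["high-risk delegated scopes"]
    if not event.get("publisherVerified", False):
        reasons.append("unverified publisher")
    if event.get("consentType") == "Principal" and event.get("initiatedByRole") != "admin":
        # An end user granted consent for their own account without admin review.
        reasons.append("user consent (not admin-approved)")
    return ConsentFinding(
        user=event.get("userPrincipalName", "<unknown>"),
        app_display_name=event.get("appDisplayName", "<unknown>"),
        app_id=event.get("appId", "<unknown>"),
        risky_scopes=tuple(sorted(risky)),
        reasons=tuple(reasons),
    )


def scan(lines):
    """Scan newline-delimited JSON audit records; malformed lines are skipped."""
    findings = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = evaluate_consent(event)
        if finding is not None:
            findings.append(finding)
    return findings


# Constructed sample records (not real telemetry, not real application IDs).
SAMPLE_LOG = [
    json.dumps({  # end user consents to an unverified app wanting mail + persistence
        "activityDisplayName": "Consent to application", "result": "success",
        "userPrincipalName": "user1@example.org", "appDisplayName": "Document Viewer",
        "appId": "00000000-0000-0000-0000-00000000aaaa", "publisherVerified": False,
        "consentType": "Principal", "initiatedByRole": "user",
        "consentScopes": "User.Read Mail.Read offline_access",
    }),
    json.dumps({  # admin-approved, verified publisher, low-privilege scope only
        "activityDisplayName": "Consent to application", "result": "success",
        "userPrincipalName": "admin@example.org", "appDisplayName": "HR Portal",
        "appId": "00000000-0000-0000-0000-00000000bbbb", "publisherVerified": True,
        "consentType": "AllPrincipals", "initiatedByRole": "admin",
        "consentScopes": "User.Read",
    }),
    json.dumps({  # unrelated audit event
        "activityDisplayName": "Update user", "result": "success",
        "userPrincipalName": "admin@example.org",
    }),
    "{not valid json",  # extraction noise the scanner must tolerate
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.user} granted {f.app_display_name} ({f.app_id}) "
              f"{', '.join(f.risky_scopes)}: {'; '.join(f.reasons)}")
```

In a real deployment the same logic would run over the tenant's audit export (Entra ID sign-in and audit logs, or the equivalent SIEM table) rather than the embedded list, and each finding should trigger a review of the app's service principal and, if it is unwanted, revocation of the grant and of any tokens already issued.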
