Back

TA416 Resumes Cyber Espionage Against European Governments Amid Geopolitical Tensions

Severity: High (Score: 75.5)

Sources: Proofpoint, Cyberscoop, Infosecurity-Magazine

Summary

Chinese state-backed group TA416 has reemerged with intensified cyber espionage campaigns targeting European governments, following a quiet period since 2023. Proofpoint reported that the group's renewed activity began in mid-2025, coinciding with rising EU-China tensions and the ongoing Russia-Ukraine war. The campaigns primarily focus on diplomatic missions and NATO delegations, employing various malware delivery methods and web bug reconnaissance techniques. TA416 has utilized freemail accounts and compromised mailboxes to distribute malicious links, with a consistent goal of deploying the customized PlugX backdoor. In March 2026, following the outbreak of conflict in Iran, TA416 expanded its targeting to include Middle Eastern government entities. The group has altered its infection chains regularly, employing tactics such as abusing Cloudflare Turnstile challenge pages and using C# project files. This shift reflects a broader trend of state-aligned threat actors adjusting their focus in response to geopolitical events. The situation remains active as of April 1, 2026. Key Points: • TA416 has resumed cyber espionage against European governments after a two-year hiatus. • The group is using sophisticated malware delivery methods and web bug reconnaissance. • Recent campaigns have expanded to target Middle Eastern entities following the Iran conflict.

Key Entities

  • CerenaKeeper (apt_group)
  • DarkPeony (apt_group)
  • Earth Preta (apt_group)
  • Hive0154 (apt_group)
  • HoneyMyte (apt_group)
  • Malware (attack_type)
  • Phishing (attack_type)
  • China (country)
  • Iran (country)
  • Mongolia (country)
  • Taiwan (country)
  • Ukraine (country)
  • epc.copenhagen2025.dm (domain)
  • Government (industry)
  • PlugX (malware)
  • T1055 - Process Injection (mitre_attack)
  • T1059.001 - PowerShell (mitre_attack)
  • T1566.001 - Spearphishing Attachment (mitre_attack)
  • T1566.002 - Spearphishing Link (mitre_attack)
  • T1566 - Phishing (mitre_attack)
  • Azure (company)
  • Cloudflare CDN (platform)
  • Microsoft Azure Blob Storage (platform)
  • Microsoft Entra ID (platform)
  • SharePoint (platform)
  • Cloudflare Turnstile (tool)
  • Gmail (tool)
  • Google Drive (tool)
  • MSBuild (tool)
  • 4ed76fa68ef9e1a7705a849d47b3d9dcdf969e332bd5bcb68138579c288a16d3 (sha256)
  • 53086e3b557a1d21cf7f4ffc73d92c39b08872334a8cdb09dda0a06bd060cfe9 (sha256)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed