
The Chinese state-backed threat group TA416 has returned to Europe’s cyber threat landscape after a prolonged lull, bringing with it a more refined and evasive espionage playbook.
Security researchers at Proofpoint say the group resumed activity around mid-2025, zeroing in on European government bodies and diplomatic organizations, including entities linked to the EU and NATO.
Proofpoint notes that the attacks commenced just a day after the 25th EU-China summit.
There has been a recent uptick in China-linked activity targeting Europe, especially campaigns targeting critical infrastructure. Just last week, Chinese hacking groups published more than 350GB of data stolen from the European Commission on the dark web. Another China-affiliated threat actor has been found hiding deep inside telecom networks across Europe.
But unlike the data dumps and loud infrastructure compromises dominating recent headlines, TA416's renewed operations show a different kind of sophistication. According to Proofpoint's analysis, the group now favors methodical reconnaissance and adaptive infection chains that make detection far more difficult.
Smarter infection chain
Instead of jumping straight into malware delivery, TA416 now takes a slower, more deliberate approach. The attackers send benign-looking emails embedded with tracking pixels, quietly confirming which targets are active and engaged before escalating further.
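A defender-side check for the reconnaissance step described above, added here as an example and not taken from Proofpoint's report: it scans an email body for tiny or hidden remote images whose URL carries a per-recipient identifier, the pattern a tracking pixel relies on to confirm who opened the message. The sample message and the example.invalid domain are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample: a benign-looking message with one hidden remote image
# whose URL carries a per-recipient token (hypothetical domain, not an IoC),
# plus an ordinary embedded logo that should not be flagged.
SAMPLE_HTML = """<html><body>
<p>Dear colleague, please find the summit agenda attached.</p>
<img src="https://example.invalid/t.gif?id=rcpt-7f3a" width="1" height="1" style="display:none">
<img src="cid:logo.png" width="200" height="60">
</body></html>"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the body."""
    def __init__(self):
        super().__init__()
        self.imgs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.imgs.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(attrs):
    # 0px or 1px in either dimension is the classic pixel beacon size
    w = attrs.get("width", "").strip().rstrip("px")
    h = attrs.get("height", "").strip().rstrip("px")
    return w in ("0", "1") or h in ("0", "1")


def _is_hidden(attrs):
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def find_tracking_pixels(html):
    """Return the src URLs of remote images that are tiny or hidden and whose
    URL carries an identifier (query string or long opaque path segment)."""
    parser = _ImgCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.imgs:
        src = attrs.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images cannot beacon out when opened
        has_token = bool(parse_qs(url.query)) or bool(
            re.search(r"/[A-Za-z0-9_-]{16,}(\.gif|\.png)?$", url.path))
        if has_token and (_is_tiny(attrs) or _is_hidden(attrs)):
            hits.append(src)
    return hits
```

Run over inbound mail at the gateway, a hit is a reason to strip or proxy remote images for that message and to note which recipients were targeted, since the beacon is the attacker's signal to escalate.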
Once a target shows interest, TA416 moves quickly. The group delivers malicious payloads through cloud-hosted archives and compromised email accounts, leaning heavily on trusted platforms such as Microsoft Azure, Google Drive, and SharePoint to host or distribute content.
TA416’s updated toolkit shows a clear evolution in both delivery and evasion. Instead of relying on a fixed attack path, researchers observed the group rotating its infection chain frequently, making it harder for defenders to detect patterns or block attacks at scale.
During the observed period, the chain changed repeatedly. In some cases, victims encountered Cloudflare Turnstile verification pages, normally used to filter out bots; in others, the group abused OAuth redirects. This rotation kept the campaign unpredictable.
The final stage typically involves sideloading variants of the PlugX backdoor, a long-favored tool in China-linked espionage operations. TA416 deploys the malware using custom loaders built with MSBuild and C#.
What stands out is the group’s willingness to experiment. Researchers observed multiple variations in the infection chain, suggesting that TA416 actively tests different combinations of delivery and evasion techniques to determine which work best against modern defenses.
Additionally, in the wake of the Iran conflict in March 2026, Proofpoint has observed TA416 launching several campaigns targeting a broad set of government and diplomatic entities across the Middle East, a region it has rarely focused on in the past.