INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
Cyberespionage Campaigns by European and Chinese Hackers
2026-04-01 14:31 | Severity: CRITICAL / HIGH
Executive Summary (AI-generated)
Cyberattacks targeting European government entities have surged, with the Chinese cyberespionage group TA416 shifting its focus back to the continent after years of concentrating on other parts of the world. The group's return to European government targeting coincided with heightened EU-China tensions over trade, the Ukraine-Russia war and rare earths exports. TA416 had previously been active in Europe, but stepped away from the continent afterward. Its renewed focus has involved a variety of web bug and malware delivery methods, including reconnaissance by dangling lures about troops being sent to Greenland, phishing emails about humanitarian concerns, interview requests and collaboration proposals, and targeted attacks on diplomatic missions and delegations to NATO and the EU.
Technical Mitigations AI-generated
* Use reputable antivirus software and keep it up to date to prevent malware infections.
* Implement a firewall on your computer or network to block unauthorized access from external sources.
* Regularly update the operating system, browser and other software to ensure you have the latest security patches.
* Use strong passwords and enable multi-factor authentication (MFA) wherever possible to add an extra layer of protection for sensitive information.
Technical Observables
Intelligence Metadata
Actors / Malware / CVEs / Campaigns: Mustang Panda; TONESHELL, PlugX
Target & Sectors: NORTH_AMERICA, APAC, EUROPE, MIDDLE_EAST
Incident Timeline
mid-2025
China's state-backed hacking group TA416 targeted European diplomatic missions.
Proofpoint researchers detected the group’s renewed activity in mid-2025, with multiple malware delivery campaigns targeting EU and NATO diplomatic missions across a range of European countries.
The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, the company said.
Tagged entities: EU (organisation), NATO (organisation), EUROPE (target_region), China (source_region)
September 2025
Threat actors used spear phishing to gain initial access to target systems.
October 2025
Arctic Wolf reported a Mustang Panda campaign targeting Belgian and Hungarian diplomats in October 2025.
In October 2025, Arctic Wolf reported on a cyber espionage campaign targeting Belgian and Hungarian diplomats that it attributed to Mustang Panda.
Tagged entities: Mustang Panda (threat_actor), Espionage (tactic), Belgium (source_region), Hungary (source_region)
December 2025
Threat actors used spoofed Cloudflare Turnstile challenge pages as part of the delivery chain for ZIP archives.
January 2026
Threat actors continued to use spoofed Cloudflare Turnstile challenge pages as part of the delivery chain for ZIP archives.
February 2026
TA416 abused Microsoft Entra ID third-party applications to redirect users to attacker-controlled malware delivery domains.
From February 2026, TA416 abused Microsoft Entra ID third-party applications that redirected users to attacker-controlled malware delivery domains.
Tagged entities: Microsoft (organisation)
March 2026
Proofpoint observed TA416 expand its targeting to diplomatic and government entities in the Middle East.
In March 2026, in the weeks following the outbreak of conflict in Iran, Proofpoint also observed TA416 expand its targets to include diplomatic and government entities in the Middle East.
Tagged entities: Iran, Islamic Republic of (target_region), MIDDLE_EAST (target_region)
mid-2025 to early 2026
TA416 launched broad web bug and malware delivery campaigns in Europe from mid-2025 to early 2026.
Europe-Focused Espionage Campaigns
From mid-2025 to early 2026, Proofpoint researchers said TA416 conducted both "broad web bug" and malware delivery campaigns.
Tagged entities: EUROPE (target_region), Espionage (tactic)
April 1
TA416 abused Cloudflare Turnstile challenge pages as part of its infection chain.
TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects and using C# project files, as well as frequently updating its custom PlugX payload, noted the Proofpoint researchers in an April 1 report.
Tagged entities: Cloudflare Turnstile (organisation), OAuth (organisation), PlugX (malware)
2026/04/01
Mustang Panda launched a fresh wave of cyber espionage campaigns against European governments.
According to MITRE ATT&CK, Mustang Panda was first discovered in 2012 and has been targeting government, diplomatic and non-governmental organizations, including think tanks, religious institutions and research entities, across the US, Europe and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan and Vietnam.
TA416 or Mustang Panda?
TA416 is the codename attributed to a Chinese-backed advanced persistent threat (APT) group also known by many names, the most common of which is Mustang Panda. However, Proofpoint researchers track Mustang Panda under two primary clusters: TA416 (aka Vertigo Panda, RedDelta, Red Lich, UNC6384, SmugX, DarkPeony) and a second group tracked under the temporary designator UNK_SteadySplit (aka CerenaKeeper, Red Ishtar). Proofpoint also highlighted other aliases for Mustang Panda, including Twill Typhoon, Temp.HEX, Earth Preta, Stately Taurus, HoneyMyte and Hive0154, which likely refer to campaigns where TA416 and UNK_SteadySplit were working together. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.
Prior research by Trend Micro had identified technical overlaps between TA416 and UNK_SteadySplit, most notably through a UNK_SteadySplit TONESHELL command-and-control (C2) IP address embedded in a filepath within two LNK files used in TA416 campaigns.
Chinese Hackers Target European Governments in Espionage Campaigns.
“This renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,” Proofpoint’s Mark Kelly and Georgi Mladenov wrote.
“During this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads,” the researchers wrote.
Campaigns shifted to using archives containing a renamed Microsoft MSBuild executable and malicious C# project files. In each case, TA416 relied on either ZIP smuggling using Microsoft shortcut (LNK) files or CSPROJ-based downloaders to deliver a signed executable, malicious DLL and encrypted payload triad that ultimately loaded PlugX into memory.
According to the researchers, web bugs, also known as ‘tracking pixels,’ are tiny invisible objects embedded in an email that trigger an HTTP request to a remote server when the email is opened, revealing the recipient's IP address and user agent.
TA416’s Infrastructure
TA416 uses a steady supply of re-registered, formerly legitimate domains for C2, malware delivery and web bugs, often first using domains within days of re-registering them, a tactic that allows the group to evade domain reputation-based security controls.
Proofpoint noted that the 2025 and 2026 TA416 campaigns were leveraging virtual private server (VPS) providers Evoxt Enterprise (AS149440), XNNET LLC (AS6134) and Kaopu Cloud HK Limited (AS138915).
The group typically also uses the Cloudflare Content Delivery Network (CDN) to obscure backend hosting IP addresses used for malware delivery and C2, and deploys minimal fake websites on its C2 domains, likely to hinder signaturing and tracking efforts and to make these domains appear legitimate.
Written by Tim Starks. Tim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly.
Tagged entities: Mustang Panda (threat_actor); APT, Twill Typhoon, Chinese Hackers Target European Governments, EU, NATO, DLL, LNK, IP, RedDelta, UNC6384, SmugX, DarkPeony, CerenaKeeper, Trend Micro, Stately Taurus, HoneyMyte, TA416, VPS, Evoxt Enterprise, XNNET LLC, the Cloudflare Content Delivery Network, CDN, CyberScoop, The Washington Post, POLITICO (organisation)
early 2026
Threat actors used a variety of web bug and malware delivery methods to target Europe, including setting up reconnaissance by dangling lures about troops being sent to Greenland.
The group’s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland.
Tagged entities: Greenland (target_region), Reconnaissance (tactic), EUROPE (target_region)
Intelligence Sources
Infosecurity-Magazine, 2026-04-01: Chinese Hackers Target European Governments in Espionage Campaigns
CyberScoop, 2026-04-01
Incident Version History
CURRENT VERSION (Last Updated: 2026-04-27T11:57)
Comprehensive Tactical Telemetry
Highly Correlated Entities (count | category | label | entity | type)
28x | organisation | Identified Entity | Chinese Hackers Target European Governments | entity
17x | timeline | Temporal Reference | March 2026 | date
8x | source region | Origin Country | Russian Federation | country
7x | target region | Target Country | Iran, Islamic Republic of | country
3x | target region | Target Region | MIDDLE_EAST | region
3x | tactic | Cyber Operation Type | Reconnaissance | tactic
3x | attribution | Attributing Entity | Microsoft Azure Blob Storage | authority
2x | malware | Malware Payload | PlugX | tool
2x | tactic | MITRE ATT&CK Technique | T1588.001 - Malware | technique
Contextual Telemetry
Context Block (1 metric): threat actor | APT Group | Mustang Panda | actor