CyberWire Daily - The spy who logged me in. [Research Saturday]
Episode Date: May 9, 2026
Mark Kelly, Staff Threat Researcher at Proofpoint, is discussing their work on "I'd come running back to EU again: TA416 resumes European government espionage campaigns." China-linked threat group TA416 has resumed large-scale phishing and malware campaigns targeting European governments, diplomatic missions tied to the EU and NATO, and more recently Middle Eastern entities following the outbreak of conflict in Iran. The group has continually evolved its tactics between mid-2025 and early 2026, using techniques like fake Cloudflare verification pages, Microsoft OAuth redirect abuse, and malicious C# project files to deliver customized PlugX malware through spearphishing campaigns. Researchers say the renewed activity reflects shifting geopolitical priorities tied to EU-China tensions, the Russia-Ukraine war, and instability in the Middle East, while highlighting TA416's ongoing focus on intelligence gathering against diplomatic networks. The research and executive brief can be found here: I'd come running back to EU again: TA416 resumes European government espionage campaigns
Transcript
You're listening to the Cyberwire Network, powered by N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities, solving some of the hard
problems and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
So, TA416 is a China-aligned espionage threat actor that Proofpoint has been kind of
regularly keeping track of for quite a while. The impetus for this research is we did see
some pretty interesting activity from this threat actor since around July of last year, where we saw a
significant shift in their targeting. And we've continued to see
some interesting evolutions in their tactics over this period as well. That's Mark Kelly,
threat researcher at Proofpoint. The research we're discussing today is titled,
I'd Come Running Back to EU Again: TA416 resumes European government espionage campaigns.
Well, the research says that this group largely stepped back from Europe for a while,
but then, as you say, that changed in mid-2025. What signaled that they were coming back?
That's right. So if we kind of...
kind of cast our mind back a little bit further. This group used to be very active within Europe,
particularly within the kind of 2021 to 2023 timeframe. And this coincided with the original
invasion of Ukraine by Russia. And we assessed at the time that this was kind of an effort to
gather intelligence regarding diplomatic networks within Europe in relation to the war.
However, as you said, since around mid-2020, for about two years, we saw very little of
the threat actor within the region.
But then in mid-2025, we saw them kind of come back quite consistently to the region.
And this kind of coincided with, well, it kind of first started immediately after the
China-EU summit in July 2025, where we saw multiple campaigns from this group.
And it's kind of continued since then.
Well, when you say they've resumed targeting European
diplomatic organizations, what does that actually look like in practice?
What does it seem as though they're after here?
I think this group is kind of what we would call a more traditional espionage threat actor.
So they're looking at kind of foreign policy.
They're looking at targeting embassies, Ministry of Foreign Affairs and so on.
So really looking to kind of understand diplomatic networks and what's going on within other
countries, particularly when it's of interest to the Chinese government.
I see.
Well, can you walk us through the campaign kind of step by step?
How does someone find themselves in the sights of this group?
Yes, so we've kind of seen two primary types of campaigns from the threat actor.
The first is a more kind of fact-finding or reconnaissance-type campaign
where we see the group delivering what are known as tracking pixels.
And these are essentially tiny, tiny images that are embedded within an email.
And then when the target opens them, it will kind of send a
signal to the threat actor that, oh, the email has been opened.
This user is kind of engaging with the material I'm sending them, and that can signal to them
that they can essentially use that as a piece of information to target that individual again
with malware, so kind of more stepping up the game a little bit and actually trying to gain
access to that individual or that organization.
So we saw multiple waves of these tracking pixel emails from this threat actor.
And then in addition to this, we've also
seen quite a lot of malware delivery from the group. So actually trying to gain remote access
into these particular individuals and these particular organizations via multiple different
kinds of methods and different initial infection vectors. And one of the things you highlighted
was that you saw phishing coming from compromised diplomatic mailboxes. And I suppose that tactic
is especially effective against government targets. That's right. And that's kind of something that
is pretty consistent with this threat actor.
They use government and diplomatic accounts
that they have kind of previously compromised to stage
and conduct new campaigns.
So from a target perspective,
you're obviously going to be a lot more trusting
of someone you have previously engaged with
or someone who is a kind of trusted government account
who is sending you an email versus like a random kind of Gmail account
that you've never heard of before.
So it makes it a lot more kind of authentic
and believable from a target's perspective.
To what degree does this appear to be highly targeted,
or is it more broad reconnaissance?
It's highly targeted in the fact that it's specifically going after
specific kind of countries,
it's specifically going after Ministry of Foreign Affairs
from an espionage perspective.
So from our kind of vantage point,
that is a pretty targeted campaign
and a pretty targeted threat actor,
and that kind of aligns with what we typically see from Chinese groups
who obviously have a kind of predetermined or hierarchical kind of tasking
in terms of what they're supposed to be gathering intelligence on,
and that is typically reflected in that group's targeting.
So they do tend to be kind of fairly selective in who they target.
The research highlights that you've seen them shifting towards some Middle Eastern targets
after this current outbreak and conflict in Iran.
What does this tell us about organizations like this and their ability to pivot and respond to geopolitical events?
That's right.
Yes, so about a week or so following the commencement of the conflict, we did see multiple campaigns from this group from compromised embassies within the Middle East,
sent to other embassies within that region.
And that is not an area we had traditionally or historically seen targeted
by this threat actor. So we did assess that that is likely kind of driven by the conflict and by
a desire to gather additional intelligence, both on the conflict, as well as the kind of
geopolitical ramifications within that region. And that is something that is kind of historically
typical for this threat actor. So I already mentioned them pivoting to Europe, following the
Russia-Ukraine war, and then kind of pivoting back to Europe, following those kind of mid-2025
talks. So this is definitely a group that seems to be tasked to look at or kind of shift or at least expand
their targeting when certain geopolitical events occur that are important to the Chinese government.
One of the themes in the research is the evolving technical trade craft here, that TA416, they keep
changing their infection chain. Can you dig into that for us?
That's right, yes. So it's quite interesting because we see some things change quite significantly and quite frequently from this group, and that other things tend to stay static or tend to stay kind of relatively similar over long periods of time.
And some of the things that we've seen changing have in particular been the early parts of the infection chain.
So what is within the phishing email and what kind of comes immediately after the phishing email tends to change pretty frequently.
and over the last kind of seven or eight months we've seen three primary initial infection vectors
from the group. The first was where they were using fake CAPTCHA pages. So they were
pretending to be like a normal Cloudflare, verify you're a human type website. But actually when
you kind of verify yourself, it downloads some malware onto your machine. The second, we've actually
seen them abusing Microsoft login redirects. And this is a pretty interesting
technique where they are able to kind of include a legitimate Microsoft sign-in URL within
the phishing email, so it looks kind of pretty legitimate to a target. But what is actually
going on in the background is that they have registered a third-party application, so anyone
can kind of go ahead and do that. And they have crafted it in such a way that it causes a redirect
via that application to the threat actor's own infrastructure, where again you kind
of end up downloading malware. And those have been the two kind of primary infection vectors we've
seen from the group. And there's been kind of one other that we saw once or twice back in February,
but seems to have kind of been phased out again. Despite all these changes, you point out that
the campaigns still lead back to PlugX. Can you, first of all, describe what that is for folks
who may not be familiar? And why do we think this is so persistent in their toolkit?
That's right. Yes. So despite all of these changes, we tend to see these ultimately delivering a custom backdoor known as PlugX. So this is a malware family that's been around for a long, long time now. It's Chinese in origin. It's been used by a lot of different China-aligned threat actors over the kind of past decade or so, really. But the interesting thing about TA416 is that they have kind of adopted it but customized it to
such an extent that it's kind of pretty much
unrecognizable from the standard
PlugX of years ago.
So they do continually
kind of tweak it and adapt
it and so on. And in terms of what
it allows them to do, it's essentially a
remote access Trojan so
they can
use it to remotely control the computer,
steal information, open a command
shell and download files and
exfiltrate files and so on. So pretty standard
kind of commands within
the actual payload.
We'll be right back.
Well, this being 2026 and us being where we are these days,
you note possible signs of large language model assistance
in some of the components here. What in particular stood out?
That's right.
So this was particularly evident within the third infection vector
that I kind of briefly mentioned earlier that we saw for a short period of time.
They were using a particular kind of fairly unusual file format called C# project files,
and these are basically used by software developers to help them compile code,
but TA416 was essentially abusing this to download PlugX.
But within those C# project files, they appear to be pretty clearly LLM generated,
so we saw the inclusion of comments that no
normal malware developer would include that was kind of describing what it was doing.
And there were also kind of variations between different samples, different scripts that we saw, that were saying, like one would say, oh, this is the URL with the new endpoint.
This is the URL revised again and that kind of thing.
So clearly kind of being iteratively changed likely via kind of a large language model.
Yeah, that's interesting.
Now, let's talk about this Mustang Panda question.
I think there's quite often confusion around the Mustang Panda label when it comes to attribution.
Where does TA416 fit within that ecosystem of related groups?
That's right.
Yes.
So the joys of aliases within threat intelligence, I'm sure, is not lost on your listeners.
and it can be kind of confusing sometimes,
but from a vendor perspective
and from someone who actually tracks
and kind of uses our own telemetry
to track these groups,
we all have different visibility
in terms of what they look like
and kind of how we cluster them together.
And from our perspective,
what is often referred to as Mustang Panda publicly
for us is two distinct groups,
well, predominantly two distinct groups.
So TA416 is one of those groups.
So we mostly see them
again targeting European, Southeast Asian diplomats, government using PlugX and so on.
And then there is another cluster that we assess is likely distinct just based on using very
different techniques, different targeting, different malware.
And we do track them separately.
I would kind of note that some other organizations track it as a single group and there is some
indication that there may be some sort of organizational link between the two.
But from our perspective, from a behavioral standpoint,
they kind of look completely different, and there's no way for us to reconcile that as being the same threat actor from our vantage point.
So that's why we kind of cluster them separately.
I see.
Looking at the bigger picture here, some of the implications of an operation like this,
TA416's focus on the EU and NATO-linked diplomacy, the renewed focus on them.
What does this suggest about where Beijing stands right now in terms of their intelligence priorities?
Yes, I think it's kind of indicative of a renewed focus on government organizations within Europe.
It did seem to kind of coincide with this EU-China summit that happened back in July, as I mentioned,
and we didn't really see a whole lot of them before that.
And then since then we've seen quite a lot of them.
So that seems to be the kind of correlation.
But again, it's hard to pinpoint exactly what has led
to the shift back to Europe.
The Middle East one was kind of a lot more obvious and straight cut, I think,
given we'd never seen them there before.
And then we were suddenly seeing them there right after the conflict began.
So I think we can be a lot more confident in terms of our assessment,
in terms of the rationale for the group's shift in targeting then.
But Europe is a little bit more.
We kind of had to put our thinking caps on a little bit more for that one, I think.
Do you suppose that organizations should interpret this activity as
more opportunistic surveillance, or do we suspect this is something more strategic and possibly
sustained? I would expect this to be sustained. I mean, this is a threat actor that's been around
for a long time now. They do shift targeting, as I mentioned, over time. But there has been some
consistency. So I haven't really mentioned the group's activity in Asia, but they are basically
kind of consistently active within Southeast Asia over probably a decade at this point, so a very long
periods of time. And so it's not a group that's going to go away anytime soon. They do not target
people opportunistically. So it is typically kind of purposeful. And they are doing it for a reason,
likely based on some kind of tasking they are having from whoever they work for within the
Chinese government. So there is definitely kind of methodical rationale for what they do.
I see. Well, let's talk about some of the practical takeaways here for the defenders in our
audience, what are your recommendations? What can they do to protect themselves against a threat like
this? Yes, so I think starting from the email level and going on to the kind of more
malware components, from the email level, it's kind of your standard recommendations around
educating users on the risks of executing kind of code and clicking links that are potentially
suspicious. Obviously, in this case, if they're using kind of compromised senders and linking to Microsoft infrastructure, it's probably unfair to expect a general user to be able to recognize that as phishing against them. But from kind of more technical controls, even though they do change these earlier standpoints, if kind of defenders can focus more on what comes later. So the actual malware has been pretty
standard. They tend to use
Microsoft shortcut files which are
pretty
kind of
common at the moment from a lot
of different actors but
are detectable
and are something that you can kind of
build detections for.
Similarly, looking at
the actual malware being
loaded so they tend to use
specific techniques, particularly
things like DLL side loading, which is
a way that they can load their malware.
And then looking at, again, the kind of network perspective.
So once the malware is loaded on the computer,
it's going to try and reach out to command control infrastructure.
So proactively trying to track that infrastructure
or engaging with organizations that are able to do that
and ensuring that if you do see networks or computers within your network
trying to contact that command control infrastructure that you're alerted,
and you can kind of remediate it.
So lots of different kind of steps there that defenders can take, I think, based on
the different aspects of the infection chain.
All right. Well, Mark, I think I have everything I need for our story here. Is there anything I missed?
Anything I haven't asked you that you think it's important to share?
One of the things that is interesting is their infrastructure choices and the way they
buy expired legitimate domains. So oftentimes they will use
a formerly legitimate company that has gone out of business or for some reason let their domain
expire. They will then buy that and use that for command and control for their malware families
or for hosting tracking pixels within emails. And this is an interesting kind of choice because
these tend to have higher reputation than if they were to just purchase a kind of new domain
that's never been around before.
And it also makes it a little bit harder to kind of detect their activity.
And they also hide these domains behind the Cloudflare content distribution network.
Again, to kind of obscure where their servers are.
And that is something that's really developed over the last few years.
And they've clearly kind of put a little bit of effort into trying to make their infrastructure
harder to track.
And the other interesting thing there is they usually put fake websites on those C2 domains as well.
So if you were to visit them, it would just look like a kind of generic website, but in actual fact, it's a kind of domain that they own and that they use for C2.
So that was one more kind of interesting thing that I've seen from this group.
How do you rate their sophistication?
I would say they're not necessarily the top end of sophistication, but they are very persistent and creative.
And they're also willing to kind of consistently change and adapt their approach, even if the kind of core objective and TTPs do remain consistent
over time. So there's definitely a group to keep an eye on and be wary of, particularly if
you're within that kind of target set of theirs. So particularly embassies, diplomatic
organizations and so on, should definitely be very aware of this group.
Our thanks to Mark Kelly from Proofpoint for joining us. The research is titled,
I'd come running back to EU again: TA416 resumes European government espionage
campaigns. We'll have a link in the show notes. And that is Research Saturday, brought to you by
N2K Cyberwire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the
insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our
show, please share a rating and review in your favorite podcast app. Please also fill out the survey
in the show notes or send an email to Cyberwire at N2K.com. This episode was produced by Liz Stokes. We're mixed
by Elliot Peltzman and Tré Hester.
Our executive producer is Jennifer Eiben.
Peter Kilpe is our publisher, and I'm Dave Bittner.
Thanks for listening.
We'll see you back here next time.
