Apr 03, 2026 • The Hacker News
China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
Executive Summary
China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations since mid-2025, following a two-year period of reduced activity in the region. The campaign utilizes PlugX malware alongside OAuth-based phishing techniques for initial access and persistence. TA416 overlaps with multiple tracked threat clusters including DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda, indicating a sophisticated and persistent threat to government entities. Organizations are advised to enhance email security controls, implement multi-factor authentication, and monitor for OAuth token abuse to mitigate this threat.
Summary
A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. "This TA416 activity included multiple
Linked Entities
- PlugX
- DarkPeony
- Red Lich
- RedDelta
- SmugX
- TA416
- UNC6384
- Vertigo Panda