Chinese Hackers Target European Governments in Espionage Campaigns

By Team-CWD, April 1, 2026


After a quiet period since 2023, Chinese state-backed group TA416 has reemerged with a vengeance, launching a fresh wave of cyber espionage campaigns against European governments.

Proofpoint researchers detected the group’s renewed activity in mid-2025, with multiple malware delivery campaigns targeting EU and NATO diplomatic missions across a range of European countries.

TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects and using C# project files, as well as frequently updating its custom PlugX payload, noted the Proofpoint researchers in an April 1 report.

In March 2026, in the weeks following the outbreak of conflict in Iran, Proofpoint also observed TA416 expand its targeting to include diplomatic and government entities in the Middle East.

TA416 in 2025-2026: Europe-Focused Espionage Campaigns

From mid-2025 to early 2026, Proofpoint researchers said TA416 conducted both “broad web bug” and malware delivery campaigns.

According to the researchers, web bugs, also known as ‘tracking pixels,’ are tiny invisible objects embedded in an email that trigger an HTTP request to a remote server when the message is opened, revealing the recipient’s IP address, user agent and time of access. This allows the threat actor to assess whether the email was opened by the intended target.

The TA416 web bug campaigns used freemail sender accounts and a range of thematic lures, such as Europe sending troops to Greenland, to perform delivery and engagement reconnaissance.
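As an added illustration of the web bug technique described above (example code, not part of the report or the article), the following mail-gateway style check parses an email body and flags images that fetch from a remote host while being sized 1x1 or hidden. The sample HTML and the tracker host are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body: one ordinary embedded (cid:) logo and one
# 1x1 remote image carrying a per-recipient token in its URL.
SAMPLE_HTML = """
<html><body>
<p>Please review the attached briefing on Greenland deployments.</p>
<img src="cid:logo@example" width="120" height="40" alt="logo">
<img src="https://tracker.example.net/p.gif?id=rcpt-7f3a" width="1" height="1" style="display:none">
</body></html>
"""

def _tiny(value):
    """True if an HTML width/height attribute is 1 pixel or less."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1

class WebBugFinder(HTMLParser):
    """Collects <img> tags that look like tracking pixels: an http(s) source
    on a remote host combined with a 1x1 size or a hidden style."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        parsed = urlparse(src)
        if parsed.scheme not in ("http", "https"):
            return  # cid:/data: images never generate an outbound request
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        if _tiny(a.get("width")) or _tiny(a.get("height")) or hidden:
            self.hits.append({"host": parsed.hostname, "src": src})

def find_web_bugs(html):
    """Return suspected web bugs (remote host and full URL) found in an email body."""
    finder = WebBugFinder()
    finder.feed(html)
    return finder.hits

if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_HTML):
        print(f"suspected web bug -> {hit['host']}: {hit['src']}")
```

Blocking or proxying remote image loads at the gateway defeats the reconnaissance step regardless of the lure theme.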

Malware delivery campaigns used both attacker-controlled freemail accounts and compromised government and diplomatic mailboxes to send links to malicious archives hosted on Microsoft Azure Blob Storage, actor-controlled domains, Google Drive and compromised SharePoint instances.

TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group’s customized PlugX backdoor via DLL sideloading triads.

Initial access techniques changed over the course of the campaign, with several distinct approaches observed across different time periods:

  • September 2025 – January 2026: The group used spoofed Cloudflare Turnstile challenge pages that gated access to ZIP archives
  • December 2025 – January 2026: TA416 abused Microsoft Entra ID third‑party applications that redirected users to attacker-controlled malware delivery domains
  • From February 2026: Campaigns shifted to using archives containing a renamed Microsoft MSBuild executable and malicious C# project files

In each case, TA416 relied on either ZIP smuggling using Microsoft shortcut (LNK) files or CSPROJ-based downloaders to deliver a signed executable, malicious DLL and encrypted payload triad that ultimately loaded PlugX into memory.
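The CSPROJ-based downloader stage above relies on MSBuild executing C# embedded directly in a project file. As an added defensive example (not code from the report or from TA416), the scanner below parses a .csproj and reports every UsingTask that carries inline code, which ordinary application projects rarely need. The project text, task name and paths are constructed for the example; the inline code body is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed .csproj: a normal Compile item plus a UsingTask whose inline C#
# runs as soon as the Build target is evaluated. The code body is a placeholder.
SAMPLE_CSPROJ = """<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup>
    <Compile Include="Program.cs" />
  </ItemGroup>
  <Target Name="Build">
    <Stage />
  </Target>
  <UsingTask TaskName="Stage" TaskFactory="CodeTaskFactory"
             AssemblyFile="$(MSBuildToolsPath)\\Microsoft.Build.Tasks.v4.0.dll">
    <Task>
      <Code Type="Class" Language="cs"><![CDATA[ /* inline C# body omitted */ ]]></Code>
    </Task>
  </UsingTask>
</Project>
"""

def _local(tag):
    """Strip the MSBuild XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]

def inline_task_findings(csproj_xml):
    """Return one finding per UsingTask that embeds source code or names a
    code task factory. Each hit is worth an analyst's look: a build file that
    compiles and runs its own code is the pattern the MSBuild abuse relies on."""
    findings = []
    root = ET.fromstring(csproj_xml)
    for el in root.iter():
        if _local(el.tag) != "UsingTask":
            continue
        factory = el.get("TaskFactory", "")
        code = [c for c in el.iter() if _local(c.tag) == "Code"]
        if code or factory.endswith("CodeTaskFactory"):
            findings.append({
                "task": el.get("TaskName", "?"),
                "factory": factory,
                "inline_code": bool(code),
                "language": code[0].get("Language", "") if code else "",
            })
    return findings

if __name__ == "__main__":
    for f in inline_task_findings(SAMPLE_CSPROJ):
        print(f"inline task '{f['task']}' via {f['factory']} ({f['language'] or 'n/a'})")
```

On endpoints, the same pattern is visible as a renamed or unexpected MSBuild binary spawned from a user-writable directory with a .csproj argument, which is the process telemetry to hunt for.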

TA416 or Mustang Panda?

TA416 is the codename attributed to a Chinese-backed advanced persistent threat (APT) group also known by many names, the most common of which is Mustang Panda.

According to MITRE ATT&CK, Mustang Panda was first discovered in 2012 and has been targeting government, diplomatic and non-governmental organizations, including think tanks, religious institutions and research entities, across the US, Europe and Asia, with notable activity in Russia, Mongolia, Myanmar, Pakistan and Vietnam.

However, Proofpoint researchers track Mustang Panda under two primary clusters: TA416 (aka Vertigo Panda, RedDelta, Red Lich, UNC6384, SmugX, DarkPeony) and a second group tracked under the temporary designator UNK_SteadySplit (aka CerenaKeeper, Red Ishtar).

Prior research by Trend Micro had identified technical overlaps between TA416 and UNK_SteadySplit, most notably a UNK_SteadySplit TONESHELL command-and-control (C2) IP address embedded in a file path within two LNK files used in TA416 campaigns.

The latest Proofpoint report suggested that these connections imply some form of organizational, personnel or hierarchical link between the two groups.

However, Proofpoint clarified that while such overlaps were documented in earlier operations, the nature of the relationship remains unclear and no similar connections have been observed in recent campaigns.

Proofpoint also highlighted that other aliases for Mustang Panda, including Twill Typhoon, Temp.HEX, Earth Preta, Stately Taurus, HoneyMyte and Hive0154, likely refer to campaigns in which TA416 and UNK_SteadySplit were working together.

TA416’s Infrastructure

TA416 uses a steady supply of re-registered, formerly legitimate domains for C2, malware delivery and web bugs, often first using domains within days after re-registering them, a tactic that allows the group to evade domain reputation-based security controls.

Proofpoint noted that the 2025 and 2026 TA416 campaigns were leveraging virtual private server (VPS) providers Evoxt Enterprise (AS149440), XNNET LLC (AS6134) and Kaopu Cloud HK Limited (AS138915).

The group typically also uses the Cloudflare Content Delivery Network (CDN) to obscure backend hosting IP addresses used for malware delivery and C2 and deploys minimal fake websites on its C2 domains, likely to hinder signaturing and tracking efforts and to make these domains appear legitimate.

In October 2025, Arctic Wolf reported on a cyber espionage campaign targeting Belgian and Hungarian diplomats that it attributed to Mustang Panda.