216.73.217.139

TA416 resumes European government espionage campaigns

· Published 07/04/2026 13:11 · Modified 07/04/2026 11:26

Export JSON

Essential information

Published
07/04/2026 13:11
Modified
07/04/2026 11:26
Source / Author
AlienVault
Confidence
100/100
Report type(s)
threat-report
Labels / Tags
cloudflare turnstile korplug plugx ta416 toneshell
Tags
2026-04-07 cloudflare turnstile korplug plugx ta416 toneshell
Related entities
168 indicators, 168 observables, 2 intrusion sets (apt), 5 malware, 89 others

Description

Since mid-2025, China-aligned threat actor has resumed targeting European government and diplomatic organizations after a two-year operational shift to Southeast Asia. The campaigns primarily focused on diplomatic missions to the EU and NATO, using web bug reconnaissance and malware delivery through compromised accounts and attacker-controlled infrastructure. In March 2026, expanded operations to Middle Eastern diplomatic entities following the Iran conflict outbreak. Throughout this period, the actor continuously evolved infection chains, utilizing fake pages, OAuth redirect abuse, and C# project files to deliver a customized backdoor via DLL sideloading. The group employed both broad reconnaissance campaigns and targeted malware delivery, demonstrating sophisticated tradecraft including use of re-registered legitimate domains and cloud infrastructure for command and control operations.

External references