China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
Summary
The China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations since mid-2025, employing PlugX malware and OAuth-based phishing. This campaign marks a significant shift after a two-year lull in the group's activity within the region.
IFF Assessment
The targeting of government entities with sophisticated malware and phishing techniques by a nation-state-backed actor poses a direct threat to national security and data integrity.
Defender Context
Defenders in European government and diplomatic sectors should be vigilant for advanced phishing attempts, including OAuth-based lures, and be prepared to detect and respond to PlugX malware. Organizations should ensure robust endpoint detection and response capabilities, along with continuous monitoring for indicators of compromise associated with TA416 and its related clusters.