Key Takeaway
Since mid-2025, the China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year lull. The group employs spear-phishing, exploits Microsoft Office vulnerabilities, and uses multi-stage malware to conduct espionage. Detection and defense require patch management, email filtering, and endpoint monitoring.
Since mid-2025, the China-aligned threat actor TA416 has resumed targeting European government and diplomatic entities after a two-year lull. TA416 is a known cluster of activity linked to multiple aliases including DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. These groups have been historically associated with Chinese state-sponsored espionage operations.
The campaign employs advanced persistent threat tactics, techniques, and procedures (TTPs) such as spear-phishing emails with malicious attachments, exploitation of public-facing vulnerabilities, and deployment of custom malware loaders. TA416 exploits CVE-2022-30190 (Follina) against Microsoft Support Diagnostic Tool (MSDT) and CVE-2021-40444 vulnerabilities in Microsoft Office components to gain initial access into targeted networks.
Once inside, the group dumps credentials with tools such as Mimikatz and moves laterally over Windows Management Instrumentation (WMI) and Remote Desktop Protocol (RDP) to escalate privileges and maintain persistence. It deploys custom backdoors, including PlugX and ShadowPad, to exfiltrate sensitive information.
The campaign primarily targets European diplomatic missions, government ministries, and related international organizations, focusing on geopolitical intelligence gathering. Indicators of compromise (IOCs) include IP addresses associated with command-and-control (C2) infrastructure located in China and Southeast Asia, domain names mimicking legitimate government sites, and file hashes linked to previously documented TA416 malware variants.
The campaign's objective is consistent with espionage: acquiring confidential diplomatic communications and policy-related data that benefit Chinese strategic interests. The resurgence after a period of reduced activity suggests either a recalibration of priorities or the pursuit of opportunities created by evolving geopolitical events.
Detection recommendations include monitoring for exploitation attempts of CVE-2022-30190 and CVE-2021-40444, analyzing network traffic for unusual connections to known TA416 C2 servers, and deploying Endpoint Detection and Response (EDR) tools with signatures for PlugX and ShadowPad malware. Microsoft Defender for Endpoint and CrowdStrike Falcon offer detection capabilities for these TTPs. Regular patching of Microsoft Office and Windows systems mitigates exploitation risks.
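As an added illustration of the endpoint-side monitoring recommended above (not code from the original article or from any vendor product), the script below classifies constructed Sysmon-style process-creation events against three heuristics that are commonly used for these TTPs: an Office application launching MSDT or any `ms-msdt:` handler URI (CVE-2022-30190), an Office application launching `control.exe` on a `.cpl` under a user-writable path (the pattern seen with CVE-2021-40444 chains), and WmiPrvSE spawning a shell (WMI-based remote execution). Host names, paths and command lines in the sample are assumptions.

```python
"""Added example: a small detector for host telemetry patterns matching the initial-access
and lateral-movement TTPs named in the article. Events are constructed Sysmon-style process
creation records (ParentImage / Image / CommandLine), not real telemetry."""

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\inetcache\\")

def basename(path: str) -> str:
    """Lower-case file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the rule names the event trips; an empty list means nothing matched."""
    parent, image = basename(event["ParentImage"]), basename(event["Image"])
    cmd = event["CommandLine"].lower().replace("/", "\\")  # normalise path separators
    hits = []
    # CVE-2022-30190 (Follina): an Office app launching MSDT, or any ms-msdt: URI handler
    if (parent in OFFICE_APPS and image == "msdt.exe") or "ms-msdt:" in cmd:
        hits.append("follina_msdt")
    # CVE-2021-40444 style chain: Office launching control.exe on a .cpl under a user-writable path
    if parent in OFFICE_APPS and image == "control.exe" and ".cpl" in cmd \
            and any(p in cmd for p in USER_WRITABLE):
        hits.append("office_control_cpl")
    # WMI-driven remote execution: WmiPrvSE spawning a shell on the target host
    if parent == "wmiprvse.exe" and image in SHELLS:
        hits.append("wmi_remote_shell")
    return hits

def scan(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (host, rules) for every event that trips at least one rule."""
    return [(e["Computer"], h) for e in events if (h := classify(e))]

SAMPLE_EVENTS = [  # constructed for illustration; hosts and paths are assumed
    {"Computer": "dip-ws01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\System32\msdt.exe",
     "CommandLine": r'"C:\Windows\System32\msdt.exe" ms-msdt:/id PCWDiagnostic /skip force'},
    {"Computer": "dip-ws01", "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe", "CommandLine": r"C:\Windows\splwow64.exe 12288"},  # benign print helper
    {"Computer": "dip-fs02", "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": r"cmd.exe /c whoami > C:\Windows\Temp\o.txt"},
]

if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS):
        print(f"{host}: {', '.join(rules)}")
```

These heuristics are deliberately narrow; in production they belong alongside the EDR vendor signatures the article mentions, with benign parent/child pairs (such as the print helper in the sample) tuned out per environment.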
Defensive measures should also emphasize restricting RDP usage, enforcing multi-factor authentication (MFA), and conducting phishing awareness training. Network segmentation limits lateral movement, while proactive threat hunting for TA416 IOCs enables early incident response.
This campaign underscores the persistent targeting of European government sectors by Chinese APT groups employing sophisticated tradecraft and evolving exploitation techniques.
Original Source: The Hacker News