What happened
A China-linked threat cluster known as TA416 has been targeting European government and diplomatic organizations since mid-2025 through multiple waves of phishing and malware delivery campaigns. The activity focused on diplomatic missions connected to the European Union and NATO across several European countries. Researchers said the group used several evolving delivery methods, including web bugs, abuse of Cloudflare Turnstile challenge pages, OAuth redirect abuse, and malicious C# project files. The campaign consistently delivered variants of the PlugX backdoor. In one observed wave from December 2025, phishing emails used links to a legitimate Microsoft OAuth authorization endpoint that redirected targets to attacker-controlled infrastructure and then delivered malicious archives. Later activity in February 2026 used archives hosted on Google Drive or a compromised SharePoint instance.
Who is affected
The direct exposure affects European government and diplomatic entities, particularly missions associated with the European Union and NATO. The report also said the same cluster expanded activity toward government and diplomatic targets in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026.
Why CISOs should care
This matters because the campaign combines reconnaissance and malware delivery against high-value diplomatic targets while regularly changing the infection chain to improve delivery and evade defenses. The repeated use of PlugX, OAuth redirect abuse, freemail accounts, and trusted cloud hosting shows a deliberate effort to blend malicious activity into normal enterprise workflows and trusted services.
3 practical actions
- Review OAuth redirect exposure: Check whether phishing defenses and user guidance account for abuse of legitimate Microsoft OAuth endpoints that can redirect users to attacker-controlled infrastructure.
- Watch for DLL side-loading and MSBuild abuse: Hunt for suspicious use of MSBuild, malicious CSPROJ files, and DLL side-loading chains that could deliver PlugX on targeted systems.
- Treat diplomatic and government users as high-priority phishing targets: Tighten monitoring and response around freemail-based lures, tracking pixels, and archive downloads aimed at government and diplomatic staff.
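The first two actions can be turned into simple hunting checks. The script below is an added example written for this brief, not code from the report or from any vendor tooling. It runs two checks over constructed sample data: it flags links to a Microsoft OAuth authorization endpoint whose redirect target is outside a tenant allowlist, and it flags MSBuild launches that build a .csproj from a user-writable location. The report does not say which URL parameter carried the redirect, so the check assumes the standard OAuth `redirect_uri` parameter; the allowlisted domains, the lure domain, the user names and the file paths are hypothetical placeholders and not indicators from the campaign.

```python
"""Hunting helpers for OAuth redirect abuse and MSBuild/.csproj abuse.

All sample data below is constructed for illustration. Domains, paths and
the allowlist are placeholders, not indicators from the TA416 report.
"""
import re
from urllib.parse import parse_qs, urlparse

# Real Microsoft identity platform sign-in hosts; authorization requests
# against these hosts are the ones worth inspecting for odd redirects.
OAUTH_HOSTS = {"login.microsoftonline.com", "login.live.com"}

# Hypothetical allowlist: the redirect targets your own applications register.
REDIRECT_ALLOWLIST = {"portal.example-ministry.gov", "login.example-ministry.gov"}

# Windows locations a standard user can write to; a .csproj built from here by
# MSBuild is unusual for a diplomatic or government workstation.
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop|Documents)\\"
    r"|\\Users\\Public\\|\\ProgramData\\|\\Windows\\Temp\\",
    re.IGNORECASE,
)
CSPROJ_TOKEN = re.compile(r'"[^"]+\.csproj"|\S+\.csproj', re.IGNORECASE)


def suspicious_oauth_redirect(url: str) -> bool:
    """True if an OAuth authorize URL would send the user to a host we do not own.

    Assumes the post-authentication destination travels in redirect_uri
    (the standard OAuth parameter); parse_qs undoes the URL encoding.
    """
    parsed = urlparse(url)
    if parsed.hostname not in OAUTH_HOSTS or "/authorize" not in parsed.path:
        return False  # not an authorization request against a Microsoft endpoint
    for target in parse_qs(parsed.query).get("redirect_uri", []):
        host = urlparse(target).hostname or ""
        if host.lower() not in REDIRECT_ALLOWLIST:
            return True
    return False


def suspicious_msbuild(cmdline: str) -> bool:
    """True if MSBuild is asked to build a .csproj from a user-writable path."""
    if not re.search(r"msbuild(\.exe)?", cmdline, re.IGNORECASE):
        return False
    for project in CSPROJ_TOKEN.findall(cmdline):
        if USER_WRITABLE.search(project.strip('"')):
            return True
    return False


def hunt(email_urls, process_cmdlines):
    """Run both checks and return (rule, evidence) pairs for review."""
    findings = [("oauth_redirect", u) for u in email_urls if suspicious_oauth_redirect(u)]
    findings += [("msbuild_csproj", c) for c in process_cmdlines if suspicious_msbuild(c)]
    return findings


# Constructed sample input: URLs extracted from inbound mail.
SAMPLE_URLS = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc"
    "&response_type=code&redirect_uri=https%3A%2F%2Flogin.example-ministry.gov%2Fcallback",
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc"
    "&response_type=code&redirect_uri=https%3A%2F%2Fupdates.invoice-portal.example%2Fdl",
    "https://www.example.org/report.pdf",
]

# Constructed sample input: process command lines from endpoint telemetry.
SAMPLE_CMDLINES = [
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" '
    r"C:\Users\alice\AppData\Local\Temp\Report.csproj",
    r'"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" '
    r"C:\src\internal-app\App.csproj",
    r"notepad.exe C:\Users\alice\notes.txt",
]

if __name__ == "__main__":
    for rule, evidence in hunt(SAMPLE_URLS, SAMPLE_CMDLINES):
        print(f"[{rule}] {evidence}")
```

On the constructed data the script reports one OAuth authorize link whose `redirect_uri` points at an unlisted host and one MSBuild launch building a project out of a user's Temp directory; the legitimate sign-in link, the ordinary PDF link, and the build of an internal source tree are left alone. In practice the allowlist should be populated from the redirect URIs actually registered on your tenant's applications, and the path list extended with whatever staging directories your endpoint telemetry shows users writing to.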
