China-Linked Hackers Target European Governments

A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of min


A Chinese state-aligned threat actor has launched a renewed campaign against European government and diplomatic institutions, marking a significant shift after a two-year hiatus in regional targeting. The threat actor, tracked as TA416, has been actively pursuing sensitive government networks since mid-2025, employing sophisticated tactics to breach high-value targets across the continent.

Chinese State Actor Resumes European Targeting

TA416, also known by multiple aliases including DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda, represents a cluster of coordinated malicious activity with established links to Chinese cyber operations. The renewed focus on European entities indicates a strategic pivot toward diplomatic and governmental intelligence gathering in the region.

PlugX and OAuth Phishing Drive Network Breaches

The campaign leverages two primary attack vectors to compromise targets. First, TA416 deploys PlugX, a remote access trojan that provides attackers with extensive control over infected systems. PlugX has been a cornerstone tool in the threat actor's arsenal for years, enabling persistence and lateral movement within compromised networks. Second, the group employs OAuth-based phishing techniques designed to deceive government employees into surrendering legitimate credentials. This method exploits trust in recognized authentication systems, allowing attackers to bypass traditional security defenses and establish authenticated access to sensitive systems.

Intelligence Collection Targeting Diplomatic Networks

The timing of this campaign raises concerns about intelligence collection targeting European diplomatic initiatives, policy discussions, and governmental decision-making processes. The two-year lull in European targeting suggests this renewed activity represents a deliberate strategic choice rather than opportunistic exploitation.

Security Measures for Government Defense

Security researchers emphasize the importance of enforcing multi-factor authentication and deploying advanced email filtering to detect phishing attempts. Government agencies are advised to conduct immediate security assessments and to review access logs for signs of compromise. The campaign underscores the persistent threat posed by well-resourced state-aligned actors capable of sustaining sophisticated, long-term operations against high-profile targets.

Editorial note: This article represents original analysis and commentary by the TechDailyPulse editorial team.