PULSE NAME
TA416 resumes European government espionage campaigns
WHITE MUSTANG PANDA AlienVault 2026-04-07 Modified: 2026-04-07
256 IOCs (HIGH VOLUME)
Since mid-2025, China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year operational shift to Southeast Asia. The campaigns primarily focused on diplomatic missions to the EU and NATO, using web bug reconnaissance and malware delivery through compromised accounts and attacker-controlled infrastructure. In March 2026, TA416 expanded operations to Middle Eastern diplomatic entities following the Iran conflict outbreak. Throughout this period, the actor continuously evolved infection chains, utilizing fake Cloudflare Turnstile pages, OAuth redirect abuse, and C# project files to deliver a customized PlugX backdoor via DLL sideloading. The group employed both broad reconnaissance campaigns and targeted malware delivery, demonstrating sophisticated tradecraft including use of re-registered legitimate domains and cloud infrastructure for command and control operations.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
PlugX - S0013, Thoper, TVT, DestroyRAT, Sogu, Kaba, Korplug, TONESHELL, PUBLOAD
Indicators of Compromise (44 / 256 total)