← Back to Pulse Feed
PULSE DETAIL
Since mid-2025, China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year operational shift to Southeast Asia. The campaigns primarily focused on diplomatic missions to the EU and NATO, using web bug reconnaissance and malware delivery through compromised accounts and attacker-controlled infrastructure. In March 2026, TA416 expanded operations to Middle Eastern diplomatic entities following the Iran conflict outbreak. Throughout this period, the actor continuously evolved infection chains, utilizing fake Cloudflare Turnstile pages, OAuth redirect abuse, and C# project files to deliver a customized PlugX backdoor via DLL sideloading. The group employed both broad reconnaissance campaigns and targeted malware delivery, demonstrating sophisticated tradecraft including use of re-registered legitimate domains and cloud infrastructure for command and control operations.
MITRE ATT&CK & Malware Families
MALWARE FAMILIES
PlugX - S0013
Thoper
TVT
DestroyRAT
Sogu
Kaba
Korplug
TONESHELL
PUBLOAD
Indicators of Compromise (78 / 256 total)
| TYPE | INDICATOR | DESCRIPTION | CREATED | |
|---|---|---|---|---|
| domain | aaitile.com | — | 2026-04-07 | |
| domain | adimagemarketing.com | — | 2026-04-07 | |
| domain | alpinemfg.net | — | 2026-04-07 | |
| domain | amblecote.net | — | 2026-04-07 | |
| domain | anbusivam.com | — | 2026-04-07 | |
| domain | atravelingwitch.com | — | 2026-04-07 | |
| domain | basecampbox.com | — | 2026-04-07 | |
| domain | bobbush.org | — | 2026-04-07 | |
| domain | buddhismnewsdaily.org | — | 2026-04-07 | |
| domain | buscacnpj.org | — | 2026-04-07 | |
| domain | bushidomma.net | — | 2026-04-07 | |
| domain | busopps.org | — | 2026-04-07 | |
| domain | buywownow.com | — | 2026-04-07 | |
| domain | buzzurro.net | — | 2026-04-07 | |
| domain | carhirechicago.com | — | 2026-04-07 | |
| domain | cnrelojes.com | — | 2026-04-07 | |
| domain | coastallasercompany.com | — | 2026-04-07 | |
| domain | colorflee.org | — | 2026-04-07 | |
| domain | creatday.com | — | 2026-04-07 | |
| domain | cseconline.org | — | 2026-04-07 | |
| domain | cubukluescort.com | — | 2026-04-07 | |
| domain | dalerocks.com | — | 2026-04-07 | |
| domain | decoraat.net | — | 2026-04-07 | |
| domain | designehair.com | — | 2026-04-07 | |
| domain | devlyrics.com | — | 2026-04-07 | |
| domain | devredin.com | — | 2026-04-07 | |
| domain | dnzapping.com | — | 2026-04-07 | |
| domain | doorforum.com | — | 2026-04-07 | |
| domain | ecoafrique.net | — | 2026-04-07 | |
| domain | ecolnomy.com | — | 2026-04-07 | |
| domain | ecomputers.org | — | 2026-04-07 | |
| domain | embwishes.com | — | 2026-04-07 | |
| domain | espacebus.com | — | 2026-04-07 | |
| domain | famisu.com | — | 2026-04-07 | |
| domain | florarevival.com | — | 2026-04-07 | |
| domain | foxmediagency.com | — | 2026-04-07 | |
| domain | fruitbrat.com | — | 2026-04-07 | |
| domain | fuyuju.com | — | 2026-04-07 | |
| domain | gesecole.net | — | 2026-04-07 | |
| domain | gestationsdiabetes.com | — | 2026-04-07 | |
| domain | ghonline.net | — | 2026-04-07 | |
| domain | goodmedsx.com | — | 2026-04-07 | |
| domain | gynecocuk.net | — | 2026-04-07 | |
| domain | harrietmwelch.com | — | 2026-04-07 | |
| domain | hayabusamt.com | — | 2026-04-07 | |
| domain | hnk-capljina.com | — | 2026-04-07 | |
| domain | hoplitellc.com | — | 2026-04-07 | |
| domain | it-evenement.nl | — | 2026-04-07 | |
| domain | loumuenz.com | — | 2026-04-07 | |
| domain | majicbus.org | — | 2026-04-07 | |
| domain | meritsoftwebportals.com | — | 2026-04-07 | |
| domain | mettayoga.org | — | 2026-04-07 | |
| domain | mongolianews.info | — | 2026-04-07 | |
| domain | napasbdc.org | — | 2026-04-07 | |
| domain | nvofficespace.com | — | 2026-04-07 | |
| domain | ombut.com | — | 2026-04-07 | |
| domain | papermoonweddings.com | — | 2026-04-07 | |
| domain | paquimetro.net | — | 2026-04-07 | |
| domain | phbusiness.net | — | 2026-04-07 | |
| domain | phpthemes.net | — | 2026-04-07 | |
| domain | portabalbufe.com | — | 2026-04-07 | |
| domain | premegalithic.com | — | 2026-04-07 | |
| domain | racineupci.org | — | 2026-04-07 | |
| domain | rhonline.net | — | 2026-04-07 | |
| domain | rondabusco.com | — | 2026-04-07 | |
| domain | ronnybush.net | — | 2026-04-07 | |
| domain | shalomrav.org | — | 2026-04-07 | |
| domain | softhunts.com | — | 2026-04-07 | |
| domain | speedifynews.com | — | 2026-04-07 | |
| domain | stuypa.org | — | 2026-04-07 | |
| domain | subusiness.org | — | 2026-04-07 | |
| domain | supplementsoftheyear.com | — | 2026-04-07 | |
| domain | thecamco.net | — | 2026-04-07 | |
| domain | theprmummy.com | — | 2026-04-07 | |
| domain | turileco.net | — | 2026-04-07 | |
| domain | welnetsanda.org | — | 2026-04-07 | |
| domain | winesnmore.net | — | 2026-04-07 | |
| domain | ytsonline.net | — | 2026-04-07 |