{
  "type": "SHA1",
  "indicator": "a019aaa7b90bca17ef8f9910db3ad7c0a3c2afe4",
  "general": {
    "sections": [
      "general",
      "analysis"
    ],
    "type": "sha1",
    "type_title": "FileHash-SHA1",
    "indicator": "a019aaa7b90bca17ef8f9910db3ad7c0a3c2afe4",
    "validation": [],
    "base_indicator": {
      "id": 4144448022,
      "indicator": "a019aaa7b90bca17ef8f9910db3ad7c0a3c2afe4",
      "type": "FileHash-SHA1",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 12,
      "pulses": [
        {
          "id": "69d4e667e8ab2d6d4082fc5b",
          "name": "TA416 resumes European government espionage campaigns",
          "description": "Since mid-2025, China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year operational shift to Southeast Asia. The campaigns primarily focused on diplomatic missions to the EU and NATO, using web bug reconnaissance and malware delivery through compromised accounts and attacker-controlled infrastructure. In March 2026, TA416 expanded operations to Middle Eastern diplomatic entities following the Iran conflict outbreak. Throughout this period, the actor continuously evolved infection chains, utilizing fake Cloudflare Turnstile pages, OAuth redirect abuse, and C# project files to deliver a customized PlugX backdoor via DLL sideloading. The group employed both broad reconnaissance campaigns and targeted malware delivery, demonstrating sophisticated tradecraft including use of re-registered legitimate domains and cloud infrastructure for command and control operations.",
          "modified": "2026-04-07T11:15:15.800000",
          "created": "2026-04-07T11:11:35.434000",
          "tags": [
            "toneshell",
            "cloudflare turnstile",
            "korplug",
            "plugx",
            "TA416"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
          ],
          "public": 1,
          "adversary": "MUSTANG PANDA",
          "targeted_countries": [
            "Belgium",
            "Iceland",
            "Syrian Arab Republic",
            "Kuwait",
            "Iran, Islamic Republic of",
            "Kosovo",
            "Bangladesh"
          ],
          "malware_families": [
            {
              "id": "PlugX - S0013",
              "display_name": "PlugX - S0013",
              "target": null
            },
            {
              "id": "Thoper",
              "display_name": "Thoper",
              "target": null
            },
            {
              "id": "TVT",
              "display_name": "TVT",
              "target": null
            },
            {
              "id": "DestroyRAT",
              "display_name": "DestroyRAT",
              "target": null
            },
            {
              "id": "Sogu",
              "display_name": "Sogu",
              "target": null
            },
            {
              "id": "Kaba",
              "display_name": "Kaba",
              "target": null
            },
            {
              "id": "Korplug",
              "display_name": "Korplug",
              "target": null
            },
            {
              "id": "TONESHELL",
              "display_name": "TONESHELL",
              "target": null
            },
            {
              "id": "PUBLOAD",
              "display_name": "PUBLOAD",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 44,
            "FileHash-SHA1": 44,
            "FileHash-SHA256": 73,
            "URL": 10,
            "domain": 78,
            "hostname": 7
          },
          "indicator_count": 256,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376729,
          "modified_text": "7 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "690474cfdaff6b0b244d228b",
          "name": "UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities",
          "description": "Chinese-affiliated threat actor UNC6384 is conducting a cyber espionage campaign targeting European diplomatic entities, particularly in Hungary and Belgium. The group exploits the ZDI-CAN-25373 Windows vulnerability to deliver PlugX malware through spearphishing emails with malicious LNK files. The campaign uses diplomatic conference themes as lures and employs DLL side-loading of legitimate Canon printer utilities. UNC6384 has expanded its operations from Southeast Asia to Europe, demonstrating rapid adoption of new vulnerabilities and refined social engineering techniques. The malware provides persistent remote access for intelligence collection on European foreign policy, defense cooperation, and economic matters. This campaign highlights the evolving capabilities of Chinese cyber espionage efforts and their strategic focus on diplomatic targets.",
          "modified": "2025-10-31T09:07:56.425000",
          "created": "2025-10-31T08:35:27.917000",
          "tags": [
            "canonstager",
            "dll side-loading",
            "spearphishing",
            "plugx",
            "diplomatic targeting",
            "zdi-can-25373"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx"
          ],
          "public": 1,
          "adversary": "UNC6384",
          "targeted_countries": [
            "Belgium",
            "Hungary",
            "Italy",
            "Netherlands",
            "Serbia"
          ],
          "malware_families": [
            {
              "id": "PlugX - S0013",
              "display_name": "PlugX - S0013",
              "target": null
            },
            {
              "id": "Thoper",
              "display_name": "Thoper",
              "target": null
            },
            {
              "id": "TVT",
              "display_name": "TVT",
              "target": null
            },
            {
              "id": "DestroyRAT",
              "display_name": "DestroyRAT",
              "target": null
            },
            {
              "id": "Sogu",
              "display_name": "Sogu",
              "target": null
            },
            {
              "id": "Kaba",
              "display_name": "Kaba",
              "target": null
            },
            {
              "id": "Korplug",
              "display_name": "Korplug",
              "target": null
            },
            {
              "id": "CanonStager",
              "display_name": "CanonStager",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1132.001",
              "name": "Standard Encoding",
              "display_name": "T1132.001 - Standard Encoding"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1036.005",
              "name": "Match Legitimate Name or Location",
              "display_name": "T1036.005 - Match Legitimate Name or Location"
            },
            {
              "id": "T1587.001",
              "name": "Malware",
              "display_name": "T1587.001 - Malware"
            },
            {
              "id": "T1204.002",
              "name": "Malicious File",
              "display_name": "T1204.002 - Malicious File"
            },
            {
              "id": "T1573.001",
              "name": "Symmetric Cryptography",
              "display_name": "T1573.001 - Symmetric Cryptography"
            },
            {
              "id": "T1497.001",
              "name": "System Checks",
              "display_name": "T1497.001 - System Checks"
            },
            {
              "id": "T1566.001",
              "name": "Spearphishing Attachment",
              "display_name": "T1566.001 - Spearphishing Attachment"
            },
            {
              "id": "T1553.002",
              "name": "Code Signing",
              "display_name": "T1553.002 - Code Signing"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1608.001",
              "name": "Upload Malware",
              "display_name": "T1608.001 - Upload Malware"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1547.001",
              "name": "Registry Run Keys / Startup Folder",
              "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
            },
            {
              "id": "T1562.001",
              "name": "Disable or Modify Tools",
              "display_name": "T1562.001 - Disable or Modify Tools"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1001.003",
              "name": "Protocol Impersonation",
              "display_name": "T1001.003 - Protocol Impersonation"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1574.002",
              "name": "DLL Side-Loading",
              "display_name": "T1574.002 - DLL Side-Loading"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            }
          ],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 36,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 22,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 21,
            "domain": 5
          },
          "indicator_count": 69,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376731,
          "modified_text": "165 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d73f806377e1786da61411",
          "name": "EbeeApril2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-04-09T05:56:16.764000",
          "created": "2026-04-09T05:56:16.764000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1"
          ],
          "references": [
            "Book1.csv"
          ],
          "public": 1,
          "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 96,
            "URL": 77,
            "FileHash-MD5": 180,
            "FileHash-SHA1": 136,
            "FileHash-SHA256": 280,
            "CVE": 2,
            "domain": 162,
            "hostname": 56
          },
          "indicator_count": 989,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "5 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d161211b583b5382704681",
          "name": "I\u2019d come running back to EU again: TA416 resumes European government espionage campaigns | Proofpoint US",
          "description": "",
          "modified": "2026-04-04T19:06:09.696000",
          "created": "2026-04-04T19:06:09.696000",
          "tags": [
            "domain c",
            "ta416",
            "proofpoint",
            "strong",
            "sha256",
            "dec25",
            "march",
            "unksteadysplit",
            "url fake",
            "oauth",
            "plugx",
            "february",
            "protect",
            "turn",
            "alliance",
            "fortune",
            "guardian",
            "april",
            "reddelta",
            "ukraine",
            "sharepoint",
            "august",
            "service",
            "toneshell",
            "vertigo",
            "panda",
            "first"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mengkuong",
            "id": "239193",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_239193/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 44,
            "FileHash-SHA1": 44,
            "FileHash-SHA256": 73,
            "URL": 10,
            "domain": 78,
            "hostname": 7
          },
          "indicator_count": 256,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "10 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cf72c21418b38c1323127e",
          "name": "aFDSAFSGDF",
          "description": "Hundreds of companies and organisations have been involved in a series of business-related events over the past six months, and the number of them has more than doubled to 5,000 (1.4 million names).",
          "modified": "2026-04-03T07:56:50.797000",
          "created": "2026-04-03T07:56:50.797000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "harshandc123",
            "id": "378589",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 30,
            "FileHash-SHA1": 30,
            "FileHash-SHA256": 30,
            "URL": 4,
            "domain": 65,
            "hostname": 4
          },
          "indicator_count": 163,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 16,
          "modified_text": "11 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cf2894db2607356b9bd293",
          "name": "IOC - I\u2019d come running back to EU again: TA416 resumes European government espionage campaigns",
          "description": "In 2022, Proofpoint reported on high-volume TA416 activity targeting European governments, which increased sharply as Russian troops began amassing on the border of Ukraine. This high operational tempo of TA416 campaigns against European government targets continued until mid-2023, when the group shifted targeting away from Europe. From mid-2023 until mid-2025, Proofpoint observed minimal TA416 targeting within Europe, with the group mostly active across Southeast Asia, Taiwan, and Mongolia during this period.",
          "modified": "2026-04-03T02:40:20.859000",
          "created": "2026-04-03T02:40:20.859000",
          "tags": [
            "domain c",
            "sha256",
            "dec25",
            "url fake",
            "feb26",
            "domain delivery",
            "url microsoft",
            "entra id",
            "oauth",
            "guid microsoft"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 17,
            "FileHash-SHA1": 17,
            "FileHash-SHA256": 67,
            "URL": 6,
            "domain": 78,
            "hostname": 7
          },
          "indicator_count": 192,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 120,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ce8f1977e05c6e9113c123",
          "name": "TA416 resumes European government espionage campaigns",
          "description": "The threat actor known as TA416, which is aligned with Chinese interests, resumed targeting European government and diplomatic organizations from mid-2025 after a notable hiatus from such activities. The group carried out extensive web bug and malware delivery campaigns specifically aimed at EU and NATO diplomatic missions across various European nations. In March 2026, TA416 expanded its targeting to include diplomatic and government entities in the Middle East, coinciding with heightened geopolitical tensions due to escalating conflict in Iran.",
          "modified": "2026-04-02T15:45:29.707000",
          "created": "2026-04-02T15:45:29.707000",
          "tags": [
            "domain c",
            "ta416",
            "proofpoint",
            "strong",
            "sha256",
            "dec25",
            "march",
            "unksteadysplit",
            "url fake",
            "oauth",
            "plugx",
            "february",
            "protect",
            "turn",
            "alliance",
            "fortune",
            "guardian",
            "april",
            "reddelta",
            "ukraine",
            "sharepoint",
            "august",
            "service",
            "toneshell",
            "vertigo",
            "panda",
            "first",
            "newer plugx",
            "pubload"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
          ],
          "public": 1,
          "adversary": "TA416",
          "targeted_countries": [
            "Iran, Islamic Republic of",
            "Taiwan",
            "Mongolia",
            "Greenland",
            "Ukraine",
            "Myanmar",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "TA416",
              "display_name": "TA416",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1036.003",
              "name": "Rename System Utilities",
              "display_name": "T1036.003 - Rename System Utilities"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1127.001",
              "name": "MSBuild",
              "display_name": "T1127.001 - MSBuild"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Diplomatic",
            "Government",
            "Foreign Affairs",
            "Energy",
            "Defense",
            "Hospitality",
            "Technology",
            "Diplomacy"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 73,
            "URL": 10,
            "domain": 78,
            "hostname": 7
          },
          "indicator_count": 210,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "690b3e15fa1f58b81bdfb81d",
          "name": "EbeeNov2025 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2025-12-05T12:04:04.227000",
          "created": "2025-11-05T12:07:49.857000",
          "tags": [],
          "references": [
            "Nov.Week1.pdf"
          ],
          "public": 1,
          "adversary": "Cl0p ransomware, Silent Lynx, Tor-Backed, PDFClick, DesertDexter",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "URL": 49,
            "FileHash-MD5": 152,
            "FileHash-SHA1": 99,
            "FileHash-SHA256": 186,
            "domain": 28,
            "email": 9,
            "hostname": 21
          },
          "indicator_count": 544,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 39,
          "modified_text": "130 days ago ",
          "is_modified": true,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69099ab3d81cc8c3182de815",
          "name": "UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities",
          "description": "",
          "modified": "2025-11-04T06:18:27.862000",
          "created": "2025-11-04T06:18:27.862000",
          "tags": [
            "arctic wolfitw",
            "port",
            "https",
            "plugx payload",
            "plan obuka",
            "oktobar",
            "legitimate",
            "malicious",
            "encrypted",
            "plugx malware"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": "69045f2bc0ec0fced89fecfa",
          "export_count": 3,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "Tr1sa111",
            "id": "192483",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 18,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 20,
            "domain": 4
          },
          "indicator_count": 56,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 261,
          "modified_text": "161 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69091478f4553a8328320a7a",
          "name": "TI Advisory No-ESAF-SOC-TI-430",
          "description": "",
          "modified": "2025-11-03T20:45:44.041000",
          "created": "2025-11-03T20:45:44.041000",
          "tags": [],
          "references": [
            "Cyber Threat Advisory - Chinese Threat Actor UNC6384 Exploits Windows LNK Vulnerability in European Diplomatic Espionage.pdf"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "SOC__critical43",
            "id": "361186",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 17,
            "FileHash-SHA1": 16,
            "FileHash-SHA256": 16,
            "domain": 5,
            "hostname": 1
          },
          "indicator_count": 55,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 20,
          "modified_text": "162 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "690858db4e3473b344b30224",
          "name": "UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities",
          "description": "The cyber espionage campaign attributed to the Chinese-affiliated group UNC6384 has been reported to target diplomatic entities in Hungary, Belgium, and other European nations, particularly between September and October 2025. This campaign is notable for leveraging the recently disclosed ZDI-CAN-25373 vulnerability, a Windows shortcut exploit made public in March 2025. Within just six months, UNC6384 integrated this vulnerability into its attack techniques, demonstrating a rapid adaptation to emerging threat vectors.\n\nThe attack methodology begins with the delivery of malicious LNK files through spearphishing efforts, which exploit the ZDI-CAN-25373 vulnerability to execute commands. Following the initial access, the methodology advances to utilizing DLL side-loading techniques through legitimate signed applications, specifically Canon printer utilities. This approach involves extracting a malicious DLL from a TAR file that is subsequently decrypted in memory to deploy the PlugX malware.",
          "modified": "2025-11-03T07:25:15.157000",
          "created": "2025-11-03T07:25:15.157000",
          "tags": [
            "unc6384",
            "arctic wolf",
            "arctic wolfitw",
            "september",
            "october",
            "labs",
            "defense evasion",
            "plugx",
            "plugx malware",
            "https",
            "powershell",
            "hungarian",
            "wolf",
            "green",
            "april",
            "download",
            "execution",
            "korplug",
            "sogu",
            "friday",
            "click",
            "encrypt",
            "ukraine",
            "phishing",
            "malware",
            "encrypted",
            "remote access",
            "threat intelligence",
            "upload"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/"
          ],
          "public": 1,
          "adversary": "UNC6384",
          "targeted_countries": [
            "United States of America",
            "Italy",
            "Netherlands",
            "Russian Federation",
            "Ukraine"
          ],
          "malware_families": [
            {
              "id": "PlugX",
              "display_name": "PlugX",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1001",
              "name": "Data Obfuscation",
              "display_name": "T1001 - Data Obfuscation"
            },
            {
              "id": "T1012",
              "name": "Query Registry",
              "display_name": "T1012 - Query Registry"
            },
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1041",
              "name": "Exfiltration Over C2 Channel",
              "display_name": "T1041 - Exfiltration Over C2 Channel"
            },
            {
              "id": "T1055",
              "name": "Process Injection",
              "display_name": "T1055 - Process Injection"
            },
            {
              "id": "T1057",
              "name": "Process Discovery",
              "display_name": "T1057 - Process Discovery"
            },
            {
              "id": "T1059",
              "name": "Command and Scripting Interpreter",
              "display_name": "T1059 - Command and Scripting Interpreter"
            },
            {
              "id": "T1071",
              "name": "Application Layer Protocol",
              "display_name": "T1071 - Application Layer Protocol"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1083",
              "name": "File and Directory Discovery",
              "display_name": "T1083 - File and Directory Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1106",
              "name": "Native API",
              "display_name": "T1106 - Native API"
            },
            {
              "id": "T1129",
              "name": "Shared Modules",
              "display_name": "T1129 - Shared Modules"
            },
            {
              "id": "T1132",
              "name": "Data Encoding",
              "display_name": "T1132 - Data Encoding"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            },
            {
              "id": "T1189",
              "name": "Drive-by Compromise",
              "display_name": "T1189 - Drive-by Compromise"
            },
            {
              "id": "T1204",
              "name": "User Execution",
              "display_name": "T1204 - User Execution"
            },
            {
              "id": "T1218",
              "name": "Signed Binary Proxy Execution",
              "display_name": "T1218 - Signed Binary Proxy Execution"
            },
            {
              "id": "T1497",
              "name": "Virtualization/Sandbox Evasion",
              "display_name": "T1497 - Virtualization/Sandbox Evasion"
            },
            {
              "id": "T1547",
              "name": "Boot or Logon Autostart Execution",
              "display_name": "T1547 - Boot or Logon Autostart Execution"
            },
            {
              "id": "T1553",
              "name": "Subvert Trust Controls",
              "display_name": "T1553 - Subvert Trust Controls"
            },
            {
              "id": "T1562",
              "name": "Impair Defenses",
              "display_name": "T1562 - Impair Defenses"
            },
            {
              "id": "T1566",
              "name": "Phishing",
              "display_name": "T1566 - Phishing"
            },
            {
              "id": "T1573",
              "name": "Encrypted Channel",
              "display_name": "T1573 - Encrypted Channel"
            },
            {
              "id": "T1574",
              "name": "Hijack Execution Flow",
              "display_name": "T1574 - Hijack Execution Flow"
            },
            {
              "id": "T1587",
              "name": "Develop Capabilities",
              "display_name": "T1587 - Develop Capabilities"
            },
            {
              "id": "T1608",
              "name": "Stage Capabilities",
              "display_name": "T1608 - Stage Capabilities"
            },
            {
              "id": "T1056",
              "name": "Input Capture",
              "display_name": "T1056 - Input Capture"
            },
            {
              "id": "T1102",
              "name": "Web Service",
              "display_name": "T1102 - Web Service"
            },
            {
              "id": "T1195",
              "name": "Supply Chain Compromise",
              "display_name": "T1195 - Supply Chain Compromise"
            },
            {
              "id": "T1068",
              "name": "Exploitation for Privilege Escalation",
              "display_name": "T1068 - Exploitation for Privilege Escalation"
            },
            {
              "id": "T1049",
              "name": "System Network Connections Discovery",
              "display_name": "T1049 - System Network Connections Discovery"
            }
          ],
          "industries": [
            "Diplomatic",
            "Government",
            "Tactical",
            "Defense",
            "Aviation",
            "Political"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 8,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "CVE": 1,
            "FileHash-MD5": 23,
            "FileHash-SHA1": 19,
            "FileHash-SHA256": 21,
            "YARA": 3,
            "domain": 5,
            "hostname": 5
          },
          "indicator_count": 77,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 171,
          "modified_text": "162 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        },
        {
          "id": "69045f2bc0ec0fced89fecfa",
          "name": "IOC - UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities",
          "description": "Arctic Wolf Labs has identified an active cyber espionage campaign by Chinese-affiliated threat actor UNC6384 targeting European diplomatic entities in Hungary, Belgium, and additional European nations during September and October 2025. The campaign represents a tactical evolution incorporating the exploitation of ZDI-CAN-25373, a Windows shortcut vulnerability disclosed in March 2025, alongside refined social engineering leveraging authentic diplomatic conference themes.",
          "modified": "2025-10-31T07:03:07.205000",
          "created": "2025-10-31T07:03:07.205000",
          "tags": [
            "arctic wolfitw",
            "port",
            "https",
            "plugx payload",
            "plan obuka",
            "oktobar",
            "legitimate",
            "malicious",
            "encrypted",
            "plugx malware"
          ],
          "references": [
            "https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 7,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 18,
            "FileHash-SHA1": 14,
            "FileHash-SHA256": 20,
            "domain": 4
          },
          "indicator_count": 56,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 117,
          "modified_text": "165 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "FileHash-MD5",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Nov.Week1.pdf",
        "https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/",
        "Cyber Threat Advisory - Chinese Threat Actor UNC6384 Exploits Windows LNK Vulnerability in European Diplomatic Espionage.pdf",
        "Book1.csv",
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage",
        "https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "UNC6384",
            "MUSTANG PANDA"
          ],
          "malware_families": [
            "Korplug",
            "Pubload",
            "Plugx - s0013",
            "Destroyrat",
            "Tvt",
            "Kaba",
            "Canonstager",
            "Toneshell",
            "Sogu",
            "Thoper"
          ],
          "industries": [
            "Government"
          ]
        },
        "other": {
          "adversary": [
            "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
            "Cl0p ransomware, \u2022 Silent Lynx, \u2022Tor-Backed  \u2022PDFClick \u2022DesertDexter",
            "UNC6384",
            "TA416"
          ],
          "malware_families": [
            "Plugx",
            "Ta416"
          ],
          "industries": [
            "Political",
            "Technology",
            "Energy",
            "Diplomatic",
            "Government",
            "Hospitality",
            "Aviation",
            "Defense",
            "Tactical",
            "Diplomacy",
            "Foreign affairs"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 12,
  "pulses": [
    {
      "id": "69d4e667e8ab2d6d4082fc5b",
      "name": "TA416 resumes European government espionage campaigns",
      "description": "Since mid-2025, China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year operational shift to Southeast Asia. The campaigns primarily focused on diplomatic missions to the EU and NATO, using web bug reconnaissance and malware delivery through compromised accounts and attacker-controlled infrastructure. In March 2026, TA416 expanded operations to Middle Eastern diplomatic entities following the Iran conflict outbreak. Throughout this period, the actor continuously evolved infection chains, utilizing fake Cloudflare Turnstile pages, OAuth redirect abuse, and C# project files to deliver a customized PlugX backdoor via DLL sideloading. The group employed both broad reconnaissance campaigns and targeted malware delivery, demonstrating sophisticated tradecraft including use of re-registered legitimate domains and cloud infrastructure for command and control operations.",
      "modified": "2026-04-07T11:15:15.800000",
      "created": "2026-04-07T11:11:35.434000",
      "tags": [
        "toneshell",
        "cloudflare turnstile",
        "korplug",
        "plugx",
        "TA416"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "public": 1,
      "adversary": "MUSTANG PANDA",
      "targeted_countries": [
        "Belgium",
        "Iceland",
        "Syrian Arab Republic",
        "Kuwait",
        "Iran, Islamic Republic of",
        "Kosovo",
        "Bangladesh"
      ],
      "malware_families": [
        {
          "id": "PlugX - S0013",
          "display_name": "PlugX - S0013",
          "target": null
        },
        {
          "id": "Thoper",
          "display_name": "Thoper",
          "target": null
        },
        {
          "id": "TVT",
          "display_name": "TVT",
          "target": null
        },
        {
          "id": "DestroyRAT",
          "display_name": "DestroyRAT",
          "target": null
        },
        {
          "id": "Sogu",
          "display_name": "Sogu",
          "target": null
        },
        {
          "id": "Kaba",
          "display_name": "Kaba",
          "target": null
        },
        {
          "id": "Korplug",
          "display_name": "Korplug",
          "target": null
        },
        {
          "id": "TONESHELL",
          "display_name": "TONESHELL",
          "target": null
        },
        {
          "id": "PUBLOAD",
          "display_name": "PUBLOAD",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 44,
        "FileHash-SHA1": 44,
        "FileHash-SHA256": 73,
        "URL": 10,
        "domain": 78,
        "hostname": 7
      },
      "indicator_count": 256,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376729,
      "modified_text": "7 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "690474cfdaff6b0b244d228b",
      "name": "UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities",
      "description": "Chinese-affiliated threat actor UNC6384 is conducting a cyber espionage campaign targeting European diplomatic entities, particularly in Hungary and Belgium. The group exploits the ZDI-CAN-25373 Windows vulnerability to deliver PlugX malware through spearphishing emails with malicious LNK files. The campaign uses diplomatic conference themes as lures and employs DLL side-loading of legitimate Canon printer utilities. UNC6384 has expanded its operations from Southeast Asia to Europe, demonstrating rapid adoption of new vulnerabilities and refined social engineering techniques. The malware provides persistent remote access for intelligence collection on European foreign policy, defense cooperation, and economic matters. This campaign highlights the evolving capabilities of Chinese cyber espionage efforts and their strategic focus on diplomatic targets.",
      "modified": "2025-10-31T09:07:56.425000",
      "created": "2025-10-31T08:35:27.917000",
      "tags": [
        "canonstager",
        "dll side-loading",
        "spearphishing",
        "plugx",
        "diplomatic targeting",
        "zdi-can-25373"
      ],
      "references": [
        "https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx"
      ],
      "public": 1,
      "adversary": "UNC6384",
      "targeted_countries": [
        "Belgium",
        "Hungary",
        "Italy",
        "Netherlands",
        "Serbia"
      ],
      "malware_families": [
        {
          "id": "PlugX - S0013",
          "display_name": "PlugX - S0013",
          "target": null
        },
        {
          "id": "Thoper",
          "display_name": "Thoper",
          "target": null
        },
        {
          "id": "TVT",
          "display_name": "TVT",
          "target": null
        },
        {
          "id": "DestroyRAT",
          "display_name": "DestroyRAT",
          "target": null
        },
        {
          "id": "Sogu",
          "display_name": "Sogu",
          "target": null
        },
        {
          "id": "Kaba",
          "display_name": "Kaba",
          "target": null
        },
        {
          "id": "Korplug",
          "display_name": "Korplug",
          "target": null
        },
        {
          "id": "CanonStager",
          "display_name": "CanonStager",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1132.001",
          "name": "Standard Encoding",
          "display_name": "T1132.001 - Standard Encoding"
        },
        {
          "id": "T1129",
          "name": "Shared Modules",
          "display_name": "T1129 - Shared Modules"
        },
        {
          "id": "T1036.005",
          "name": "Match Legitimate Name or Location",
          "display_name": "T1036.005 - Match Legitimate Name or Location"
        },
        {
          "id": "T1587.001",
          "name": "Malware",
          "display_name": "T1587.001 - Malware"
        },
        {
          "id": "T1204.002",
          "name": "Malicious File",
          "display_name": "T1204.002 - Malicious File"
        },
        {
          "id": "T1573.001",
          "name": "Symmetric Cryptography",
          "display_name": "T1573.001 - Symmetric Cryptography"
        },
        {
          "id": "T1497.001",
          "name": "System Checks",
          "display_name": "T1497.001 - System Checks"
        },
        {
          "id": "T1566.001",
          "name": "Spearphishing Attachment",
          "display_name": "T1566.001 - Spearphishing Attachment"
        },
        {
          "id": "T1553.002",
          "name": "Code Signing",
          "display_name": "T1553.002 - Code Signing"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1106",
          "name": "Native API",
          "display_name": "T1106 - Native API"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        },
        {
          "id": "T1608.001",
          "name": "Upload Malware",
          "display_name": "T1608.001 - Upload Malware"
        },
        {
          "id": "T1055",
          "name": "Process Injection",
          "display_name": "T1055 - Process Injection"
        },
        {
          "id": "T1218",
          "name": "Signed Binary Proxy Execution",
          "display_name": "T1218 - Signed Binary Proxy Execution"
        },
        {
          "id": "T1083",
          "name": "File and Directory Discovery",
          "display_name": "T1083 - File and Directory Discovery"
        },
        {
          "id": "T1057",
          "name": "Process Discovery",
          "display_name": "T1057 - Process Discovery"
        },
        {
          "id": "T1041",
          "name": "Exfiltration Over C2 Channel",
          "display_name": "T1041 - Exfiltration Over C2 Channel"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1547.001",
          "name": "Registry Run Keys / Startup Folder",
          "display_name": "T1547.001 - Registry Run Keys / Startup Folder"
        },
        {
          "id": "T1562.001",
          "name": "Disable or Modify Tools",
          "display_name": "T1562.001 - Disable or Modify Tools"
        },
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1001.003",
          "name": "Protocol Impersonation",
          "display_name": "T1001.003 - Protocol Impersonation"
        },
        {
          "id": "T1012",
          "name": "Query Registry",
          "display_name": "T1012 - Query Registry"
        },
        {
          "id": "T1189",
          "name": "Drive-by Compromise",
          "display_name": "T1189 - Drive-by Compromise"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1574.002",
          "name": "DLL Side-Loading",
          "display_name": "T1574.002 - DLL Side-Loading"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        }
      ],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 36,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 22,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 21,
        "domain": 5
      },
      "indicator_count": 69,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376731,
      "modified_text": "165 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d73f806377e1786da61411",
      "name": "EbeeApril2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-04-09T05:56:16.764000",
      "created": "2026-04-09T05:56:16.764000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1"
      ],
      "references": [
        "Book1.csv"
      ],
      "public": 1,
      "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 96,
        "URL": 77,
        "FileHash-MD5": 180,
        "FileHash-SHA1": 136,
        "FileHash-SHA256": 280,
        "CVE": 2,
        "domain": 162,
        "hostname": 56
      },
      "indicator_count": 989,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "5 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d161211b583b5382704681",
      "name": "I\u2019d come running back to EU again: TA416 resumes European government espionage campaigns | Proofpoint US",
      "description": "",
      "modified": "2026-04-04T19:06:09.696000",
      "created": "2026-04-04T19:06:09.696000",
      "tags": [
        "domain c",
        "ta416",
        "proofpoint",
        "strong",
        "sha256",
        "dec25",
        "march",
        "unksteadysplit",
        "url fake",
        "oauth",
        "plugx",
        "february",
        "protect",
        "turn",
        "alliance",
        "fortune",
        "guardian",
        "april",
        "reddelta",
        "ukraine",
        "sharepoint",
        "august",
        "service",
        "toneshell",
        "vertigo",
        "panda",
        "first"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mengkuong",
        "id": "239193",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_239193/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 44,
        "FileHash-SHA1": 44,
        "FileHash-SHA256": 73,
        "URL": 10,
        "domain": 78,
        "hostname": 7
      },
      "indicator_count": 256,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "10 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cf72c21418b38c1323127e",
      "name": "aFDSAFSGDF",
      "description": "Hundreds of companies and organisations have been involved in a series of business-related events over the past six months, and the number of them has more than doubled to 5,000 (1.4 million names).",
      "modified": "2026-04-03T07:56:50.797000",
      "created": "2026-04-03T07:56:50.797000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "harshandc123",
        "id": "378589",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 30,
        "FileHash-SHA1": 30,
        "FileHash-SHA256": 30,
        "URL": 4,
        "domain": 65,
        "hostname": 4
      },
      "indicator_count": 163,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 16,
      "modified_text": "11 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cf2894db2607356b9bd293",
      "name": "IOC - I\u2019d come running back to EU again: TA416 resumes European government espionage campaigns",
      "description": "In 2022, Proofpoint reported on high-volume TA416 activity targeting European governments, which increased sharply as Russian troops began amassing on the border of Ukraine. This high operational tempo of TA416 campaigns against European government targets continued until mid-2023, when the group shifted targeting away from Europe. From mid-2023 until mid-2025, Proofpoint observed minimal TA416 targeting within Europe, with the group mostly active across Southeast Asia, Taiwan, and Mongolia during this period.",
      "modified": "2026-04-03T02:40:20.859000",
      "created": "2026-04-03T02:40:20.859000",
      "tags": [
        "domain c",
        "sha256",
        "dec25",
        "url fake",
        "feb26",
        "domain delivery",
        "url microsoft",
        "entra id",
        "oauth",
        "guid microsoft"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 17,
        "FileHash-SHA1": 17,
        "FileHash-SHA256": 67,
        "URL": 6,
        "domain": 78,
        "hostname": 7
      },
      "indicator_count": 192,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 120,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ce8f1977e05c6e9113c123",
      "name": "TA416 resumes European government espionage campaigns",
      "description": "The threat actor known as TA416, which is aligned with Chinese interests, resumed targeting European government and diplomatic organizations from mid-2025 after a notable hiatus from such activities. The group carried out extensive web bug and malware delivery campaigns specifically aimed at EU and NATO diplomatic missions across various European nations. In March 2026, TA416 expanded its targeting to include diplomatic and government entities in the Middle East, coinciding with heightened geopolitical tensions due to escalating conflict in Iran.",
      "modified": "2026-04-02T15:45:29.707000",
      "created": "2026-04-02T15:45:29.707000",
      "tags": [
        "domain c",
        "ta416",
        "proofpoint",
        "strong",
        "sha256",
        "dec25",
        "march",
        "unksteadysplit",
        "url fake",
        "oauth",
        "plugx",
        "february",
        "protect",
        "turn",
        "alliance",
        "fortune",
        "guardian",
        "april",
        "reddelta",
        "ukraine",
        "sharepoint",
        "august",
        "service",
        "toneshell",
        "vertigo",
        "panda",
        "first",
        "newer plugx",
        "pubload"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "public": 1,
      "adversary": "TA416",
      "targeted_countries": [
        "Iran, Islamic Republic of",
        "Taiwan",
        "Mongolia",
        "Greenland",
        "Ukraine",
        "Myanmar",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "TA416",
          "display_name": "TA416",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1036.003",
          "name": "Rename System Utilities",
          "display_name": "T1036.003 - Rename System Utilities"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1127.001",
          "name": "MSBuild",
          "display_name": "T1127.001 - MSBuild"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Diplomatic",
        "Government",
        "Foreign Affairs",
        "Energy",
        "Defense",
        "Hospitality",
        "Technology",
        "Diplomacy"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 73,
        "URL": 10,
        "domain": 78,
        "hostname": 7
      },
      "indicator_count": 210,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 170,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "690b3e15fa1f58b81bdfb81d",
      "name": "EbeeNov2025 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2025-12-05T12:04:04.227000",
      "created": "2025-11-05T12:07:49.857000",
      "tags": [],
      "references": [
        "Nov.Week1.pdf"
      ],
      "public": 1,
      "adversary": "Cl0p ransomware, Silent Lynx, Tor-Backed, PDFClick, DesertDexter",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 8,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "URL": 49,
        "FileHash-MD5": 152,
        "FileHash-SHA1": 99,
        "FileHash-SHA256": 186,
        "domain": 28,
        "email": 9,
        "hostname": 21
      },
      "indicator_count": 544,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 39,
      "modified_text": "130 days ago ",
      "is_modified": true,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69099ab3d81cc8c3182de815",
      "name": "UNC6384 Weaponizes ZDI-CAN-25373 Vulnerability to Deploy PlugX Against Hungarian and Belgian Diplomatic Entities",
      "description": "",
      "modified": "2025-11-04T06:18:27.862000",
      "created": "2025-11-04T06:18:27.862000",
      "tags": [
        "arctic wolfitw",
        "port",
        "https",
        "plugx payload",
        "plan obuka",
        "oktobar",
        "legitimate",
        "malicious",
        "encrypted",
        "plugx malware"
      ],
      "references": [
        "https://arcticwolf.com/resources/blog/unc6384-weaponizes-zdi-can-25373-vulnerability-to-deploy-plugx/"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": "69045f2bc0ec0fced89fecfa",
      "export_count": 3,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "Tr1sa111",
        "id": "192483",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 18,
        "FileHash-SHA1": 14,
        "FileHash-SHA256": 20,
        "domain": 4
      },
      "indicator_count": 56,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 261,
      "modified_text": "161 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    },
    {
      "id": "69091478f4553a8328320a7a",
      "name": "TI Advisory No-ESAF-SOC-TI-430",
      "description": "",
      "modified": "2025-11-03T20:45:44.041000",
      "created": "2025-11-03T20:45:44.041000",
      "tags": [],
      "references": [
        "Cyber Threat Advisory - Chinese Threat Actor UNC6384 Exploits Windows LNK Vulnerability in European Diplomatic Espionage.pdf"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "SOC__critical43",
        "id": "361186",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 17,
        "FileHash-SHA1": 16,
        "FileHash-SHA256": 16,
        "domain": 5,
        "hostname": 1
      },
      "indicator_count": 55,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 20,
      "modified_text": "162 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "FileHash-MD5",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "a019aaa7b90bca17ef8f9910db3ad7c0a3c2afe4",
    "type": "Hash"
  },
  "abuseipdb": null,
  "urlhaus": null,
  "from_cache": true,
  "_cached_at": 1776586556.2424726
}