{
  "type": "Domain",
  "indicator": "hnk-capljina.com",
  "general": {
    "sections": [
      "general",
      "geo",
      "url_list",
      "passive_dns",
      "malware",
      "whois",
      "http_scans"
    ],
    "whois": "http://whois.domaintools.com/hnk-capljina.com",
    "alexa": "http://www.alexa.com/siteinfo/hnk-capljina.com",
    "indicator": "hnk-capljina.com",
    "type": "domain",
    "type_title": "Domain",
    "validation": [],
    "base_indicator": {
      "id": 2601553121,
      "indicator": "hnk-capljina.com",
      "type": "domain",
      "title": "",
      "description": "",
      "content": "",
      "access_type": "public",
      "access_reason": ""
    },
    "pulse_info": {
      "count": 6,
      "pulses": [
        {
          "id": "69d4e667e8ab2d6d4082fc5b",
          "name": "TA416 resumes European government espionage campaigns",
          "description": "Since mid-2025, China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year operational shift to Southeast Asia. The campaigns primarily focused on diplomatic missions to the EU and NATO, using web bug reconnaissance and malware delivery through compromised accounts and attacker-controlled infrastructure. In March 2026, TA416 expanded operations to Middle Eastern diplomatic entities following the Iran conflict outbreak. Throughout this period, the actor continuously evolved infection chains, utilizing fake Cloudflare Turnstile pages, OAuth redirect abuse, and C# project files to deliver a customized PlugX backdoor via DLL sideloading. The group employed both broad reconnaissance campaigns and targeted malware delivery, demonstrating sophisticated tradecraft including use of re-registered legitimate domains and cloud infrastructure for command and control operations.",
          "modified": "2026-04-07T11:15:15.800000",
          "created": "2026-04-07T11:11:35.434000",
          "tags": [
            "toneshell",
            "cloudflare turnstile",
            "korplug",
            "plugx",
            "TA416"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
          ],
          "public": 1,
          "adversary": "MUSTANG PANDA",
          "targeted_countries": [
            "Belgium",
            "Iceland",
            "Syrian Arab Republic",
            "Kuwait",
            "Iran, Islamic Republic of",
            "Kosovo",
            "Bangladesh"
          ],
          "malware_families": [
            {
              "id": "PlugX - S0013",
              "display_name": "PlugX - S0013",
              "target": null
            },
            {
              "id": "Thoper",
              "display_name": "Thoper",
              "target": null
            },
            {
              "id": "TVT",
              "display_name": "TVT",
              "target": null
            },
            {
              "id": "DestroyRAT",
              "display_name": "DestroyRAT",
              "target": null
            },
            {
              "id": "Sogu",
              "display_name": "Sogu",
              "target": null
            },
            {
              "id": "Kaba",
              "display_name": "Kaba",
              "target": null
            },
            {
              "id": "Korplug",
              "display_name": "Korplug",
              "target": null
            },
            {
              "id": "TONESHELL",
              "display_name": "TONESHELL",
              "target": null
            },
            {
              "id": "PUBLOAD",
              "display_name": "PUBLOAD",
              "target": null
            }
          ],
          "attack_ids": [],
          "industries": [
            "Government"
          ],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 19,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "api",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "AlienVault",
            "id": "2",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
            "is_subscribed": true,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 44,
            "FileHash-SHA1": 44,
            "FileHash-SHA256": 73,
            "URL": 10,
            "domain": 78,
            "hostname": 7
          },
          "indicator_count": 256,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 376729,
          "modified_text": "7 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d73f806377e1786da61411",
          "name": "EbeeApril2026 Pt1",
          "description": "Multiple APT/threat actors, Malware and Campaigns",
          "modified": "2026-04-09T05:56:16.764000",
          "created": "2026-04-09T05:56:16.764000",
          "tags": [
            "filehashsha256",
            "filehashmd5",
            "filehashsha1"
          ],
          "references": [
            "Book1.csv"
          ],
          "public": 1,
          "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 0,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "IMEBEEIMFINE",
            "id": "343873",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "IPv4": 96,
            "URL": 77,
            "FileHash-MD5": 180,
            "FileHash-SHA1": 136,
            "FileHash-SHA256": 280,
            "CVE": 2,
            "domain": 162,
            "hostname": 56
          },
          "indicator_count": 989,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 38,
          "modified_text": "5 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69d161211b583b5382704681",
          "name": "I\u2019d come running back to EU again: TA416 resumes European government espionage campaigns | Proofpoint US",
          "description": "",
          "modified": "2026-04-04T19:06:09.696000",
          "created": "2026-04-04T19:06:09.696000",
          "tags": [
            "domain c",
            "ta416",
            "proofpoint",
            "strong",
            "sha256",
            "dec25",
            "march",
            "unksteadysplit",
            "url fake",
            "oauth",
            "plugx",
            "february",
            "protect",
            "turn",
            "alliance",
            "fortune",
            "guardian",
            "april",
            "reddelta",
            "ukraine",
            "sharepoint",
            "august",
            "service",
            "toneshell",
            "vertigo",
            "panda",
            "first"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "mengkuong",
            "id": "239193",
            "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_239193/resized/80/avatar_3b9c358f36.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 44,
            "FileHash-SHA1": 44,
            "FileHash-SHA256": 73,
            "URL": 10,
            "domain": 78,
            "hostname": 7
          },
          "indicator_count": 256,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 49,
          "modified_text": "10 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cf72c21418b38c1323127e",
          "name": "aFDSAFSGDF",
          "description": "Hundreds of companies and organisations have been involved in a series of business-related events over the past six months, and the number of them has more than doubled to 5,000 (1.4 million names).",
          "modified": "2026-04-03T07:56:50.797000",
          "created": "2026-04-03T07:56:50.797000",
          "tags": [],
          "references": [],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "harshandc123",
            "id": "378589",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 30,
            "FileHash-SHA1": 30,
            "FileHash-SHA256": 30,
            "URL": 4,
            "domain": 65,
            "hostname": 4
          },
          "indicator_count": 163,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 16,
          "modified_text": "11 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69cf2894db2607356b9bd293",
          "name": "IOC - I\u2019d come running back to EU again: TA416 resumes European government espionage campaigns",
          "description": "In 2022, Proofpoint reported on high-volume TA416 activity targeting European governments, which increased sharply as Russian troops began amassing on the border of Ukraine. This high operational tempo of TA416 campaigns against European government targets continued until mid-2023, when the group shifted targeting away from Europe. From mid-2023 until mid-2025, Proofpoint observed minimal TA416 targeting within Europe, with the group mostly active across Southeast Asia, Taiwan, and Mongolia during this period.",
          "modified": "2026-04-03T02:40:20.859000",
          "created": "2026-04-03T02:40:20.859000",
          "tags": [
            "domain c",
            "sha256",
            "dec25",
            "url fake",
            "feb26",
            "domain delivery",
            "url microsoft",
            "entra id",
            "oauth",
            "guid microsoft"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
          ],
          "public": 1,
          "adversary": "",
          "targeted_countries": [],
          "malware_families": [],
          "attack_ids": [],
          "industries": [],
          "TLP": "white",
          "cloned_from": null,
          "export_count": 1,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "celestre",
            "id": "295357",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 17,
            "FileHash-SHA1": 17,
            "FileHash-SHA256": 67,
            "URL": 6,
            "domain": 78,
            "hostname": 7
          },
          "indicator_count": 192,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 120,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        },
        {
          "id": "69ce8f1977e05c6e9113c123",
          "name": "TA416 resumes European government espionage campaigns",
          "description": "The threat actor known as TA416, which is aligned with Chinese interests, resumed targeting European government and diplomatic organizations from mid-2025 after a notable hiatus from such activities. The group carried out extensive web bug and malware delivery campaigns specifically aimed at EU and NATO diplomatic missions across various European nations. In March 2026, TA416 expanded its targeting to include diplomatic and government entities in the Middle East, coinciding with heightened geopolitical tensions due to escalating conflict in Iran.",
          "modified": "2026-04-02T15:45:29.707000",
          "created": "2026-04-02T15:45:29.707000",
          "tags": [
            "domain c",
            "ta416",
            "proofpoint",
            "strong",
            "sha256",
            "dec25",
            "march",
            "unksteadysplit",
            "url fake",
            "oauth",
            "plugx",
            "february",
            "protect",
            "turn",
            "alliance",
            "fortune",
            "guardian",
            "april",
            "reddelta",
            "ukraine",
            "sharepoint",
            "august",
            "service",
            "toneshell",
            "vertigo",
            "panda",
            "first",
            "newer plugx",
            "pubload"
          ],
          "references": [
            "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
          ],
          "public": 1,
          "adversary": "TA416",
          "targeted_countries": [
            "Iran, Islamic Republic of",
            "Taiwan",
            "Mongolia",
            "Greenland",
            "Ukraine",
            "Myanmar",
            "Thailand"
          ],
          "malware_families": [
            {
              "id": "TA416",
              "display_name": "TA416",
              "target": null
            }
          ],
          "attack_ids": [
            {
              "id": "T1027",
              "name": "Obfuscated Files or Information",
              "display_name": "T1027 - Obfuscated Files or Information"
            },
            {
              "id": "T1036",
              "name": "Masquerading",
              "display_name": "T1036 - Masquerading"
            },
            {
              "id": "T1036.003",
              "name": "Rename System Utilities",
              "display_name": "T1036.003 - Rename System Utilities"
            },
            {
              "id": "T1059.001",
              "name": "PowerShell",
              "display_name": "T1059.001 - PowerShell"
            },
            {
              "id": "T1071.001",
              "name": "Web Protocols",
              "display_name": "T1071.001 - Web Protocols"
            },
            {
              "id": "T1082",
              "name": "System Information Discovery",
              "display_name": "T1082 - System Information Discovery"
            },
            {
              "id": "T1105",
              "name": "Ingress Tool Transfer",
              "display_name": "T1105 - Ingress Tool Transfer"
            },
            {
              "id": "T1127.001",
              "name": "MSBuild",
              "display_name": "T1127.001 - MSBuild"
            },
            {
              "id": "T1140",
              "name": "Deobfuscate/Decode Files or Information",
              "display_name": "T1140 - Deobfuscate/Decode Files or Information"
            }
          ],
          "industries": [
            "Diplomatic",
            "Government",
            "Foreign Affairs",
            "Energy",
            "Defense",
            "Hospitality",
            "Technology",
            "Diplomacy"
          ],
          "TLP": "green",
          "cloned_from": null,
          "export_count": 2,
          "upvotes_count": 0,
          "downvotes_count": 0,
          "votes_count": 0,
          "locked": false,
          "pulse_source": "web",
          "validator_count": 0,
          "comment_count": 0,
          "follower_count": 0,
          "vote": 0,
          "author": {
            "username": "PetrP.73",
            "id": "154605",
            "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
            "is_subscribed": false,
            "is_following": false
          },
          "indicator_type_counts": {
            "FileHash-MD5": 21,
            "FileHash-SHA1": 21,
            "FileHash-SHA256": 73,
            "URL": 10,
            "domain": 78,
            "hostname": 7
          },
          "indicator_count": 210,
          "is_author": false,
          "is_subscribing": null,
          "subscriber_count": 170,
          "modified_text": "12 days ago ",
          "is_modified": false,
          "groups": [],
          "in_group": false,
          "threat_hunter_scannable": true,
          "threat_hunter_has_agents": 1,
          "related_indicator_type": "domain",
          "related_indicator_is_active": 1
        }
      ],
      "references": [
        "Book1.csv",
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "related": {
        "alienvault": {
          "adversary": [
            "MUSTANG PANDA"
          ],
          "malware_families": [
            "Korplug",
            "Pubload",
            "Plugx - s0013",
            "Destroyrat",
            "Tvt",
            "Kaba",
            "Toneshell",
            "Sogu",
            "Thoper"
          ],
          "industries": [
            "Government"
          ]
        },
        "other": {
          "adversary": [
            "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
            "TA416"
          ],
          "malware_families": [
            "Ta416"
          ],
          "industries": [
            "Technology",
            "Energy",
            "Diplomatic",
            "Government",
            "Hospitality",
            "Defense",
            "Diplomacy",
            "Foreign affairs"
          ]
        }
      }
    },
    "false_positive": []
  },
  "geo": {},
  "geo_ipapicom": {},
  "pulse_count": 6,
  "pulses": [
    {
      "id": "69d4e667e8ab2d6d4082fc5b",
      "name": "TA416 resumes European government espionage campaigns",
      "description": "Since mid-2025, China-aligned threat actor TA416 has resumed targeting European government and diplomatic organizations after a two-year operational shift to Southeast Asia. The campaigns primarily focused on diplomatic missions to the EU and NATO, using web bug reconnaissance and malware delivery through compromised accounts and attacker-controlled infrastructure. In March 2026, TA416 expanded operations to Middle Eastern diplomatic entities following the Iran conflict outbreak. Throughout this period, the actor continuously evolved infection chains, utilizing fake Cloudflare Turnstile pages, OAuth redirect abuse, and C# project files to deliver a customized PlugX backdoor via DLL sideloading. The group employed both broad reconnaissance campaigns and targeted malware delivery, demonstrating sophisticated tradecraft including use of re-registered legitimate domains and cloud infrastructure for command and control operations.",
      "modified": "2026-04-07T11:15:15.800000",
      "created": "2026-04-07T11:11:35.434000",
      "tags": [
        "toneshell",
        "cloudflare turnstile",
        "korplug",
        "plugx",
        "TA416"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "public": 1,
      "adversary": "MUSTANG PANDA",
      "targeted_countries": [
        "Belgium",
        "Iceland",
        "Syrian Arab Republic",
        "Kuwait",
        "Iran, Islamic Republic of",
        "Kosovo",
        "Bangladesh"
      ],
      "malware_families": [
        {
          "id": "PlugX - S0013",
          "display_name": "PlugX - S0013",
          "target": null
        },
        {
          "id": "Thoper",
          "display_name": "Thoper",
          "target": null
        },
        {
          "id": "TVT",
          "display_name": "TVT",
          "target": null
        },
        {
          "id": "DestroyRAT",
          "display_name": "DestroyRAT",
          "target": null
        },
        {
          "id": "Sogu",
          "display_name": "Sogu",
          "target": null
        },
        {
          "id": "Kaba",
          "display_name": "Kaba",
          "target": null
        },
        {
          "id": "Korplug",
          "display_name": "Korplug",
          "target": null
        },
        {
          "id": "TONESHELL",
          "display_name": "TONESHELL",
          "target": null
        },
        {
          "id": "PUBLOAD",
          "display_name": "PUBLOAD",
          "target": null
        }
      ],
      "attack_ids": [],
      "industries": [
        "Government"
      ],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 19,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "api",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "AlienVault",
        "id": "2",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png",
        "is_subscribed": true,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 44,
        "FileHash-SHA1": 44,
        "FileHash-SHA256": 73,
        "URL": 10,
        "domain": 78,
        "hostname": 7
      },
      "indicator_count": 256,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 376729,
      "modified_text": "7 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d73f806377e1786da61411",
      "name": "EbeeApril2026 Pt1",
      "description": "Multiple APT/threat actors, Malware and Campaigns",
      "modified": "2026-04-09T05:56:16.764000",
      "created": "2026-04-09T05:56:16.764000",
      "tags": [
        "filehashsha256",
        "filehashmd5",
        "filehashsha1"
      ],
      "references": [
        "Book1.csv"
      ],
      "public": 1,
      "adversary": "The Gentlemen, Augmented Marauder, Yurei Ransomware, Xloader, ClickFix campaign delivering XWorm V5.",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 0,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "IMEBEEIMFINE",
        "id": "343873",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "IPv4": 96,
        "URL": 77,
        "FileHash-MD5": 180,
        "FileHash-SHA1": 136,
        "FileHash-SHA256": 280,
        "CVE": 2,
        "domain": 162,
        "hostname": 56
      },
      "indicator_count": 989,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 38,
      "modified_text": "5 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69d161211b583b5382704681",
      "name": "I\u2019d come running back to EU again: TA416 resumes European government espionage campaigns | Proofpoint US",
      "description": "",
      "modified": "2026-04-04T19:06:09.696000",
      "created": "2026-04-04T19:06:09.696000",
      "tags": [
        "domain c",
        "ta416",
        "proofpoint",
        "strong",
        "sha256",
        "dec25",
        "march",
        "unksteadysplit",
        "url fake",
        "oauth",
        "plugx",
        "february",
        "protect",
        "turn",
        "alliance",
        "fortune",
        "guardian",
        "april",
        "reddelta",
        "ukraine",
        "sharepoint",
        "august",
        "service",
        "toneshell",
        "vertigo",
        "panda",
        "first"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "mengkuong",
        "id": "239193",
        "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_239193/resized/80/avatar_3b9c358f36.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 44,
        "FileHash-SHA1": 44,
        "FileHash-SHA256": 73,
        "URL": 10,
        "domain": 78,
        "hostname": 7
      },
      "indicator_count": 256,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 49,
      "modified_text": "10 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cf72c21418b38c1323127e",
      "name": "aFDSAFSGDF",
      "description": "Hundreds of companies and organisations have been involved in a series of business-related events over the past six months, and the number of them has more than doubled to 5,000 (1.4 million names).",
      "modified": "2026-04-03T07:56:50.797000",
      "created": "2026-04-03T07:56:50.797000",
      "tags": [],
      "references": [],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "harshandc123",
        "id": "378589",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 30,
        "FileHash-SHA1": 30,
        "FileHash-SHA256": 30,
        "URL": 4,
        "domain": 65,
        "hostname": 4
      },
      "indicator_count": 163,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 16,
      "modified_text": "11 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69cf2894db2607356b9bd293",
      "name": "IOC - I\u2019d come running back to EU again: TA416 resumes European government espionage campaigns",
      "description": "In 2022, Proofpoint reported on high-volume TA416 activity targeting European governments, which increased sharply as Russian troops began amassing on the border of Ukraine. This high operational tempo of TA416 campaigns against European government targets continued until mid-2023, when the group shifted targeting away from Europe. From mid-2023 until mid-2025, Proofpoint observed minimal TA416 targeting within Europe, with the group mostly active across Southeast Asia, Taiwan, and Mongolia during this period.",
      "modified": "2026-04-03T02:40:20.859000",
      "created": "2026-04-03T02:40:20.859000",
      "tags": [
        "domain c",
        "sha256",
        "dec25",
        "url fake",
        "feb26",
        "domain delivery",
        "url microsoft",
        "entra id",
        "oauth",
        "guid microsoft"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "public": 1,
      "adversary": "",
      "targeted_countries": [],
      "malware_families": [],
      "attack_ids": [],
      "industries": [],
      "TLP": "white",
      "cloned_from": null,
      "export_count": 1,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "celestre",
        "id": "295357",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 17,
        "FileHash-SHA1": 17,
        "FileHash-SHA256": 67,
        "URL": 6,
        "domain": 78,
        "hostname": 7
      },
      "indicator_count": 192,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 120,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    },
    {
      "id": "69ce8f1977e05c6e9113c123",
      "name": "TA416 resumes European government espionage campaigns",
      "description": "The threat actor known as TA416, which is aligned with Chinese interests, resumed targeting European government and diplomatic organizations from mid-2025 after a notable hiatus from such activities. The group carried out extensive web bug and malware delivery campaigns specifically aimed at EU and NATO diplomatic missions across various European nations. In March 2026, TA416 expanded its targeting to include diplomatic and government entities in the Middle East, coinciding with heightened geopolitical tensions due to escalating conflict in Iran.",
      "modified": "2026-04-02T15:45:29.707000",
      "created": "2026-04-02T15:45:29.707000",
      "tags": [
        "domain c",
        "ta416",
        "proofpoint",
        "strong",
        "sha256",
        "dec25",
        "march",
        "unksteadysplit",
        "url fake",
        "oauth",
        "plugx",
        "february",
        "protect",
        "turn",
        "alliance",
        "fortune",
        "guardian",
        "april",
        "reddelta",
        "ukraine",
        "sharepoint",
        "august",
        "service",
        "toneshell",
        "vertigo",
        "panda",
        "first",
        "newer plugx",
        "pubload"
      ],
      "references": [
        "https://www.proofpoint.com/us/blog/threat-insight/id-come-running-back-eu-again-ta416-resumes-european-government-espionage"
      ],
      "public": 1,
      "adversary": "TA416",
      "targeted_countries": [
        "Iran, Islamic Republic of",
        "Taiwan",
        "Mongolia",
        "Greenland",
        "Ukraine",
        "Myanmar",
        "Thailand"
      ],
      "malware_families": [
        {
          "id": "TA416",
          "display_name": "TA416",
          "target": null
        }
      ],
      "attack_ids": [
        {
          "id": "T1027",
          "name": "Obfuscated Files or Information",
          "display_name": "T1027 - Obfuscated Files or Information"
        },
        {
          "id": "T1036",
          "name": "Masquerading",
          "display_name": "T1036 - Masquerading"
        },
        {
          "id": "T1036.003",
          "name": "Rename System Utilities",
          "display_name": "T1036.003 - Rename System Utilities"
        },
        {
          "id": "T1059.001",
          "name": "PowerShell",
          "display_name": "T1059.001 - PowerShell"
        },
        {
          "id": "T1071.001",
          "name": "Web Protocols",
          "display_name": "T1071.001 - Web Protocols"
        },
        {
          "id": "T1082",
          "name": "System Information Discovery",
          "display_name": "T1082 - System Information Discovery"
        },
        {
          "id": "T1105",
          "name": "Ingress Tool Transfer",
          "display_name": "T1105 - Ingress Tool Transfer"
        },
        {
          "id": "T1127.001",
          "name": "MSBuild",
          "display_name": "T1127.001 - MSBuild"
        },
        {
          "id": "T1140",
          "name": "Deobfuscate/Decode Files or Information",
          "display_name": "T1140 - Deobfuscate/Decode Files or Information"
        }
      ],
      "industries": [
        "Diplomatic",
        "Government",
        "Foreign Affairs",
        "Energy",
        "Defense",
        "Hospitality",
        "Technology",
        "Diplomacy"
      ],
      "TLP": "green",
      "cloned_from": null,
      "export_count": 2,
      "upvotes_count": 0,
      "downvotes_count": 0,
      "votes_count": 0,
      "locked": false,
      "pulse_source": "web",
      "validator_count": 0,
      "comment_count": 0,
      "follower_count": 0,
      "vote": 0,
      "author": {
        "username": "PetrP.73",
        "id": "154605",
        "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png",
        "is_subscribed": false,
        "is_following": false
      },
      "indicator_type_counts": {
        "FileHash-MD5": 21,
        "FileHash-SHA1": 21,
        "FileHash-SHA256": 73,
        "URL": 10,
        "domain": 78,
        "hostname": 7
      },
      "indicator_count": 210,
      "is_author": false,
      "is_subscribing": null,
      "subscriber_count": 170,
      "modified_text": "12 days ago ",
      "is_modified": false,
      "groups": [],
      "in_group": false,
      "threat_hunter_scannable": true,
      "threat_hunter_has_agents": 1,
      "related_indicator_type": "domain",
      "related_indicator_is_active": 1
    }
  ],
  "error": null,
  "vt": {
    "error": "VirusTotal rate limit reached. Try again shortly.",
    "indicator": "hnk-capljina.com",
    "type": "Domain"
  },
  "abuseipdb": null,
  "urlhaus": {
    "indicator": "hnk-capljina.com",
    "found": false,
    "verdict": "clean",
    "urls": [],
    "error": null
  },
  "from_cache": true,
  "_cached_at": 1776228398.9226797
}