Podcast Host/Announcer
You're listening to the Cyberwire Network, powered by N2K.
Dave Bittner
And now a word from our sponsor, the Center for Health and Homeland Security, also known as CHHS. Looking for a graduate degree that will give you an edge in your professional career? Earn a Master of Science in Law at the University of Maryland Carey School of Law. This part-time, two-year online graduate degree program is designed for experienced professionals to understand the laws and policies that impact your industry. Learn from CHHS faculty who are experts in their field. No GRE required. Learn how you can master the law without a JD at law.umaryland.edu. Hello everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us.
Mark Kelly
Is a China-aligned espionage threat actor that Proofpoint has been kind of regularly keeping track of for quite a while. The kind of impetus for this research is we did see some pretty interesting activity from the threat actor since around July of last year, where we saw a significant shift in their targeting, and we've continued to see some interesting evolutions in their tactics over this period as well.
Dave Bittner
That's Mark Kelly, Threat Researcher at Proofpoint. The research we're discussing today is titled "I'd Come Running Back to EU Again: TA416 Resumes European Government Espionage Campaigns." Well, the research says that this group largely stepped back from Europe for a while, but then, as you say, that changed in mid-2025. What signaled that they were coming back?
Mark Kelly
That's right. So if we kind of cast our mind back a little bit further, this group used to be very active within Europe, particularly within the kind of 2021-2023 timeframe. And this coincided with the original invasion of Ukraine by Russia. And we assessed at the time that this was kind of an effort to gather intelligence regarding diplomatic networks within Europe in relation to the war. However, as you said, since around mid-2023, for about two years we saw very little of this threat actor within the region. But then in mid-2025 we saw them kind of come back quite consistently through the region. And this kind of coincided with, well, it kind of first started immediately after the China-EU summit in July 2025, where we saw multiple campaigns from this group. And that's kind of continued since then.
Dave Bittner
Well, when you say they've resumed targeting European diplomatic organizations, what does that actually look like in practice? What does it seem as though they're after here?
Mark Kelly
I think this group is kind of what we would call a more traditional espionage threat actor. So they're looking at kind of foreign policy, they're looking at targeting embassies, Ministries of Foreign Affairs and so on. So really looking to kind of understand diplomatic networks and what's going on within other countries, particularly when it's of interest to the Chinese government.
Dave Bittner
I see. Well, can you walk us through the campaign kind of step by step? How does someone find themselves in the sights of this group?
Mark Kelly
Yes, so we've kind of seen two primary types of campaigns from the threat actor. The first is a more kind of fact-finding or reconnaissance type campaign where we see the group delivering what are known as tracking pixels. And these are essentially tiny, tiny images that are embedded within an email. And then when the target opens them, it will kind of send a signal to the threat actor that, oh, the email has been opened. This user is kind of engaging with the material I'm sending them, and that can signal to them that they can essentially use that as a piece of information to target that individual again with malware. So kind of more stepping up the game a little bit and actually trying to gain access to that individual or that organization. So we saw multiple waves of these tracking pixel emails from this threat actor. And then in addition to this, we've also seen quite a lot of malware delivery from the group. So actually trying to gain remote access into these particular individuals and these particular organizations via multiple different kind of methods and different initial infection vectors.
Dave Bittner
One of the things you highlighted was that you saw phishing coming from compromised diplomatic mailboxes. And I suppose that tactic is especially effective against government targets.
Mark Kelly
That's right. And that's kind of something that is pretty consistent with the threat actor. They use government and diplomatic accounts that they have kind of previously compromised to stage and conduct new campaigns. So from a target perspective, you're obviously going to be a lot more trusting of someone you have previously engaged with or someone who is a kind of trusted government account who is sending you an email, versus like a random kind of Gmail account that you've never heard of before. So it makes it a lot more kind of authentic and believable from a target's perspective.
Dave Bittner
To what degree does this appear to be highly targeted or is it more broad reconnaissance?
Mark Kelly
It's highly targeted in that it's specifically going after specific kind of countries. It's specifically going after Ministries of Foreign Affairs from an espionage perspective. So from our kind of vantage point, that is a pretty targeted campaign and a pretty targeted threat actor. And that kind of aligns with what we typically see from espionage groups, who obviously have a kind of predetermined or hierarchical kind of tasking in terms of what they're supposed to be gathering intelligence on. And that is typically reflected in that group's targeting. So they do tend to be kind of fairly selective in who they target.
Dave Bittner
The research highlights that you've seen them shifting towards some Middle Eastern targets after this current outbreak and conflict in Iran. What does this tell us about organizations like this and their ability to pivot and respond to geopolitical events?
Mark Kelly
That's right, yes. So kind of about a week or so following the commencement of the conflict, we did see multiple campaigns from this group from compromised embassies within the Middle East sent to other embassies within that region. And that is not an area we had traditionally or historically seen targeted by the threat actor. So we did assess that that is likely kind of driven by the conflict and by a desire to gather additional intelligence both on the conflict as well as the kind of geopolitical ramifications within that region. And that is something that is kind of historically typical for this threat actor. So I already mentioned them pivoting to Europe following the Russia-Ukraine war and then kind of pivoting back to Europe following those kind of mid-2025 talks. So this is definitely a group that seems to be tasked to look at, or kind of shift, or at least expand their targeting when certain geopolitical events occur that are important to the Chinese government.
Dave Bittner
Hmm. One of the themes in the research is the evolving technical tradecraft here that TA416, they keep changing their infection chain. Can you dig into that for us?
Mark Kelly
That's right, yes. So it's quite interesting because we see some things change quite significantly and quite frequently from this group, and then other things tend to stay static or tend to stay kind of relatively similar over long periods of time. And some of the things that we've seen changing have in particular been the early parts of the infection chain. So what is within the phishing email and what kind of comes immediately after the phishing email tends to change pretty frequently. And over the last kind of seven or eight months, we've seen three primary initial infection vectors from the group. The first was where they were using fake CAPTCHA pages, so they were pretending to be like a normal Cloudflare "verify you're a human" type website, but actually when you kind of verify yourself, it downloads some malware onto your machine. The second, we've actually seen them abusing Microsoft login redirects. And this is a pretty interesting technique where they are able to kind of include a legitimate Microsoft sign-in URL within the phishing email. So it looks kind of pretty legitimate to a target. But what is actually going on in the background is that they have registered a third-party application, so anyone can kind of go ahead and do that. And they have crafted it in such a way that it causes a redirect via that application to the threat actor's actual own infrastructure, where again you kind of end up downloading malware. And those have been the two kind of primary infection vectors we've seen from the group. And there's been kind of one that we saw once or twice back in February, but it seems to have kind of been phased out again.
Dave Bittner
Despite all these changes, you point out that the campaigns still lead back to PlugX. Can you, first of all, describe what that is for folks who may not be familiar, and why do we think this is so persistent in their toolkit?
Mark Kelly
That's right, yes. So despite all of these changes, we tend to see these ultimately delivering a custom backdoor known as PlugX. So this is a malware family that's been around for a long, long time now. It's Chinese in origin, it's been used by a lot of different China-aligned threat actors over the kind of past decade or so, really. But the interesting thing about TA416 is that they have kind of adopted it, but customized it to such an extent that it's kind of pretty much unrecognizable from the standard PlugX of years ago. So they do continually kind of tweak it and adapt it and so on. And in terms of what it allows them to do, it's essentially a remote access Trojan. So they can use it to remotely control the computer, steal information, open a command shell, and download files and exfiltrate files and so on. So pretty standard kind of commands within the actual payload.
Dave Bittner
We'll be right back.
Dave Bittner
Well, this being 2026 and us being where we are these days, you note possible signs of large language model assistance in some of the components here. What in particular stood out?
Mark Kelly
That's right. So this was particularly kind of evident within the third infection vector that I kind of briefly mentioned earlier. That we saw for a short period of time they were using a particular kind of fairly unusual file format called C Project files, and these are basically used by software developers to help them compile code. But TA416 was essentially abusing this to download PlugX. But within those C project files, they appear to be kind of pretty clearly LLM generated. So we saw the inclusion of comments that no normal malware developer would include that was kind of describing what it was doing. And there was also kind of variations between different samples, different scripts that we saw that was saying like one would say, oh, this is the URL with the new endpoint, this is the URL revised again. And that kind of thing so clearly kind of being iteratively changed, likely via kind of a large language model.
Dave Bittner
Yeah, that's interesting. Now, let's talk about this Mustang Panda question. I think there's quite often confusion around the Mustang Panda label when it comes to attribution. Where does TA416 fit within that ecosystem of related groups?
Mark Kelly
That's right, yes. So the joys of aliases within threat intelligence, I'm sure, are not lost on your listeners. And it can be kind of confusing sometimes. But from a vendor perspective, and from someone who actually tracks and kind of uses our own telemetry to track these groups, we all have different visibility in terms of what they look like and kind of how we cluster them together. And from our perspective, what is often referred to as Mustang Panda publicly for us is two distinct groups. Well, predominantly two distinct groups. So TA416 is one of those groups. So we mostly see them again targeting European, Southeast Asian diplomats, government, using PlugX and so on. And then there is another cluster that we assess is likely distinct, just based on using very different techniques, different targeting, different malware. And we do track them separately. I would kind of note that some other organizations track it as a single group, and there is some indication that there may be some sort of organizational link between the two. But from our perspective, from a behavioral standpoint, they kind of look completely different, and there's no way for us to reconcile that as being the same threat actor from our vantage point. So that's why we kind of cluster them separately.
Dave Bittner
I see looking at the bigger picture here, some of the implications of an operation like this. TA416's focus on the EU and NATO linked diplomacy, their renewed focus on them. What does this suggest about where Beijing stands right now in terms of their intelligence priorities?
Mark Kelly
Yes, I think it's kind of indicative of a renewed focus on government organizations within Europe. It did seem to kind of coincide with this EU-China summit that happened back in July, as I mentioned. And we didn't really see a whole lot of them before that. And then since then we've seen quite a lot of them. So that seems to be the kind of correlation. But again, it's hard to like pinpoint exactly what has led to this shift back to Europe. The Middle East one was kind of a lot more obvious and straight cut, I think, given we'd never seen them there before and then we were suddenly seeing them there right after the conflict began. So I think we can be a lot more confident in terms of our assessment in terms of the rationale for the group's shift in targeting then. But Europe is a little bit more, we kind of had to put our thinking hats on a little bit more for that one, I think.
Dave Bittner
Do you suppose that organizations should interpret this activity as more opportunistic surveillance, or do we suspect this is something more strategic and possibly sustained?
Mark Kelly
I would expect this to be sustained. I mean, this is a threat actor that's been around for a long time now. They do shift targeting as I mentioned, over time, but there has been some consistency. So I haven't really mentioned the group's activity in Asia, but they are basically kind of consistently active within Southeast Asia over probably a decade at this point. So very long periods of time. So it's not a group that's going to go away anytime soon. They do not target people opportunistically, so it is typically kind of purposeful and they are doing it for a reason, likely based on some kind of tasking they are having from whoever they work for within the Chinese government. So there is definitely kind of methodical rationale for why they do what they do.
Dave Bittner
I see. Well, let's talk about some of the practical takeaways here for the defenders in our audience, what are your recommendations? What can they do to protect themselves against a threat like this?
Mark Kelly
Yes. So I think kind of starting from the email level and going on to the kind of more malware components from the email level, it's kind of your standard recommendations around educating users on the risks of executing kind of code and clicking links that are potentially suspicious. Obviously in this case, if they're using kind of compromised senders and linking to Microsoft infrastructure, it's probably unfair to expect a general user to be able to recognize that as phishing against them. But from kind of more technical controls, even though they do change these earlier standpoints, if kind of defenders can focus more on what comes later. So the actual malware has been pretty standard. They tend to use Microsoft shortcut files, which are pretty kind of common at the moment from a lot of different threat actors, but are detectable and are something that you can kind of build detections for. Similarly looking at the actual malware being loaded. So they tend to use specific techniques, particularly things like DLL side loading, which is a way that they can load their malware and then looking at again the kind of network perspective. So once the malware is loaded on the computer, it's going to try and reach out to command and control infrastructure. So proactively trying to track that infrastructure or engaging with organizations that are able to do that and ensuring that if you do see networks or computers within your network trying to contact that command and control infrastructure, that you're alerted and you can kind of remediate it. So lots of different kind of steps there that defenders can take, I think based on the different aspects of the infection chain.
Dave Bittner
All right, well, Mark, I think I have everything I need for our story here. Is there anything I missed? Anything I haven't asked you that you think it's important to share?
Mark Kelly
One of the things that is interesting is their infrastructure choices and the way they buy expired legitimate domains. So oftentimes they will use a formerly legitimate company that has gone out of business or for some reason let their domain expire. They will then buy that and use that for command and control for their malware families or for hosting tracking pixels within emails. And this is an interesting kind of choice because these tend to have higher reputation than if they were to just purchase a kind of new domain that's never been around before. And it also makes it a little bit harder to kind of detect their activity. They also hide these domains behind the Cloudflare content distribution network, again to kind of obscure where their servers are. And that is something that's really developed over the last few years, and they've clearly kind of put a little bit of effort into trying to make their infrastructure harder to track. And the other interesting thing there is they usually put fake websites on those C2 domains as well. So if you were to visit them, it would just look like a kind of generic website, but in actual fact it's a kind of domain that they own and that they use for C2. So that was one more kind of interesting thing that I've seen from this group.
Dave Bittner
How do you rate their sophistication?
Mark Kelly
I would say they're not necessarily the top end of sophistication, but they are very persistent and creative, and they're also willing to kind of consistently change and adapt their approach, even if the kind of core objective and TTPs do remain consistent over time. So it's definitely a group to keep an eye on and be wary of, particularly if you're within that kind of target set of theirs. So particularly embassies, diplomatic organizations and so on should definitely be very aware of this group.
Dave Bittner
Our thanks to Mark Kelly from Proofpoint for joining us. The research is titled "I'd Come Running Back to EU Again: TA416 Resumes European Government Espionage Campaigns." We'll have a link in the show notes. And that is Research Saturday, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Tré Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time.
Date: May 9, 2026
Host: Dave Bittner, N2K Networks
Guest: Mark Kelly, Threat Researcher, Proofpoint
Topic: TA416 (Mustang Panda) Resumes European Government Espionage Campaigns
This episode explores the resurgence of TA416, a China-aligned espionage group that overlaps with what others publicly call “Mustang Panda,” with a focus on its latest campaigns targeting European government and diplomatic organizations. Mark Kelly from Proofpoint unpacks TA416’s evolving tactics, shifting geographic focus, phishing lures sent from compromised diplomatic mailboxes and the customized PlugX payload behind them, the group’s technical creativity, and what these developments reveal about China’s broader intelligence priorities.
Background:
TA416 was highly active in Europe between 2021-2023, coinciding with Russia’s Ukraine invasion, seemingly to gather intelligence on European diplomatic networks.
(02:22–02:40) Mark Kelly:
“They used to be very active within Europe, particularly within the kind of 2021-2023 timeframe...an effort to gather intelligence regarding diplomatic networks...in relation to the war.”
Hiatus and Return:
The group largely disappeared from European targeting for about two years, returning in mid-2025 post-China–EU summit with renewed campaigns.
(02:40–03:01) Mark Kelly:
“Since around mid 2023, for about two years we saw very little of this threat actor within the region. But then in mid-2025 we saw them kind of come back quite consistently through the region...immediately after the China EU summit in July 2025.”
Who & What:
Focus is on embassies, Ministries of Foreign Affairs, and government agencies—typical of a traditional espionage threat actor.
(03:30–03:45) Mark Kelly:
“They’re looking at kind of foreign policy, targeting embassies, Ministry of Foreign affairs...to understand diplomatic networks and what's going on within other countries.”
Attack Stages:
“The first is a more kind of fact finding or reconnaissance type campaign...delivering tracking pixels...Then...actually trying to gain remote access...via multiple different kind of methods.”
Use of Compromised Diplomatic Accounts:
Phishing emails often originate from previously compromised government/diplomatic mailboxes, increasing trust and authenticity.
(05:22–05:41) Mark Kelly:
“They use government and diplomatic accounts that they have previously compromised...a lot more trusting...versus a random Gmail account.”
Highly Targeted Campaigns:
TA416’s attacks are selective, aligning with strategic intelligence collection goals, not opportunistic broad targeting.
(06:04–06:38) Mark Kelly:
“Specifically going after specific countries...Ministry of Foreign affairs...They do tend to be kind of fairly selective in who they target.”
Rapid Target Shifts:
TA416 pivots to regions experiencing new conflict, recently expanding to the Middle East within about a week of the conflict involving Iran beginning, demonstrating agility and responsiveness to Chinese intelligence tasking.
(07:00–07:52) Mark Kelly:
“About a week or so following the commencement of the conflict, we did see multiple campaigns from this group from compromised embassies within the Middle east...We did assess that that is likely driven by the conflict and...geopolitical ramifications.”
Historical Precedents:
Similar pattern seen post-Russia–Ukraine war, with operational focus shifting to areas aligned with China’s geopolitical interests.
Evolving Infection Chains:
TA416 frequently changes the initial stage of its attack sequence. Notable techniques include fake CAPTCHA pages and abuse of Microsoft login redirects through an attacker-registered third-party application, with a short-lived third vector seen briefly in February.
Mark Kelly:
“Seen three primary initial infection vectors...using fake captcha pages...abusing Microsoft login redirects...causes a redirect from...that application to the threat actor's actual own infrastructure.”
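An added example, not Proofpoint's tooling and not from the report, that triages an inbound HTML message for the two email-stage lures summarized in the Attack Stages and Evolving Infection Chains items: the reconnaissance tracking pixel, and a genuine Microsoft sign-in URL whose redirect_uri points at the callback of an attacker-registered third-party app. The login hosts, the trusted-redirect allowlist, the `.test` hostnames and the sample message are all constructed. An unknown redirect_uri is a triage signal rather than proof, since legitimate SaaS integrations also register non-Microsoft callbacks.

```python
# Added example, not code from Proofpoint or the report: triage an inbound
# HTML email for the two lure types above. Login hosts, the redirect allowlist
# and the sample message are constructed for illustration.
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Hosts where a genuine Microsoft OAuth/OIDC authorize request begins.
MS_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}
# Hypothetical allowlist: callback hosts this tenant's approved apps use.
TRUSTED_REDIRECT_HOSTS = {"outlook.office.com", "teams.microsoft.com"}


def _px(value):
    """Parse '1', '1px' or ' 1 ' to an int; None when it is not a pixel size."""
    try:
        return int(str(value).strip().lower().removesuffix("px"))
    except ValueError:
        return None


class _Collector(HTMLParser):
    """Gather <img> attribute dicts and <a href> values from a message body."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a)
        elif tag == "a" and a.get("href"):
            self.links.append(a["href"])


def is_tracking_pixel(img):
    """Remote image that is hidden or at most 2px on a side; logos are larger."""
    if urlparse(img.get("src", "")).scheme not in ("http", "https"):
        return False  # cid:/data: images cannot beacon back to the sender
    w, h = _px(img.get("width")), _px(img.get("height"))
    style = (img.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or (w is not None and w <= 2) or (h is not None and h <= 2)


def classify_ms_redirect(url):
    """'n/a' for non-Microsoft links, 'ok' for a plain sign-in or an allowlisted
    callback, 'suspicious' when redirect_uri points at an unknown host."""
    p = urlparse(url)
    if (p.hostname or "") not in MS_LOGIN_HOSTS:
        return "n/a", None
    redirect = parse_qs(p.query).get("redirect_uri", [None])[0]
    if not redirect:
        return "ok", None  # sign-in without a third-party bounce
    host = urlparse(redirect).hostname or ""
    return ("ok" if host in TRUSTED_REDIRECT_HOSTS else "suspicious"), host


def triage(html):
    """Return tracking-pixel sources and (link, callback host) pairs to review."""
    c = _Collector()
    c.feed(html)
    pixels = [i["src"] for i in c.images if is_tracking_pixel(i)]
    redirects = []
    for link in c.links:
        verdict, host = classify_ms_redirect(link)
        if verdict == "suspicious":
            redirects.append((link, host))
    return {"pixels": pixels, "redirects": redirects}


# Constructed sample message; every host is fictitious.
SAMPLE = """<html><body>
<img src="https://cdn.example-ministry.test/logo.png" width="120" height="40">
<p>Please find the summit agenda attached.</p>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=0000-1111&amp;response_type=code&amp;scope=openid&amp;redirect_uri=https%3A%2F%2Fagenda-review.example.test%2Fcb">Open the document</a>
<a href="https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=2222-3333&amp;response_type=code&amp;redirect_uri=https%3A%2F%2Foutlook.office.com%2Fowa%2F">Open in Outlook</a>
<img src="https://track.example-lure.test/p.gif" width="1" height="1" style="display:none">
</body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the sample, `triage` reports the 1x1 hidden image as a pixel and flags only the first sign-in link, because its callback leaves the allowlist while the second bounces to an allowlisted Outlook host. In production the allowlist would come from the tenant's app registrations, and the pixel check is best paired with a sender-reputation lookup on the image host.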
Consistent Use of PlugX Malware:
Despite changes in delivery, attacks ultimately deploy a customized version of the PlugX remote access Trojan—a longstanding, Chinese-origin malware family.
(10:14–11:08) Mark Kelly:
“We tend to see these ultimately delivering a custom backdoor known as Plug X...They have kind of adopted it, but customized it to such an extent that it’s pretty much unrecognizable from the standard Plug X...essentially a remote access Trojan.”
LLM-Assisted Tooling:
The short-lived third vector abused C project files to download PlugX; the explanatory comments and iteratively revised URLs in those files suggest large language model generation.
Mark Kelly:
“Within those C project files, they appeared to be kind of pretty clearly LLM generated...the inclusion of comments that no normal malware developer would include...clearly kind of being iteratively changed, likely via a large language model.”
Mustang Panda Attribution:
Proofpoint treats what is publicly called Mustang Panda as predominantly two behaviorally distinct clusters, of which TA416 is one.
Mark Kelly:
“What is often referred to as Mustang Panda publicly for us is two distinct groups...some organizations track it as a single group...from a behavioral standpoint, they look completely different.”
Renewed EU & NATO focus:
TA416’s campaigns correlate with diplomatic milestones, signaling increased Chinese interest in European/NATO affairs post-summer 2025.
(15:47–16:41) Mark Kelly:
“It's kind of indicative of a renewed focus on government organizations within Europe…seems to coincide with this EU China summit that happened in July.”
Sustained Strategic Espionage, Not Opportunism:
TA416 operates with long-term, methodical targeting, adapting regionally over time but is unlikely to be fleeting or opportunistic.
(16:54–17:23) Mark Kelly:
“I would expect this to be sustained...not a group that's going to go away anytime soon...they are doing it for a reason, likely based on some kind of tasking.”
Defender Recommendations:
User education on links and executable content still applies, but compromised senders and legitimate Microsoft URLs limit what users can be expected to catch, so technical controls later in the chain matter more.
Mark Kelly:
“Standard recommendations around educating users on the risks of executing code and clicking links...if they're using kind of compromised senders...probably unfair to expect a general user to recognize that.”
Malware/Filename Pattern Detection:
The early lure changes often, but the later stages are steadier: Windows shortcut (LNK) files and DLL side-loading to bring up the PlugX payload, both of which are detectable and worth building detections for.
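An added example, not Proofpoint's detection content, of the side-loading check described in this item, run over image-load events shaped like Sysmon Event ID 7 (fields `Image`, `ImageLoaded`, `Signed`). The trusted roots, the system-DLL subset, the `diplomat` user path and the three sample events are constructed. A load scores higher when an unsigned DLL sits beside its host executable, when a DLL that belongs in System32 loads from elsewhere, and when the host runs from a user-writable path; no TA416-specific file names are implied.

```python
# Added example, not Proofpoint's detection content: score DLL side-loading
# candidates from image-load events shaped like Sysmon Event ID 7. Roots, the
# system-DLL subset and the sample events are constructed for illustration.
from pathlib import PureWindowsPath

# Where a legitimately installed binary is expected to live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Illustrative subset of DLLs that should only load from System32/SysWOW64.
SYSTEM_DLLS = {"version.dll", "wininet.dll", "userenv.dll", "dwmapi.dll", "cryptbase.dll"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")


def side_load_reasons(ev):
    """Return the indicators that make one event look like side-loading."""
    exe = PureWindowsPath(ev["Image"].lower())
    dll = PureWindowsPath(ev["ImageLoaded"].lower())
    if dll.suffix != ".dll" or dll.parent != exe.parent:
        return []  # side-loading means the DLL sits beside the host executable
    reasons = []
    if ev.get("Signed", "false").lower() != "true":
        reasons.append("unsigned DLL beside its host executable")
    if dll.name in SYSTEM_DLLS and not str(dll.parent).startswith(SYSTEM_DIRS):
        reasons.append(f"{dll.name} loaded from outside System32")
    if not str(exe.parent).startswith(TRUSTED_ROOTS):
        reasons.append("host executable running from a user-writable path")
    return reasons


def find_side_loads(events, min_reasons=2):
    """Events with at least min_reasons indicators, as (ImageLoaded, reasons)."""
    hits = []
    for ev in events:
        reasons = side_load_reasons(ev)
        if len(reasons) >= min_reasons:
            hits.append((ev["ImageLoaded"], reasons))
    return hits


# Constructed sample events: two benign loads and one classic side-load.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\ExampleApp\app.exe",
     "ImageLoaded": r"C:\Program Files\ExampleApp\plugin.dll", "Signed": "true"},
    {"Image": r"C:\Users\diplomat\AppData\Local\Temp\Agenda\viewer.exe",
     "ImageLoaded": r"C:\Users\diplomat\AppData\Local\Temp\Agenda\version.dll",
     "Signed": "false"},
]

if __name__ == "__main__":
    for loaded, reasons in find_side_loads(SAMPLE_EVENTS):
        print(loaded, "->", "; ".join(reasons))
```

Any single indicator is noisy on its own (portable applications in user profiles trip the path check), so the default threshold requires two; tune `TRUSTED_ROOTS` and `SYSTEM_DLLS` to the environment, and enrich hits with the host executable's signer and original file name from the corresponding process-creation record before alerting.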
Command-and-Control Infrastructure:
Once loaded, the malware beacons to command-and-control infrastructure; tracking that infrastructure proactively (or using a provider that does) and alerting on outbound contact to it gives defenders a point at which to remediate.
Use of Expired, Once-Legitimate Domains:
TA416 often acquires expired company domains (with clean reputation) for hosting C2 and tracking assets, making detection harder.
(20:03–20:55) Mark Kelly:
“They will use a formerly legitimate company that has gone out of business or...let their domain expire. They will then buy that and use that for command and control or tracking pixels.”
Hide Behind Cloudflare:
C2 domains are fronted by the Cloudflare CDN to obscure the origin servers, and usually carry a generic decoy website so a visitor sees nothing unusual.
(03:30) Mark Kelly:
“This group is…a more traditional espionage threat actor…looking to understand diplomatic networks and what's going on within other countries, particularly when it's of interest to the Chinese government.”
(21:23) Mark Kelly, rating sophistication:
“They're not necessarily the top end of sophistication, but they are very persistent and creative and they're also willing to…change and adapt their approach, even if the core objective…remains consistent.”
TA416 exemplifies a persistent nation-state espionage group: adaptive and creative in its tradecraft and infrastructure rather than top-tier in technical sophistication, as Kelly notes. Its operations are tightly bound to China’s changing intelligence priorities, and defenders, especially those in government and diplomatic circles, should stay alert to its evolving technical approach and infrastructure obfuscation.
For further reading: The full Proofpoint report “I’d Come Running Back to EU Again—TA416 Resumes European Government Espionage Campaigns” is linked in the show notes.