China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing
07.04.2026

TA416 targeted European governments from mid-2025 using PlugX and OAuth abuse, enabling cyber espionage against EU and NATO entities.
TA416, a China-linked threat actor, has been targeting European governments since mid-2025 using PlugX malware and OAuth-based phishing attacks, enabling cyber espionage against EU and NATO entities.

The activity, detailed by Proofpoint, combines two tracks: phishing that abuses OAuth authorization flows to obtain access to targets' cloud services, and PlugX deployments on endpoints for persistent control and data exfiltration.
TA416's operations focus on intelligence collection from government and diplomatic targets, with compromised accounts used to move laterally and harvest sensitive information.
PlugX is a modular remote access trojan (RAT) long associated with China-aligned groups; it lets operators execute commands, upload and download files, and maintain stealthy access over extended periods.
The OAuth technique is consent phishing: the victim is sent to the identity provider's genuine authorization page and asked to approve an attacker-controlled application requesting permissions such as reading mail and files. If the user accepts, the provider issues that application access and refresh tokens, and the attacker can read the account's data through the provider's APIs (Microsoft 365 or Google Workspace) without ever learning the password.
This is why the technique sidesteps multi-factor authentication (MFA) rather than breaking it: the victim has already completed MFA before the consent prompt appears, so the grant is issued to an authenticated session, and the refresh token stays usable until the grant is revoked, regardless of later password resets.
Proofpoint's report underscores the need to monitor OAuth application registrations and user consent grants (unverified publishers, unusual permission scopes, offline_access) and to pair that with endpoint detection capable of identifying PlugX infections early.
The targeting of European governments aligns with broader geopolitical tensions, with cyber espionage serving as a tool for strategic intelligence collection on foreign policy and security matters.
Security teams are advised to audit existing OAuth app grants and revoke any unrecognized applications, restrict self-service user consent (for example, to verified publishers and low-risk permissions only), train users to treat unexpected consent prompts as phishing, and hunt for PlugX indicators of compromise (IoCs) to mitigate such advanced persistent threats (APTs).
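As an added example (not code from the original article or from Proofpoint's report), the following Python script triages OAuth consent-grant audit records for the consent-phishing indicators discussed above: high-value delegated permissions, offline_access (a refresh token, hence persistent access), unverified publishers, and self-service user consent. The record layout, field names, scoring weights and the three sample records are constructed for illustration and do not match the real Microsoft Entra ID or Google Workspace audit schemas; only the permission names are real Microsoft Graph scopes.

```python
"""Triage OAuth consent-grant events for illicit-consent (consent phishing) indicators.

Added example. The JSON records below are constructed and use a simplified field
layout; they are not the real Microsoft Entra ID or Google Workspace audit schema.
"""
import json
from dataclasses import dataclass

# Microsoft Graph delegated permissions that hand a third-party app the data an
# espionage actor wants (mailbox, files, directory). Tune this set for your tenant.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "Directory.Read.All", "MailboxSettings.ReadWrite",
}
# offline_access yields a refresh token: access outlives the phishing session
# and survives a password reset until the grant itself is revoked.
PERSISTENCE_SCOPE = "offline_access"

# Constructed sample audit records (not real telemetry); one JSON object per line.
SAMPLE_AUDIT_LOG = """\
{"time":"2025-07-14T08:12:03Z","user":"a.diplomat@example.gov","app":"Calendar Sync Helper","appId":"11111111-1111-1111-1111-111111111111","publisherVerified":false,"scopes":["Mail.Read","Mail.Send","offline_access","User.Read"],"consentType":"User"}
{"time":"2025-07-14T09:40:11Z","user":"b.analyst@example.gov","app":"Microsoft Teams","appId":"22222222-2222-2222-2222-222222222222","publisherVerified":true,"scopes":["User.Read"],"consentType":"User"}
{"time":"2025-07-15T16:02:55Z","user":"it.admin@example.gov","app":"Backup Service","appId":"33333333-3333-3333-3333-333333333333","publisherVerified":true,"scopes":["Files.Read.All","offline_access"],"consentType":"Admin"}
"""


@dataclass
class ConsentEvent:
    time: str
    user: str
    app: str
    app_id: str
    publisher_verified: bool
    scopes: list
    consent_type: str  # "User" (self-service consent) or "Admin"


def parse_consent_log(text):
    """Parse newline-delimited JSON consent records; blank or malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            r = json.loads(line)
        except json.JSONDecodeError:
            continue
        events.append(ConsentEvent(
            time=r["time"], user=r["user"], app=r["app"], app_id=r["appId"],
            publisher_verified=bool(r.get("publisherVerified", False)),
            scopes=list(r.get("scopes", [])),
            consent_type=r.get("consentType", "User"),
        ))
    return events


def score_consent(ev):
    """Return (score, reasons) for one grant. Weights are illustrative, not a vendor scale."""
    score, reasons = 0, []
    risky = sorted(set(ev.scopes) & HIGH_RISK_SCOPES)
    if risky:
        score += 3
        reasons.append("high-risk scopes: " + ", ".join(risky))
    if PERSISTENCE_SCOPE in ev.scopes:
        score += 2
        reasons.append("offline_access grants a refresh token (persistent access)")
    if not ev.publisher_verified:
        score += 2
        reasons.append("unverified publisher")
    if ev.consent_type == "User":
        score += 1
        reasons.append("self-service user consent (no admin review)")
    return score, reasons


def triage(text, threshold=4):
    """Return grants at or above the threshold, highest score first, with the appId to revoke."""
    flagged = []
    for ev in parse_consent_log(text):
        score, reasons = score_consent(ev)
        if score >= threshold:
            flagged.append({"user": ev.user, "app": ev.app, "appId": ev.app_id,
                            "score": score, "reasons": reasons})
    return sorted(flagged, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LOG):
        print(f"[{f['score']}] {f['user']} -> {f['app']} ({f['appId']})")
        for reason in f["reasons"]:
            print("    -", reason)
```

Run against the sample, the unverified "Calendar Sync Helper" grant with mail scopes plus offline_access scores highest, the admin-approved backup app is still flagged because of Files.Read.All plus offline_access, and the verified Teams grant with only User.Read falls below the threshold. In a real tenant the same logic would be fed from the identity provider's consent audit events, and the appId of each flagged entry is what you revoke.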
Tags: PlugX, malware, state-sponsored cyber attacks, cyber espionage, phishing

