Europe faces renewed cyber spying push

Chinese state-backed hackers have stepped up espionage operations against European government targets after shifting attention away from the region for much of the period after 2023, according to new threat intelligence that points to a sustained campaign aimed at diplomatic missions, NATO-linked networks and European Union institutions. Researchers tracking the activity said the actor known as TA416 returned to European targeting in the middle of 2025 and continued through early 2026, using a mix of phishing, web beacons and malware delivery techniques built around customised PlugX implants.

The campaign appears to reflect a broader intersection between cyber operations and geopolitical strain. Proofpoint researchers, cited in new industry reporting on 1 April, said the group’s renewed focus fell most heavily on mailboxes and individuals connected to diplomatic missions and delegations to NATO and the EU. They linked the timing to heightened friction between Europe and Beijing over trade, the Russia-Ukraine war and export controls on rare earths, saying the activity began immediately after the 25th EU-China summit. That chronology is significant because it suggests the operation was not random criminal probing but intelligence collection aligned with foreign policy priorities.

TA416 is one of several names used across the cyber-security industry for the same actor. It is also tracked as Mustang Panda, RedDelta and Twill Typhoon, among other aliases. Threat intelligence firms and government-linked researchers have for years associated the cluster with Chinese state interests, based on its targeting patterns, infrastructure and persistence against government, diplomatic and strategic institutions. ThreatConnect described the group in January as a highly active state-sponsored espionage actor focused on foreign policy, trade routes and sensitive diplomatic engagements, while Proofpoint’s earlier work tied it closely to European diplomatic targeting as the war in Ukraine escalated in 2022.


That earlier European phase offers useful context for the latest wave. In March 2022, Proofpoint said TA416 was targeting European diplomatic entities and people involved in refugee and migrant services, using invisible web bugs inside emails to confirm that a target account was active before sending malicious links. The company said the actor had sharply increased activity against European governments as Russian troops massed near Ukraine, refining its reconnaissance to improve the odds that malware would land on systems of intelligence value. Cisco Talos separately reported in May 2022 that Mustang Panda was using Ukraine war-themed lures against European entities, including messages disguised as European Union material.
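The web bugs described above are tiny remote images whose fetch tells the sender that a mailbox is live. The following is an added example, not code from the article or from Proofpoint: a small Python checker that parses an email, collects every remote image in the HTML body and flags the ones that look like beacons (one-pixel dimensions or a per-recipient token in the URL). The sample message and hostnames are constructed for the demonstration.

```python
"""Flag tracking pixels ("web bugs") in an email body.

Added illustration; the heuristics are the usual ones (remote <img> with
tiny or missing dimensions, or a unique-looking token in the query string).
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message; the hosts are reserved .invalid names.
SAMPLE_EML = """\
From: sender@example.invalid
To: analyst@example.invalid
Subject: Collaboration proposal
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear colleague, please see the attached proposal.</p>
<img src="http://tracker.example.invalid/open.gif?id=7f3a9c1e5b2d" width="1" height="1">
<img src="http://cdn.example.invalid/logo.png" width="200" height="60" alt="logo">
</body></html>
"""


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): v for k, v in attrs if v is not None})


def _dimension(value):
    """Parse an HTML width/height attribute; None if absent or not numeric."""
    if value is None:
        return None
    try:
        return int(value.strip().rstrip("px"))
    except ValueError:
        return None


def find_web_beacons(raw_message: str) -> list:
    """Return one finding per remote image that looks like a tracking beacon."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _ImgCollector()
    parser.feed(body.get_content())
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # inline (cid:) or data: images do not phone home
        w, h = _dimension(img.get("width")), _dimension(img.get("height"))
        tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
        # A long alphanumeric value in the query string usually identifies the recipient.
        tokens = [v for vs in parse_qs(url.query).values() for v in vs]
        tokenised = any(len(v) >= 8 and v.isalnum() for v in tokens)
        if tiny or tokenised:
            findings.append({"src": src, "host": url.hostname,
                             "tiny": tiny, "tokenised": tokenised})
    return findings


if __name__ == "__main__":
    for hit in find_web_beacons(SAMPLE_EML):
        print(f"beacon candidate: {hit['host']} tiny={hit['tiny']} token={hit['tokenised']}")
```

The mitigation side is simpler than the detection: a mail client or gateway that does not fetch remote images by default never confirms the mailbox to the sender, which is why the check above only needs to find candidates for blocking or for alerting on which accounts were probed.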

The new phase has shown both continuity and adaptation. CyberScoop’s account of the Proofpoint findings said TA416 repeatedly changed its initial infection chains while sticking to a familiar objective: loading its customised PlugX backdoor through DLL sideloading. That method, long associated with Chinese espionage actors, uses legitimate signed software to help malicious code run while avoiding detection. Separate research published in January on Mustang Panda’s use of the COOLCLIENT backdoor also described the continued use of signed binaries and DLL sideloading in government-focused operations during 2025, underlining how the actor keeps updating its toolset without abandoning proven tradecraft.
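DLL sideloading, as the paragraph above describes, works because a legitimately signed executable resolves a library name from its own directory first, so an unsigned DLL placed next to it gets loaded inside a trusted process. The following is an added example, not code from the article, Proofpoint or any vendor: a Python rule run over constructed image-load records whose fields are loosely modelled on Sysmon Event ID 7. As in Sysmon, `Signed` describes the loaded module; the `ProcessSigned` field is an assumed enrichment step describing the host executable, and all paths and vendor names are made up.

```python
"""Flag candidate DLL sideloading in image-load telemetry (added illustration).

Rule: a signed host process loads an unsigned DLL from the process's own
directory, and that directory is not one of Windows' system library folders.
"""
from pathlib import PureWindowsPath

# Loads from the OS library directories are the normal case, not a sideload.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed records loosely shaped like Sysmon Event ID 7 fields.
# "Signed"/"Signature" describe the loaded module (as in Sysmon);
# "ProcessSigned" is an assumed enrichment describing the host process.
EVENTS = [
    {   # benign: vendor tool loading a Microsoft DLL from System32
        "Image": r"C:\Program Files\Vendor\tool.exe",
        "ImageLoaded": r"C:\Windows\System32\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "ProcessSigned": "true",
    },
    {   # suspicious: signed viewer dropped in a temp folder loads an unsigned
        # DLL that sits beside it and carries a well-known system DLL name
        "Image": r"C:\Users\alice\AppData\Local\Temp\docs\viewer.exe",
        "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\docs\version.dll",
        "Signed": "false", "Signature": "", "ProcessSigned": "true",
    },
    {   # benign: vendor tool loading its own signed helper library
        "Image": r"C:\Program Files\Vendor\tool.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
        "Signed": "true", "Signature": "Vendor Inc", "ProcessSigned": "true",
    },
]


def _dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path (works on any host OS)."""
    return str(PureWindowsPath(path).parent).lower()


def is_sideload_candidate(ev: dict) -> bool:
    """True when a signed process loads an unsigned DLL from its own non-system directory."""
    if ev.get("ProcessSigned") != "true" or ev.get("Signed") == "true":
        return False
    proc_dir, dll_dir = _dir(ev["Image"]), _dir(ev["ImageLoaded"])
    if dll_dir in SYSTEM_DIRS:
        return False
    return proc_dir == dll_dir


def find_sideloads(events: list) -> list:
    """Return the loaded-module paths of every event matching the rule."""
    return [ev["ImageLoaded"] for ev in events if is_sideload_candidate(ev)]


if __name__ == "__main__":
    for dll in find_sideloads(EVENTS):
        print("possible sideload:", dll)
```

In practice the rule is tuned further: loads from `Program Files` by the same vendor's signed DLLs are expected, while a signed host running from a temp, download or user-profile directory deserves the most weight, since that is where a lure's extracted archive usually lands.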

The targets also fit a recognisable pattern. Rather than casting a wide net, the group appears to be prioritising diplomats, policy officials and institutions that sit close to the nerve centres of European security and foreign affairs. One lure cited in the latest reporting referred to Europe sending troops to Greenland, while others involved humanitarian topics, interview requests and collaboration proposals. Such approaches are designed to blend into the daily traffic of ministries, embassies and multilateral bodies where politically sensitive discussions pass by email every day.

The campaign is unfolding as European authorities harden their public stance on hostile cyber activity linked to China. On 16 March, the Council of the European Union imposed sanctions on China-based Integrity Technology Group and Anxun Information Technology, alongside two individuals connected to Anxun, over cyber-attacks affecting member states. Reuters and the Council said the measures were tied to attacks on critical infrastructure and other harmful cyber activity against EU interests. Although those sanctions did not name TA416, they added to an atmosphere of rising confrontation between Brussels and Chinese-linked cyber actors. Beijing rejected the move and called the sanctions unlawful.

Another sign of the wider trend came from Google Threat Intelligence Group, which said in August 2025 that a PRC-linked espionage campaign attributed to UNC6384 targeted diplomats in Southeast Asia and other entities globally by hijacking web traffic during captive portal checks. Arctic Wolf and other researchers have also linked Mustang Panda or UNC6384 to later diplomatic targeting in Europe using PlugX-related techniques. Taken together, the pattern points to a flexible espionage apparatus that can shift theatres quickly while keeping diplomats and government networks firmly in view.

Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.