
"This TA416 activity included multiple waves of web bug and malware delivery campaigns against diplomatic missions to the European Union and NATO across a range of European countries."
"Throughout this period, TA416 regularly altered its infection chain, including abusing Cloudflare Turnstile challenge pages, abusing OAuth redirects, and using C# project files, as well as frequently updating its custom PlugX payload."
"TA416 has also been observed orchestrating multiple campaigns aimed at diplomatic and government entities in the Middle East following the outbreak of the U.S.-Israel-Iran conflict in late February 2026."
"While TA416's attacks are characterized by the use of bespoke PlugX variants, the Mustang Panda cluster has repeatedly deployed tools like TONESHELL, PUBLOAD, and COOLCLIENT in recent attacks."
Since mid-2025, after a roughly two-year lull, TA416 has resumed targeting European government and diplomatic organizations. The activity consists of multiple waves of web bug (tracking-pixel) and malware delivery campaigns, aimed in particular at diplomatic missions to the EU and NATO. TA416 has repeatedly changed its infection chain, including abusing Cloudflare Turnstile challenge pages and OAuth redirects, while continuing to update its custom PlugX payload. The group has also run campaigns against diplomatic and government entities in the Middle East, apparently to collect intelligence on the U.S.-Israel-Iran conflict. TA416 overlaps technically with the Mustang Panda cluster; both rely on DLL side-loading to deploy their malware.
Read at The Hacker News