
The spy who logged me in.
Dave Bittner: Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems, and protecting ourselves in our rapidly evolving cyberspace. Thanks for joining us. [ Music ]
Mark Kelly: So TA416 is a China-aligned espionage threat actor that Proofpoint has been kind of regularly keeping track of for quite a while. The kind of impetus for this research is we did see some pretty interesting activity from the threat actor since around July of last year, where we saw a significant shift in their targeting, and we've continued to see some interesting evolutions in their tactics over this period as well.
Dave Bittner: That's Mark Kelly, threat researcher at Proofpoint. The research we're discussing today is titled "I'd Come Running Back to EU Again: TA416 Resumes European Government Espionage Campaigns." [ Music ] Well, the research says that this group largely stepped back from Europe for a while, but then, as you say, that changed in mid-2025. What signaled that they were coming back?
Mark Kelly: That's right. So if we kind of cast our mind back a little bit further, this group used to be very active within Europe, particularly within the kind of 2021 to 2023 timeframe. And this coincided with the original invasion of Ukraine by Russia. And we assessed at the time that this was kind of an effort to gather intelligence regarding diplomatic networks within Europe in relation to the war. However, as you said, since around mid-2023, for about two years, we saw very little of this threat actor within the region. But then in mid-2025, we saw them kind of come back quite consistently to the region. And this kind of coincided with -- well, it kind of first started immediately after these China-EU summits in July 2025, where we saw multiple campaigns from this group, and it's kind of continued since then.
Dave Bittner: Well, when you say they've resumed targeting European diplomatic organizations, what does that actually look like in practice? What does it seem as though they're after here?
Mark Kelly: I think this group is kind of what we would call a more traditional espionage threat actor. So they're looking at kind of foreign policy. They're looking at targeting embassies, Ministry of Foreign Affairs, and so on. So really looking to kind of understand diplomatic networks and what's going on within other countries, particularly when it's of interest to the Chinese government.
Dave Bittner: I see. Well, can you walk us through the campaign kind of step-by-step? How does someone find themselves in the sights of this group?
Mark Kelly: Yes, so we've kind of seen two primary types of campaigns from this threat actor. The first is a more kind of fact-finding or reconnaissance-type campaign where we see the group delivering what are known as tracking pixels. And these are essentially tiny, tiny images that are embedded within an email. And then when the target opens them, it will kind of send a signal to the threat actor that, "Oh, the email has been opened. This user is kind of engaging with the material I'm sending them." And that can signal to them that they can essentially use that as a piece of information to target that individual again with malware. So kind of more stepping up the game a little bit and actually trying to gain access to that individual or that organization. And so we saw multiple waves of these tracking pixel emails from this threat actor. And then, in addition to this, we've also seen quite a lot of malware delivery from the group. So, actually trying to gain remote access into these particular individuals and these particular organizations via multiple different kinds of methods and different initial infection vectors.
Dave Bittner: Now, one of the things you highlighted was that you saw phishing coming from compromised diplomatic mailboxes. And I suppose that tactic is especially effective against government targets.
Mark Kelly: That's right. And that's kind of something that is pretty consistent with this threat actor. They use government and diplomatic accounts that they have kind of previously compromised to stage and conduct new campaigns. So from a target perspective, you're obviously going to be a lot more trusting of someone you have previously engaged with or someone who is a kind of trusted government account who is sending you an email, versus, like, a random kind of Gmail account that you've never heard of before. So it makes it a lot more kind of authentic and believable from a target's perspective.
Dave Bittner: To what degree does this appear to be highly targeted, or is it more broad reconnaissance?
Mark Kelly: It's highly targeted in the fact that it's specifically going after specific kind of countries. It's specifically going after Ministry of Foreign Affairs from an espionage perspective. So from our kind of vantage point, that is a pretty targeted campaign and a pretty targeted threat actor. And that kind of aligns with what we typically see from espionage groups, who obviously have a kind of predetermined or hierarchical kind of tasking in terms of what they're supposed to be gathering intelligence on. And that is typically reflected in that group's targeting. So they do tend to be kind of fairly selective in who they target.
Dave Bittner: The research highlights that you've seen them shifting towards some Middle Eastern targets after this current outbreak and conflict in Iran. What does this tell us about organizations like this and their ability to pivot and respond to geopolitical events?
Mark Kelly: That's right. Yes, so kind of -- about a week or so following the commencement of the conflict, we did see multiple campaigns from this group from compromised embassies within the Middle East, sent to other embassies within that region. And that is not an area we had traditionally or historically seen targeted by this threat actor. So we did assess that that is likely kind of driven by the conflict and by a desire to gather additional intelligence, both on the conflict as well as the kind of geopolitical ramifications within that region. And that is something that is kind of historically typical for this threat actor. So I already mentioned them pivoting to Europe following the Russia-Ukraine war and then kind of pivoting back to Europe following those kind of mid-2025 talks. So this is definitely a group that seems to be tasked to look at or kind of shift, or at least expand their targeting when certain geopolitical events occur that are important to the Chinese government.
Dave Bittner: One of the themes in the research is the evolving technical tradecraft here, that TA416, they keep changing their infection chain. Can you dig into that for us?
Mark Kelly: That's right. Yes. So it's quite interesting because we see some things change quite significantly and quite frequently from this group. And then other things tend to stay static or tend to stay kind of relatively similar over long periods of time. And some of the things that we've seen changing have in particular been the early parts of the infection chain. So what is within the phishing email, and what kind of comes immediately after the phishing email tends to change pretty frequently. And over the last kind of seven or eight months, we've seen three primary initial infection vectors from this group. The first was where they were using fake CAPTCHA pages. So they were pretending to be like a normal Cloudflare "verify you're a human" type website. But actually, when you kind of verify yourself, it downloads some malware onto your machine. The second, we've actually seen them abusing Microsoft login redirects. And this is a pretty interesting technique where they are able to kind of include a legitimate Microsoft sign-in URL within the phishing email. So it looks kind of pretty legitimate to a target. But what is actually going on in the background is that they have registered a third-party application. So anyone can kind of go ahead and do that. And they have crafted it in such a way that it causes a redirect via that application to the threat actor's actual own infrastructure, where again you kind of end up downloading malware. And those have been the two kind of primary infection vectors we've seen from the group. And there's been kind of one other that we saw once or twice back in February, but seems to have kind of been phased out again.
Dave Bittner: Despite all these changes, you point out that the campaigns still lead back to PlugX. Can you first of all describe what that is for folks who may not be familiar? And why do we think this is so persistent in their toolkit?
Mark Kelly: That's right. Yes, so despite all of these changes, we tend to see these ultimately delivering a custom backdoor known as PlugX. So this is a malware family that's been around for a long, long time now. It's Chinese in origin. It's been used by a lot of different China-aligned threat actors over the kind of past decade or so, really. But the interesting thing about TA416 is that they have kind of adopted it but customized it to such an extent that it's kind of pretty much unrecognizable from the standard PlugX of years ago. So they do continually kind of tweak it and adapt it and so on. And in terms of what it allows them to do, it's essentially a remote access Trojan. So they can use it to remotely control the computer, steal information, open a command shell and download files and exfiltrate files and so on. So pretty standard kind of commands within the actual payload. [ Music ]
Dave Bittner: We'll be right back. [ Music ] Well, this being 2026 and us being where we are these days, you note possible signs of large language model assistance in some of the components here. What in particular stood out?
Mark Kelly: That's right. So this was particularly kind of evident within the third infection vector that I kind of briefly mentioned earlier that we saw for a short period of time. They were using a particular kind of fairly unusual file format called C-Sharp project files. And these are basically used by software developers to help them compile code. But TA416 was essentially abusing this to download PlugX. But within those C-Sharp project files, they appeared to be kind of pretty clearly LLM-generated. So we saw the inclusion of comments that no normal malware developer would include, that was kind of describing what it was doing. And there was also kind of variations between different samples, different scripts that we saw, that was saying -- like, one would say, "Oh, this is the URL with the new endpoint. This is the URL revised again," and that kind of thing. So clearly kind of being iteratively changed likely via kind of a large language model.
Dave Bittner: Yeah, that's interesting. Now, let's talk about this Mustang Panda question. I think there's quite often confusion around the Mustang Panda label when it comes to attribution. Where does TA416 fit within that ecosystem of related groups?
Mark Kelly: That's right. Yes, so the joys of aliases within threat intelligence, I'm sure, are not lost on your listeners. And it can be kind of confusing sometimes. But from a vendor perspective and from someone who actually tracks and kind of uses our own telemetry to track these groups, we all have different visibility in terms of what they look like and kind of how we cluster them together. And from our perspective, what is often referred to as Mustang Panda publicly, for us, is two distinct groups. Well, predominantly two distinct groups. So TA416 is one of those groups. So we mostly see them, again, targeting European, Southeast Asian diplomats, government using PlugX, and so on. And then there is -- another cluster that we assess is likely distinct just based on using very different techniques, different targeting, different malware. And we do track them separately. I would kind of note that some other organizations track it as a single group, and there is some indication that there may be some sort of organizational link between the two. But from our perspective, from a behavioral standpoint, they kind of look completely different, and there's no way for us to reconcile that as being the same threat actor from our vantage point. So that's why we kind of cluster them separately.
Dave Bittner: I see. Looking at the bigger picture here, some of the implications of an operation like this, TA416's focus on the EU and NATO-linked diplomacy, their renewed focus on them. What does this suggest about where Beijing stands right now in terms of their intelligence priorities?
Mark Kelly: Yes, I think it's kind of indicative of a renewed focus on government organizations within Europe. It did seem to kind of coincide with this EU-China summit that happened back in July, as I mentioned, and we didn't really see a whole lot of them before that. And then, since then, we've seen quite a lot of them. So that seems to be the kind of correlation. But again, it's hard to, like, pinpoint exactly what has led to this shift back to Europe. The Middle East one was kind of a lot more obvious and straight cut, I think, given we'd never seen them there before, and then we were suddenly seeing them there right after the conflict began. So I think we can be a lot more confident in terms of our assessment in terms of the rationale for the group's shift in targeting them. But Europe is a little bit more -- we kind of have to put our thinking hats on a little bit more for that one, I think.
Dave Bittner: Do you suppose that organizations should interpret this activity as more opportunistic surveillance, or do we suspect this is something more strategic and possibly sustained?
Mark Kelly: I would expect this to be sustained. I mean, this is a threat actor that's been around for a long time now. They do shift targeting, as I mentioned, over time. But there has been some consistency. So I haven't really mentioned the group's activity in Asia, but they are basically kind of consistently active within Southeast Asia over probably a decade at this point. So very long periods of time. So it's not a group that's going to go away anytime soon. They do not target people opportunistically. So it is typically kind of purposeful, and they are doing it for a reason, likely based on some kind of tasking they are having from whoever they work for within the Chinese government. So there is definitely kind of methodical rationale for why they do what they do.
Dave Bittner: I see. Well, let's talk about some of the practical takeaways here for the defenders in our audience. What are your recommendations? What can they do to protect themselves against a threat like this?
Mark Kelly: Yes, so I think kind of starting from the email level and going on to the kind of more malware components. From the email level, it's kind of your standard recommendations around educating users on the risks of executing kind of code and clicking links that are potentially suspicious. Obviously, in this case, if they're using kind of compromised senders and linking to Microsoft infrastructure, it's probably unfair to expect a general user to be able to recognize that as phishing against them. But from kind of more technical controls, even though they do change these earlier standpoints, if kind of defenders can focus more on what comes later. So the actual malware has been pretty standard. They tend to use Microsoft shortcut files, which are pretty kind of common at the moment from a lot of different threat actors, but are detectable and are something that you can kind of build detections for. Similarly, looking at the actual malware being loaded. So they tend to use specific techniques, particularly things like DLL side-loading, which is a way that they can load their malware. And then looking at, again, the kind of network perspective. So once the malware is loaded on the computer, it's going to try and reach out to command and control infrastructure. So, proactively trying to track that infrastructure or engaging with organizations that are able to do that, and ensuring that if you do see networks or computers within your network trying to contact that command and control infrastructure that you're alerted, and you can kind of remediate it. So lots of different kind of steps there that defenders can take, I think, based on the different aspects of the infection chain.
Dave Bittner: All right. Well, Mark, I think I have everything I need for our story here. Is there anything I missed, anything I haven't asked you that you think it's important to share?
Mark Kelly: One of the things that is interesting is their infrastructure choices and the way they buy expired legitimate domains. So oftentimes they will use a formerly legitimate company that has gone out of business or, for some reason, let their domain expire. They will then buy that and use that for command and control for their malware families or for hosting -- tracking pixels within emails. And this is an interesting kind of choice because these tend to have higher reputation than if they were to just purchase a kind of new domain that's never been around before. And it also makes it a little bit harder to kind of detect their activity. They also hide these domains behind the Cloudflare content distribution network, again, to kind of obscure where their servers are. And that is something that's really developed over the last few years, and they've clearly kind of put a little bit of effort into trying to make their infrastructure harder to track. And the other interesting thing there is they usually put fake websites on those C2 domains as well. So if you were to visit them, it would just look like a kind of generic website, but in actual fact, it's a kind of domain that they own and that they use for C2. So that was one more kind of interesting thing that I've seen from this group.
Dave Bittner: How do you rate their sophistication?
Mark Kelly: I would say they're not necessarily the top end of sophistication, but they are very persistent and creative. And they're also willing to kind of consistently change and adapt their approach, even if the kind of core objective and TTPs do remain consistent over time. So it's definitely a group to keep an eye on and be wary of, particularly if you're within that kind of target set of theirs. So, particularly, embassies, diplomatic organizations, and so on should definitely be very aware of this group. [ Music ]
Dave Bittner: Our thanks to Mark Kelly from Proofpoint for joining us. The research is titled "I'd Come Running Back to EU Again: TA416 Resumes European Government Espionage Campaigns." We'll have a link in the show notes. And that is Research Saturday brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com. This episode was produced by Liz Stokes. We're mixed by Elliott Peltzman and Trey Hester. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher, and I'm Dave Bittner. Thanks for listening. We'll see you back here next time. [ Music ]
