China‑Linked TA416 Conducts PlugX Malware and OAuth Phishing Campaign Against European Government Entities
What Happened — Since mid‑2025, the China‑aligned threat group TA416 (also tracked as Mustang Panda, RedDelta and DarkPeony) has run a focused intrusion campaign against European government and diplomatic networks. The operation pairs the PlugX remote‑access trojan with OAuth consent phishing: victims are lured into approving an attacker‑registered application, which gives the attacker delegated access tokens to the victim's cloud account without ever seeing a password, alongside a persistent foothold on the endpoint.
Why It Matters for TPRM —
- State‑level actors targeting public‑sector suppliers expose downstream vendors to token theft and supply‑chain compromise: a grant obtained in one tenant gives reach into every mailbox and document share that tenant's partners correspond with.
- Consent phishing never asks for a password, so password resets and conventional MFA do not revoke the attacker's access. Only removing the application consent and revoking refresh tokens does, which is a gap in identity‑centric controls that are tuned for credential theft.
- Persistent PlugX implants can be used to pivot into third‑party services reachable from the compromised host, increasing the attack surface for all ecosystem partners.
Who Is Affected — Government ministries, diplomatic missions, and any third‑party vendors that provide cloud, identity, or communications services to these entities.
Recommended Actions —
- Require vendors to disclose any OAuth applications and delegated permissions they request in your tenant; restrict user consent to verified publishers and low‑risk scopes, route everything else through admin consent, and enforce MFA on the accounts that can grant it.
- Monitor consent grants and token use: alert on new consents to unverified or externally owned applications, on high‑privilege delegated scopes (mail, files, and offline_access, which yields refresh tokens), and on tokens exercised from unexpected locations; revoke the grant and the user's refresh tokens when a suspicious consent is found.
- Hunt for PlugX activity on endpoints, including those of vendors with remote access to your estate: PlugX is typically loaded by DLL side‑loading through a legitimate signed executable bundled with a malicious DLL, so confirm that EDR coverage extends to vendor‑managed hosts and that their remote‑access paths (RDP, VPN) terminate on monitored systems.
Technical Notes — The campaign uses malicious OAuth consent flows: the lure presents a legitimate‑looking permission prompt for an attacker‑controlled application, and a single click grants that application delegated access tokens for the victim's account. The tokens let the attacker call the victim's cloud APIs silently, with no password and no MFA challenge, for as long as the consent and its refresh token remain in place. The same campaign delivers the PlugX RAT, which provides command‑and‑control, file exfiltration, and lateral movement on the compromised host. No specific CVE is cited, but the technique aligns with known OAuth consent‑phishing patterns. Source: The Hacker News
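As an added example of the consent‑grant monitoring recommended above (this is illustrative code written for this page, not tooling from TA416 reporting, Proofpoint, or The Hacker News), the script below triages an export of OAuth consent grants for the pattern the campaign relies on: an externally owned, unverified application that one user has consented to with mail or file scopes plus offline_access. The input records are constructed inline and shaped loosely after Microsoft Graph oauth2PermissionGrant objects joined with their servicePrincipal; the field names, the tenant identifier, the scoring weights and the threshold are assumptions to adapt to your own export.

```python
"""Triage exported OAuth consent grants for consent-phishing patterns.

Added example; not code from the original article or any vendor report.
Records are constructed here and modelled loosely on Microsoft Graph
oauth2PermissionGrant + servicePrincipal fields (an assumption).
"""
from dataclasses import dataclass

HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant id

# Delegated scopes that let a token holder read or send mail and reach files
# silently: the data consent phishing is after.
HIGH_VALUE_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All",
    "MailboxSettings.ReadWrite", "Directory.Read.All",
}
# offline_access yields a refresh token, so access survives a password reset.
PERSISTENCE_SCOPE = "offline_access"


@dataclass(frozen=True)
class ConsentGrant:
    app: str                 # servicePrincipal.displayName
    app_owner_tenant: str    # servicePrincipal.appOwnerOrganizationId
    publisher_verified: bool # servicePrincipal.verifiedPublisher present
    consent_type: str        # "AllPrincipals" (admin) or "Principal" (one user)
    principal: str           # consenting user's UPN, "" for admin consent
    scope: str               # space-separated delegated scopes, as in Graph


def score_grant(g: ConsentGrant) -> tuple[int, list[str]]:
    """Return (risk score, reasons). Weights are assumptions for this example."""
    score, reasons = 0, []
    scopes = set(g.scope.split())
    external = g.app_owner_tenant != HOME_TENANT
    if external and not g.publisher_verified:
        score += 3
        reasons.append("external app with unverified publisher")
    elif external:
        score += 1
        reasons.append("external app (verified publisher)")
    sensitive = sorted(scopes & HIGH_VALUE_SCOPES)
    for s in sensitive:
        score += 2
        reasons.append(f"high-value delegated scope {s}")
    if PERSISTENCE_SCOPE in scopes and sensitive:
        score += 2
        reasons.append("offline_access: refresh token outlives a password reset")
    if g.consent_type == "Principal":
        score += 1
        reasons.append(f"user consent by {g.principal or 'unknown'}, not admin-reviewed")
    return score, reasons


def triage(grants: list[ConsentGrant], threshold: int = 5) -> list[tuple[str, int, list[str]]]:
    """Grants at or above the threshold, highest risk first."""
    findings = []
    for g in grants:
        score, reasons = score_grant(g)
        if score >= threshold:
            findings.append((g.app, score, reasons))
    return sorted(findings, key=lambda f: -f[1])


# Constructed sample export: two benign grants and two that match the pattern.
SAMPLE_GRANTS = [
    ConsentGrant("Expense Helper", HOME_TENANT, False, "Principal",
                 "carol@example.gov", "User.Read"),
    ConsentGrant("Ticketing SaaS", "22222222-2222-2222-2222-222222222222", True,
                 "AllPrincipals", "", "User.Read offline_access"),
    ConsentGrant("Document Viewer", "33333333-3333-3333-3333-333333333333", False,
                 "Principal", "alice@example.gov",
                 "User.Read Mail.Read Mail.Send offline_access"),
    ConsentGrant("SharePoint Sync Tool", "44444444-4444-4444-4444-444444444444", False,
                 "Principal", "bob@example.gov", "Files.ReadWrite.All"),
]

if __name__ == "__main__":
    for app, score, reasons in triage(SAMPLE_GRANTS):
        print(f"[{score:>2}] {app}")
        for r in reasons:
            print(f"      - {r}")
```

In a real tenant the records come from a Graph export of oauth2PermissionGrants and servicePrincipals; the point of the scoring is that the dangerous combination is not any single field but an unverified external app, a mail or file scope, offline_access and a single‑user consent together. A flagged grant is remediated by deleting the grant and revoking the user's refresh tokens, not by resetting the password.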