China-Linked TA416 Targets European Governments with PlugX and OAuth-Based Phishing

Friday, April 3, 2026 at 05:34 PM UTC·Source: The Hacker News

Updated: Friday, April 3, 2026 at 09:52 PM UTC

Executive Summary

A China-aligned threat actor has set its sights on European government and diplomatic organizations since mid-2025, following a two-year period of minimal targeting in the region. The campaign has been attributed to TA416, a cluster of activity that overlaps with DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda. "This TA416 activity included multiple

Analysis

Source Attribution

Originally published by The Hacker News on Apr 3, 2026.

Related Threats

LOWPhishing

12 cyber industry trends revealed at RSAC 2026

The 2026 RSA circus is over. The tents are packed and the elephants have been loaded onto the train. Nevertheless, it was an eventful week. There were fleets of vehicles — Escalades, Rivians, trucks but curiously, no Teslas — strewn with vendor names and tag lines, and you couldn’t walk anywhere near Howard Street in San Franciso without seeing, “AI-[insert word here like enabled, enhanced, native

15h agoCSO Online

MEDIUMPhishing

New Phishing Platform Used in Credential Theft Campaigns Against C-Suite Execs

A large-scale credential theft campaign targeting senior executives has been linked to a previously unknown automated phishing platform called Venom

16h agoInfosecurity Magazine

CRITICALPhishing

Yokogawa CENTUM VP

<a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-092-02.json">View CSAF</a> <h2>Summary</h2> Successful exploitation of this vulnerability could allow an attacker to login as the PROG user and modify permissions. The following versions of Yokogawa CENTUM VP are affected: <ul> <li>CENTUM VP >=R5.01.00|</li>

CVE-2025-7741

1d agoCISA Advisories