
TA416 European government espionage campaign

Campaign
First reported
Last updated
Happening score
H score 52
2 unique sources, 2 articles

Summary


TA416 has resumed cyber espionage activity, targeting European governments and EU/NATO diplomatic missions with a renewed malware-delivery operation that raises cross-border intelligence risk. The group repeatedly changed its infection chain, using Cloudflare Turnstile, OAuth redirects, and C# project files to deliver a customized PlugX backdoor. In March 2026, the operation expanded to Middle East diplomatic and government entities after conflict broke out in Iran.

Related Happenings

Webworm expanded European government and South Africa university espionage campaign

Campaign
First: 20.05.2026 14:30 Last: 20.05.2026 14:30 Sources 1

About this happening: Webworm expanded its **2025 espionage campaign** into **European government organizations** and a **university in South Africa**, widening the cross-region targeting risk. The ope...

Secret Blizzard Kazuar modular P2P botnet

Malware Activity
First: 16.05.2026 17:15 Last: 16.05.2026 17:15 Sources 1

About this happening: **Kazuar** is being used in a **multi-stage campaign in Ukraine** that ESET says likely involves **Gamaredon** providing access and **Turla/Secret Blizzard** delivering the backdo...

Shadow-Aether-040 AI-augmented campaign against Mexican government entities

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **Shadow-Aether-040** campaign used **AI agents** and custom tooling to compromise **six government entities in Mexico**, increasing the risk of follow-on intrusion and **data...

FamousSparrow Azerbaijanian oil-and-gas targeting campaign

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: The **China-linked FamousSparrow group** ran a **targeted cyberespionage campaign** against an **Azerbaijanian oil-and-gas company** in the **South Caucasus**, highlighting a new...

FamousSparrow multi-wave intrusion campaign against Azerbaijani oil and gas company

Campaign
First: 13.05.2026 16:00 Last: 13.05.2026 16:00 Sources 1

About this happening: A **China-affiliated** actor tracked as **FamousSparrow (UAT-9244)** ran a **multi-wave intrusion** against an **unnamed Azerbaijani oil and gas company** from **late December 202...

Timeline

  1. 03.04.2026 20:34 1 article · 1mo ago

    TA416 expands espionage campaign to Middle Eastern government targets

    Campaign Scope Update

    TA416 expanded its espionage campaign to Middle Eastern government and diplomatic entities after the outbreak of the U.S.-Israel-Iran conflict in late February 2026. To refine its PlugX delivery chain and collect regional intelligence, it linked to archives hosted on Google Drive or a compromised SharePoint instance.

  2. 01.04.2026 15:05 1 article · 1mo ago

    Initial report: TA416 European government espionage campaign

    Initial Disclosure

    The renewed operation first surfaced in **mid-2025** with web-bug and malware-delivery activity aimed at **European government** targets. Early targeting centered on **EU and NATO diplomatic missions** before the campaign later widened.
