Privacy Ninja

Chinese Phishing Actors Consistently Targeting EU Diplomats

Chinese Phishing Actors Consistently Targeting EU Diplomats

The China-aligned group tracked as TA416 (aka Mustang Panda) has been consistently targeting European diplomats since August 2020, with the most recent activity involving refreshed lures to coincide with the Russian invasion of Ukraine.

According to a new report by Proofpoint, TA416 spearheads cyber-espionage operations against the EU, consistently focusing on this long-term role without reaping opportunistic gains.

By keeping their tools and tactics essentially unchanged since 2020 and only refreshing their phishing themes and peripheral components, TA416 has made attribution simple for the analysts.

Also Read: Data Protection Authority GDPR: Everything You Need To Know

Timeline of activity

Starting in August 2020, the phishing actors impersonated EU-based organizations to target governments in the continent.

Email impersonating a UN agent
Email impersonating a UN agent (Proofpoint)

The malicious emails used a DropBox URL to deliver a variant of the PlugX malware, which was previously deployed in attacks against Australian organizations.

In November 2021, TA416 added hidden image trackers on emails to validate message openings and follow a more targeted approach in their campaign.

On January 17, 2022, Proofpoint noticed new delivery attempts involving ZIP files that were custom-named to match the target’s interests.

January 2022 phishing email
January 2022 phishing email (Proofpoint)

A change in tactic also occurred at this point, as the ZIP files weren’t fetched from a cloud hosting service but instead leveraged a dropper malware executable.

The four components downloaded this way were the PlugX malware, its loader, the DLL search order hijacker (process loader), and a PDF decoy file.

Also Read: The Top 10 Best And Trusted List Of Lawyers In Singapore

Finally, on February 28, 2022, the Chinese threat actors were spotted using a compromised diplomat’s address to target other top-ranking officials of NATO countries with lures involving the Russian invasion of Ukraine.

The most recent phishing lure linked to TA416
The most recent phishing lure linked to TA416 (Proofpoint)

The compromised person worked in refugee and migrant services, an area that was recently targeted by Belarusian hackers as well.

Superficial changes

While the tactics, malware drop, installation, and loading methods remain constant across campaigns, Mustang Panda puts some effort into regularly changing the components used.

“The group uses different legitimate PE files to initiate side-loading, as well as a variety of PlugX DLL loaders including the PotPlayer and DocCon versions,” elaborates the Proofpoint report.

“TA416 also uses different variants of the final PlugX payload in which the communication routines are observed to be different when closely analyzed.”

However, too many elements form a common ground between 2020, 2021, and 2022 campaigns, as reflected in the following table.

Common TA416 tactics throughout the years
Common TA416 tactics throughout the years (Proofpoint)

As Proofpoint’s report underlines in conclusion, these superficial variations will continue unabated, especially now that a fresh set of indicators of compromise has been published, so vigilance and good email security practices are advised to all potential targets.



Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection


We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.


Click one of our contacts below to chat on WhatsApp

× Chat with us