{"id":3686,"date":"2026-04-01T14:53:10","date_gmt":"2026-04-01T14:53:10","guid":{"rendered":"https:\/\/www.europesays.com\/europe\/3686\/"},"modified":"2026-04-01T14:53:10","modified_gmt":"2026-04-01T14:53:10","slug":"european-chinese-geopolitical-issues-drive-renewed-cyberespionage-campaign","status":"publish","type":"post","link":"https:\/\/www.europesays.com\/europe\/3686\/","title":{"rendered":"European-Chinese geopolitical issues drive renewed cyberespionage campaign"},"content":{"rendered":"<p>A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts of the world, Proofpoint research published Wednesday found.<\/p>\n<p>The surge began in mid-2025, with a bevy of issues bubbling up between China and Europe, <a href=\"https:\/\/www.proofpoint.com\/us\/blog\/threat-insight\/id-come-running-back-eu-again-ta416-resumes-european-government-espionage\" rel=\"nofollow noopener\" target=\"_blank\">the company said<\/a>. Proofpoint labels the government-linked group TA416, but other companies track it as Twill Typhoon, Mustang Panda or other names.<\/p>\n<p>\u201cThis renewed focus most heavily targeted individuals or mailboxes associated with diplomatic missions and delegations to NATO and the EU,\u201d Proofpoint\u2019s Mark Kelly and Georgi Mladenov wrote. \u201cTA416\u2019s return to European government targeting occurred during heightened EU\u2013China tensions over trade, the Russia\u2013Ukraine war, and rare earths exports, and commenced immediately following the 25th EU\u2013China summit.\u201d<\/p>\n<p>Separately, the same group took up targeting the Middle East in March after the start of the conflict in Iran, something it had never been spotted doing before, Proofpoint found.<\/p>\n<p>\u201cThis aligns with a trend observed by Proofpoint of some state-aligned threat actors shifting targeting toward Middle Eastern government and diplomatic entities in the aftermath of the war,\u201d the firm said. \u201cThis likely reflects an effort to gather regional intelligence on the status, trajectory, and broader geopolitical implications of the conflict.\u201d<\/p>\n<p>TA416 was active in Europe in 2022 and 2023, coinciding with the onset of the Ukraine-Russia war, but stepped away from the continent afterward, according to the researchers. Its focus turned to Southeast Asia, Taiwan and Mongolia for a couple years.<\/p>\n<p>The group\u2019s focus on Europe through early 2026 used a variety of web bug and malware delivery methods, including setting up reconnaissance by dangling lures about Europe sending troops to Greenland. It also included phishing emails about humanitarian concerns, interview requests and collaboration proposals, Proofpoint said.<\/p>\n<p>\u201cDuring this period, TA416 repeatedly altered its initial infection chains while maintaining a consistent goal of loading the group\u2019s customized PlugX backdoor via DLL sideloading triads,\u201d the researchers wrote.<\/p>\n<p>Proofpoint\u2019s is not the only report of late about Chinese cyberespionage groups targeting Europe, with <a href=\"https:\/\/www.taipeitimes.com\/News\/front\/archives\/2026\/03\/29\/2003854647\" rel=\"nofollow noopener\" target=\"_blank\">another focused<\/a> on LinkedIn solicitations to NATO and European institutions.<\/p>\n<p>\t\t\t\t\t<img decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/www.europesays.com\/europe\/wp-content\/uploads\/2026\/04\/Tim-Starks-01.jpg\" alt=\"Tim Starks\"\/><\/p>\n<p>\t\t\tWritten by Tim Starks<br \/>\n\t\t\tTim Starks is senior reporter at CyberScoop. His previous stops include working at The Washington Post, POLITICO and Congressional Quarterly. An Evansville, Ind. native, he&#8217;s covered cybersecurity since 2003. Email Tim here: <a href=\"https:\/\/cyberscoop.com\/european-chinese-geopolitical-issues-drive-renewed-cyberespionage-campaign\/mailto:tim.starks@cyberscoop.com\" rel=\"nofollow noopener\" target=\"_blank\">tim.starks@cyberscoop.com<\/a>.\t\t<\/p>\n","protected":false},"excerpt":{"rendered":"A Chinese cyberespionage group has shifted its gaze back to Europe after years of focusing on other parts&hellip;\n","protected":false},"author":2,"featured_media":3687,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[81,3792,4,15,40,303,30,3793,481,3794,16,750,28],"class_list":{"0":"post-3686","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-europe","8":"tag-china","9":"tag-cyberespionage","10":"tag-europe","11":"tag-european","12":"tag-european-union","13":"tag-iran","14":"tag-middle-east","15":"tag-mongolia","16":"tag-nato","17":"tag-proofpoint","18":"tag-russia","19":"tag-taiwan","20":"tag-ukraine"},"_links":{"self":[{"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/posts\/3686","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/comments?post=3686"}],"version-history":[{"count":0,"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/posts\/3686\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/media\/3687"}],"wp:attachment":[{"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/media?parent=3686"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/categories?post=3686"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.europesays.com\/europe\/wp-json\/wp\/v2\/tags?post=3686"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}