The spy who logged me in.
ID: 1f5739ab-9f19-5efe-9f31-ebcf3b89d6e0
STIX ID: report--1f5739ab-9f19-5efe-9f31-ebcf3b89d6e0
Feed Name: Proofpoint Blog
Proofpoint researcher Mark Kelly reports that China-linked APT TA416 has resumed large-scale spearphishing and PlugX malware campaigns targeting European governments, EU/NATO diplomatic missions, and Middle Eastern entities. The group has evolved tactics between mid-2025 and early 2026 — using fake Cloudflare verification pages, Microsoft OAuth redirect abuse, and malicious C# project files — reflecting shifting geopolitical priorities and continued intelligence-gathering focus.
