Security Briefing April 4, 2026 ยท 9 min read

China-Linked TA416 Deploys PlugX Against EU & NATO Diplomatic Targets, European Commission Breach Exposes 30 Union Entities, Microsoft Uncovers Cookie-Controlled PHP Web Shells on Linux, SparkCat Crypto Wallet Stealer Returns to App Stores

Proofpoint exposes TA416's renewed espionage campaign deploying custom PlugX variants via OAuth redirects and Cloudflare Turnstile abuse against European governments and NATO missions. CERT-EU attributes the European Commission cloud hack to TeamPCP, confirming data from 30 Union entities was stolen and leaked by ShinyHunters. Microsoft Defender research details a stealthy new class of cookie-controlled PHP web shells that persist via cron jobs on Linux servers. Kaspersky discovers an evolved SparkCat variant on iOS and Android app stores using OCR to steal cryptocurrency wallet recovery phrases. Qilin ransomware group claims attack on German political party Die Linke. LinkedIn caught scanning 6,000+ Chrome extensions in "BrowserGate" privacy controversy.


๐Ÿ•ต๏ธ TA416 Renews PlugX Espionage Campaign Against EU & NATO Diplomatic Targets

โš ๏ธ HIGH โ€” Active Chinese State-Sponsored Espionage Campaign Targeting European Governments

TA416 (also tracked as RedDelta, DarkPeony, Vertigo Panda) is running multi-wave campaigns against EU and NATO diplomatic missions using evolving PlugX infection chains with OAuth redirect abuse and Cloudflare Turnstile exploitation.

Proofpoint researchers have published a comprehensive report on TA416, a China-aligned threat actor that has resumed active targeting of European government and diplomatic organizations after a two-year lull in the region.

The campaign overlaps with clusters tracked as DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda โ€” all associated with Chinese state-sponsored intelligence collection.

Infection Chain Evolution

TA416 has been continuously rotating its techniques to evade detection:

Target Profile

Targets include diplomatic missions to the EU and NATO across multiple European countries, as well as government and diplomatic entities in the Middle East following the U.S.-Israel-Iran conflict in late February 2026. The group uses freemail sender accounts for both reconnaissance and payload delivery.

The campaign deploys bespoke PlugX variants via DLL side-loading โ€” the group's signature technique โ€” with payloads frequently updated to evade detection. Organizations in European government and diplomatic sectors should review email security controls, implement OAuth redirect restrictions, and hunt for PlugX indicators of compromise.


๐Ÿ‡ช๐Ÿ‡บ CERT-EU: European Commission Cloud Hack Exposes Data from 30 Union Entities

โš ๏ธ CRITICAL โ€” 90GB of EU Commission Data Leaked on Dark Web

TeamPCP exploited a stolen AWS API key from the Trivy supply-chain attack to breach the European Commission's cloud environment. ShinyHunters leaked 90GB (340GB uncompressed) of documents containing names, email addresses, and email content from 30+ EU entities.

CERT-EU has formally attributed the European Commission cloud breach to the TeamPCP threat group, revealing the incident is far more damaging than initially disclosed.

Attack Chain

DateAction
March 10TeamPCP uses stolen AWS API key (from Trivy supply-chain attack) to access Commission cloud accounts
March 10โ€“24Attacker deploys TruffleHog to discover additional secrets, creates new access key on existing user to evade detection
March 24Commission's SOC first detects anomalous activity โ€” 14 days after initial intrusion
March 25Commission notifies CERT-EU
March 27Public disclosure by Commission
March 28ShinyHunters publishes 90GB stolen dataset on dark web leak site

Scale of Impact

This incident demonstrates the devastating chain reaction potential of supply-chain attacks on developer tools. A single compromised CI/CD component (Trivy GitHub Actions) led to API key theft, which led to cloud environment breach at the EU's highest executive body. Organizations should audit cloud credentials exposed through CI/CD pipelines and enforce short-lived, scoped API keys.


๐Ÿš Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux

๐ŸŸ  HIGH โ€” Stealthy Web Shell Technique Evades Traditional Detection

Threat actors are using HTTP cookies as a control channel for PHP web shells, making malicious traffic indistinguishable from normal web requests. Self-healing cron jobs ensure persistence even after removal.

The Microsoft Defender Security Research Team has published detailed analysis of a growing trend: PHP-based web shells on Linux servers that use HTTP cookies as their command-and-control channel rather than URL parameters or POST bodies.

Why Cookies?

Cookies blend seamlessly into normal web traffic โ€” they're present in every HTTP request, rarely inspected by WAFs looking for injection patterns, and available at runtime through PHP's $_COOKIE superglobal without additional parsing. This makes the shells essentially invisible during normal application execution, activating only when specific cookie values are present.

Three Implementation Variants Observed

  1. Multi-layer PHP loader โ€” uses multiple obfuscation layers and runtime checks before parsing structured cookie input to execute an encoded secondary payload
  2. Segmented cookie reconstruction โ€” splits operational components (file handling, decoding functions) across structured cookie data, conditionally writing secondary payloads to disk
  3. Single cookie trigger โ€” uses a single cookie value as a marker to activate threat actor-controlled actions including command execution and file upload

Self-Healing Architecture

The most concerning aspect: attackers establish cron jobs that periodically re-create the PHP loader even if it's been detected and removed. This creates a persistent remote code execution channel that survives incident response cleanup โ€” the cron job simply regenerates the web shell on the next scheduled run.

Defenders should audit cron jobs on web-facing Linux servers, inspect cookie-based traffic patterns in web application logs, and implement file integrity monitoring on webroot directories.


๐Ÿ“ฑ SparkCat Crypto Wallet Stealer Returns to iOS and Android App Stores

๐ŸŸ  HIGH โ€” Malware Found in Official Apple App Store and Google Play

An evolved SparkCat variant uses OCR to scan photo galleries for cryptocurrency wallet recovery phrases. Found in seemingly legitimate apps including enterprise messengers and food delivery services.

Kaspersky has discovered a new, more sophisticated version of SparkCat โ€” a trojan that hides inside benign-looking apps to scan users' photo galleries for cryptocurrency wallet seed phrase screenshots.

What's New

How It Works

When granted gallery access (a normal permission for many apps), SparkCat uses an optical character recognition (OCR) model to analyze text in stored images. If it identifies wallet recovery phrases or seed words, the image is silently exfiltrated to attacker-controlled servers. The malware remains inactive until photo access is triggered by specific app scenarios.

Kaspersky attributes the campaign to a Chinese-speaking operator and notes the malware is actively evolving. Users should never screenshot wallet recovery phrases โ€” store them offline on paper or metal. Review app permissions regularly and use mobile security solutions.


๐Ÿ›๏ธ Qilin Ransomware Claims Attack on German Political Party Die Linke

The Qilin ransomware group has claimed responsibility for a March 27 attack on Die Linke (The Left), a German political party represented in the Bundestag through 64 members with 123,000 registered members.

Key details:

This follows a pattern of Russia-linked threat actors targeting German political parties โ€” in 2024, Mandiant uncovered APT29 targeting CDU with the WineLoader backdoor. German political organizations should treat themselves as high-value targets and implement robust backup and incident response capabilities.


๐Ÿ” LinkedIn "BrowserGate" โ€” Secretly Scanning 6,000+ Chrome Extensions

A report dubbed "BrowserGate" by Fairlinked e.V. reveals that Microsoft's LinkedIn is using hidden JavaScript to scan visitors' browsers for 6,236 installed Chrome extensions and collect extensive device fingerprinting data.

What LinkedIn Collects

BleepingComputer independently confirmed the JavaScript file with randomized filenames being loaded by LinkedIn's website. LinkedIn does not deny extension detection, claiming it's used to "protect the privacy of members" and detect scraping-related extensions. The report alleges LinkedIn uses this data to map which companies use which competitor products โ€” essentially building competitor customer lists from browser data.

This raises serious GDPR and ePrivacy questions in the EU. Users concerned about browser fingerprinting should consider browser profiles, extension compartmentalization, or Brave/Firefox with enhanced tracking protection.


๐Ÿ“‹ Quick Hits


๐Ÿ›ก๏ธ Recommended Actions

  1. European Government Orgs: Hunt for TA416/PlugX indicators of compromise. Restrict OAuth redirect flows and monitor for Cloudflare Turnstile abuse in phishing chains. Brief diplomatic staff on web bug and spearphishing techniques.
  2. Cloud Security: Audit all AWS API keys โ€” especially those exposed through CI/CD pipelines and developer tools. Implement short-lived credentials, enforce MFA on cloud management accounts, and monitor for TruffleHog and similar credential-scanning tools.
  3. Linux Server Admins: Audit cron jobs on all web-facing servers for suspicious PHP loader invocations. Implement file integrity monitoring on webroots. Inspect HTTP cookie patterns in web server logs for anomalous structured data.
  4. Cryptocurrency Users: Never screenshot wallet recovery phrases โ€” use offline storage only. Review app permissions on iOS and Android. Remove unfamiliar apps that request gallery access. Use mobile security solutions.
  5. German Organizations: Political parties and government entities should treat themselves as high-priority ransomware targets. Ensure offline backups, incident response plans, and employee security awareness training are current.
  6. Privacy-Conscious Users: Use separate browser profiles for LinkedIn. Consider extension compartmentalization or browsers with enhanced tracking protection to mitigate fingerprinting.

Stay Ahead of the Threat Curve

Get daily security intelligence delivered with zero noise.

Explore KENSAI โ†’

KENSAI Security Briefing โ€” April 4, 2026
Compiled from Proofpoint, CERT-EU, Microsoft Defender Research, Kaspersky, BleepingComputer, The Hacker News, and Fairlinked e.V. intelligence feeds.