Proofpoint exposes TA416's renewed espionage campaign deploying custom PlugX variants via OAuth redirects and Cloudflare Turnstile abuse against European governments and NATO missions. CERT-EU attributes the European Commission cloud hack to TeamPCP, confirming data from 30 Union entities was stolen and leaked by ShinyHunters. Microsoft Defender research details a stealthy new class of cookie-controlled PHP web shells that persist via cron jobs on Linux servers. Kaspersky discovers an evolved SparkCat variant on iOS and Android app stores using OCR to steal cryptocurrency wallet recovery phrases. Qilin ransomware group claims attack on German political party Die Linke. LinkedIn caught scanning 6,000+ Chrome extensions in "BrowserGate" privacy controversy.
TA416 (also tracked as RedDelta, DarkPeony, Vertigo Panda) is running multi-wave campaigns against EU and NATO diplomatic missions using evolving PlugX infection chains with OAuth redirect abuse and Cloudflare Turnstile exploitation.
Proofpoint researchers have published a comprehensive report on TA416, a China-aligned threat actor that has resumed active targeting of European government and diplomatic organizations after a two-year lull in the region.
The campaign overlaps with clusters tracked as DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda โ all associated with Chinese state-sponsored intelligence collection.
TA416 has been continuously rotating its techniques to evade detection:
Targets include diplomatic missions to the EU and NATO across multiple European countries, as well as government and diplomatic entities in the Middle East following the U.S.-Israel-Iran conflict in late February 2026. The group uses freemail sender accounts for both reconnaissance and payload delivery.
The campaign deploys bespoke PlugX variants via DLL side-loading โ the group's signature technique โ with payloads frequently updated to evade detection. Organizations in European government and diplomatic sectors should review email security controls, implement OAuth redirect restrictions, and hunt for PlugX indicators of compromise.
TeamPCP exploited a stolen AWS API key from the Trivy supply-chain attack to breach the European Commission's cloud environment. ShinyHunters leaked 90GB (340GB uncompressed) of documents containing names, email addresses, and email content from 30+ EU entities.
CERT-EU has formally attributed the European Commission cloud breach to the TeamPCP threat group, revealing the incident is far more damaging than initially disclosed.
| Date | Action |
|---|---|
| March 10 | TeamPCP uses stolen AWS API key (from Trivy supply-chain attack) to access Commission cloud accounts |
| March 10โ24 | Attacker deploys TruffleHog to discover additional secrets, creates new access key on existing user to evade detection |
| March 24 | Commission's SOC first detects anomalous activity โ 14 days after initial intrusion |
| March 25 | Commission notifies CERT-EU |
| March 27 | Public disclosure by Commission |
| March 28 | ShinyHunters publishes 90GB stolen dataset on dark web leak site |
This incident demonstrates the devastating chain reaction potential of supply-chain attacks on developer tools. A single compromised CI/CD component (Trivy GitHub Actions) led to API key theft, which led to cloud environment breach at the EU's highest executive body. Organizations should audit cloud credentials exposed through CI/CD pipelines and enforce short-lived, scoped API keys.
Threat actors are using HTTP cookies as a control channel for PHP web shells, making malicious traffic indistinguishable from normal web requests. Self-healing cron jobs ensure persistence even after removal.
The Microsoft Defender Security Research Team has published detailed analysis of a growing trend: PHP-based web shells on Linux servers that use HTTP cookies as their command-and-control channel rather than URL parameters or POST bodies.
Cookies blend seamlessly into normal web traffic โ they're present in every HTTP request, rarely inspected by WAFs looking for injection patterns, and available at runtime through PHP's $_COOKIE superglobal without additional parsing. This makes the shells essentially invisible during normal application execution, activating only when specific cookie values are present.
The most concerning aspect: attackers establish cron jobs that periodically re-create the PHP loader even if it's been detected and removed. This creates a persistent remote code execution channel that survives incident response cleanup โ the cron job simply regenerates the web shell on the next scheduled run.
Defenders should audit cron jobs on web-facing Linux servers, inspect cookie-based traffic patterns in web application logs, and implement file integrity monitoring on webroot directories.
An evolved SparkCat variant uses OCR to scan photo galleries for cryptocurrency wallet recovery phrases. Found in seemingly legitimate apps including enterprise messengers and food delivery services.
Kaspersky has discovered a new, more sophisticated version of SparkCat โ a trojan that hides inside benign-looking apps to scan users' photo galleries for cryptocurrency wallet seed phrase screenshots.
When granted gallery access (a normal permission for many apps), SparkCat uses an optical character recognition (OCR) model to analyze text in stored images. If it identifies wallet recovery phrases or seed words, the image is silently exfiltrated to attacker-controlled servers. The malware remains inactive until photo access is triggered by specific app scenarios.
Kaspersky attributes the campaign to a Chinese-speaking operator and notes the malware is actively evolving. Users should never screenshot wallet recovery phrases โ store them offline on paper or metal. Review app permissions regularly and use mobile security solutions.
The Qilin ransomware group has claimed responsibility for a March 27 attack on Die Linke (The Left), a German political party represented in the Bundestag through 64 members with 123,000 registered members.
Key details:
This follows a pattern of Russia-linked threat actors targeting German political parties โ in 2024, Mandiant uncovered APT29 targeting CDU with the WineLoader backdoor. German political organizations should treat themselves as high-value targets and implement robust backup and incident response capabilities.
A report dubbed "BrowserGate" by Fairlinked e.V. reveals that Microsoft's LinkedIn is using hidden JavaScript to scan visitors' browsers for 6,236 installed Chrome extensions and collect extensive device fingerprinting data.
BleepingComputer independently confirmed the JavaScript file with randomized filenames being loaded by LinkedIn's website. LinkedIn does not deny extension detection, claiming it's used to "protect the privacy of members" and detect scraping-related extensions. The report alleges LinkedIn uses this data to map which companies use which competitor products โ essentially building competitor customer lists from browser data.
This raises serious GDPR and ePrivacy questions in the EU. Users concerned about browser fingerprinting should consider browser profiles, extension compartmentalization, or Brave/Firefox with enhanced tracking protection.
Get daily security intelligence delivered with zero noise.
Explore KENSAI โKENSAI Security Briefing โ April 4, 2026
Compiled from Proofpoint, CERT-EU, Microsoft Defender Research, Kaspersky, BleepingComputer, The Hacker News, and Fairlinked e.V. intelligence feeds.