TA416 ligado à China implanta PlugX contra alvos diplomáticos da UE & OTAN, violação da Comissão Europeia expõe 30 entidades, Microsoft revela Web Shells PHP controlados por cookies no Linux, SparkCat retorna
🕵️ TA416 Renews PlugX Espionage Campaign Against EU & NATO Diplomatic Targets
⚠️ HIGH — Active Chinese State-Sponsored Espionage Campaign Targeting European Governments
TA416 (also tracked as RedDelta, DarkPeony, Vertigo Panda) is running multi-wave campaigns against EU and NATO diplomatic missions using evolving PlugX infection chains with OAuth redirect abuse and Cloudflare Turnstile exploitation.
Proofpoint researchers have published a comprehensive report on TA416, a China-aligned threat actor that has resumed active targeting of European government and diplomatic organizations after a two-year lull in the region.
The campaign overlaps with clusters tracked as DarkPeony, RedDelta, Red Lich, SmugX, UNC6384, and Vertigo Panda — all associated with Chinese state-sponsored intelligence collection.
Infection Chain Evolution
TA416 has been continuously rotating its techniques to evade detection:
- Web bugs (tracking pixels) — embedded in emails to confirm targets opened messages before delivering payloads
- Cloudflare Turnstile challenge pages — abused to gate malware delivery behind human verification
- Microsoft OAuth redirect exploitation — using legitimate Microsoft Entra ID authorization endpoints to redirect victims to attacker-controlled domains
- C# project files — weaponized as novel delivery vectors
- Azure Blob Storage, Google Drive, and compromised SharePoint instances — for hosting malicious archives
Target Profile
Targets include diplomatic missions to the EU and NATO across multiple European countries, as well as government and diplomatic entities in the Middle East following the U.S.-Israel-Iran conflict in late February 2026. The group uses freemail sender accounts for both reconnaissance and payload delivery.
The campaign deploys bespoke PlugX variants via DLL side-loading — the group's signature technique — with payloads frequently updated to evade detection. Organizations in European government and diplomatic sectors should review email security controls, implement OAuth redirect restrictions, and hunt for PlugX indicators of compromise.
🇪🇺 CERT-EU: European Commission Cloud Hack Exposes Data from 30 Union Entities
⚠️ CRITICAL — 90GB of EU Commission Data Leaked on Dark Web
TeamPCP exploited a stolen AWS API key from the Trivy supply-chain attack to breach the European Commission's cloud environment. ShinyHunters leaked 90GB (340GB uncompressed) of documents containing names, email addresses, and email content from 30+ EU entities.
CERT-EU has formally attributed the European Commission cloud breach to the TeamPCP threat group, revealing the incident is far more damaging than initially disclosed.
Attack Chain
| Date | Action |
|---|---|
| March 10 | TeamPCP uses stolen AWS API key (from Trivy supply-chain attack) to access Commission cloud accounts |
| March 10–24 | Attacker deploys TruffleHog to discover additional secrets, creates new access key on existing user to evade detection |
| March 24 | Commission's SOC first detects anomalous activity — 14 days after initial intrusion |
| March 25 | Commission notifies CERT-EU |
| March 27 | Public disclosure by Commission |
| March 28 | ShinyHunters publishes 90GB stolen dataset on dark web leak site |
Scale of Impact
- 42 internal Commission clients and 29+ other Union entities using europa.eu hosting affected
- Tens of thousands of files stolen containing personal information, usernames, email addresses, and email content
- The breach originated from secrets stolen in the Trivy vulnerability scanner supply-chain attack — a cascading impact from developer tooling compromise
This incident demonstrates the devastating chain reaction potential of supply-chain attacks on developer tools. A single compromised CI/CD component (Trivy GitHub Actions) led to API key theft, which led to cloud environment breach at the EU's highest executive body. Organizations should audit cloud credentials exposed through CI/CD pipelines and enforce short-lived, scoped API keys.
🐚 Microsoft Details Cookie-Controlled PHP Web Shells Persisting via Cron on Linux
🟠 HIGH — Stealthy Web Shell Technique Evades Traditional Detection
Threat actors are using HTTP cookies as a control channel for PHP web shells, making malicious traffic indistinguishable from normal web requests. Self-healing cron jobs ensure persistence even after removal.
The Microsoft Defender Security Research Team has published detailed analysis of a growing trend: PHP-based web shells on Linux servers that use HTTP cookies as their command-and-control channel rather than URL parameters or POST bodies.
Why Cookies?
Cookies blend seamlessly into normal web traffic — they're present in every HTTP request, rarely inspected by WAFs looking for injection patterns, and available at runtime through PHP's $_COOKIE superglobal without additional parsing. This makes the shells essentially invisible during normal application execution, activating only when specific cookie values are present.
Three Implementation Variants Observed
- Multi-layer PHP loader — uses multiple obfuscation layers and runtime checks before parsing structured cookie input to execute an encoded secondary payload
- Segmented cookie reconstruction — splits operational components (file handling, decoding functions) across structured cookie data, conditionally writing secondary payloads to disk
- Single cookie trigger — uses a single cookie value as a marker to activate threat actor-controlled actions including command execution and file upload
Self-Healing Architecture
The most concerning aspect: attackers establish cron jobs that periodically re-create the PHP loader even if it's been detected and removed. This creates a persistent remote code execution channel that survives incident response cleanup — the cron job simply regenerates the web shell on the next scheduled run.
Defenders should audit cron jobs on web-facing Linux servers, inspect cookie-based traffic patterns in web application logs, and implement file integrity monitoring on webroot directories.
📱 SparkCat Crypto Wallet Stealer Returns to iOS and Android App Stores
🟠 HIGH — Malware Found in Official Apple App Store and Google Play
An evolved SparkCat variant uses OCR to scan photo galleries for cryptocurrency wallet recovery phrases. Found in seemingly legitimate apps including enterprise messengers and food delivery services.
Kaspersky has discovered a new, more sophisticated version of SparkCat — a trojan that hides inside benign-looking apps to scan users' photo galleries for cryptocurrency wallet seed phrase screenshots.
What's New
- Enhanced Android obfuscation — code virtualization and cross-platform programming languages to resist analysis
- Expanded keyword scanning — now targets Japanese, Korean, and Chinese keywords in addition to English
- iOS variant broader in scope — scans specifically for English mnemonic phrases, making it region-agnostic
- Two infected apps found on App Store, one on Google Play — primarily targeting cryptocurrency users in Asia
How It Works
When granted gallery access (a normal permission for many apps), SparkCat uses an optical character recognition (OCR) model to analyze text in stored images. If it identifies wallet recovery phrases or seed words, the image is silently exfiltrated to attacker-controlled servers. The malware remains inactive until photo access is triggered by specific app scenarios.
Kaspersky attributes the campaign to a Chinese-speaking operator and notes the malware is actively evolving. Users should never screenshot wallet recovery phrases — store them offline on paper or metal. Review app permissions regularly and use mobile security solutions.
🏛️ Qilin Ransomware Claims Attack on German Political Party Die Linke
The Qilin ransomware group has claimed responsibility for a March 27 attack on Die Linke (The Left), a German political party represented in the Bundestag through 64 members with 123,000 registered members.
Key details:
- Attackers are threatening to publish sensitive internal party data and personal employee information
- The party's membership database was not compromised — attackers failed to obtain member data
- Die Linke describes Qilin as "Russian-speaking cybercriminals" with both financial and political motivation
- The party stated the attack "does not appear to be coincidental", framing it as part of hybrid warfare
- On April 1, Qilin publicly listed Die Linke on their dark web leak site without publishing data samples
This follows a pattern of Russia-linked threat actors targeting German political parties — in 2024, Mandiant uncovered APT29 targeting CDU with the WineLoader backdoor. German political organizations should treat themselves as high-value targets and implement robust backup and incident response capabilities.
🔍 LinkedIn "BrowserGate" — Secretly Scanning 6,000+ Chrome Extensions
A report dubbed "BrowserGate" by Fairlinked e.V. reveals that Microsoft's LinkedIn is using hidden JavaScript to scan visitors' browsers for 6,236 installed Chrome extensions and collect extensive device fingerprinting data.
What LinkedIn Collects
- Extension detection — checks for 6,236 extensions by probing for extension-specific file resources (up from 2,000 in 2025)
- Device fingerprinting — CPU core count, available memory, screen resolution, timezone, language, battery status, audio information, storage features
- Competitive intelligence — over 200 scanned extensions directly compete with LinkedIn's sales tools (Apollo, Lusha, ZoomInfo)
BleepingComputer independently confirmed the JavaScript file with randomized filenames being loaded by LinkedIn's website. LinkedIn does not deny extension detection, claiming it's used to "protect the privacy of members" and detect scraping-related extensions. The report alleges LinkedIn uses this data to map which companies use which competitor products — essentially building competitor customer lists from browser data.
This raises serious GDPR and ePrivacy questions in the EU. Users concerned about browser fingerprinting should consider browser profiles, extension compartmentalization, or Brave/Firefox with enhanced tracking protection.
📋 Quick Hits
- Hims & Hers Data Breach: Telehealth giant warns of a data breach after ShinyHunters compromised Okta SSO accounts to access their Zendesk instance and steal millions of support tickets. Names, contact info, and support request details exposed.
- Insider Threat — Windows Device Lockout: A former core infrastructure engineer pleaded guilty to locking Windows admins out of 254 servers in a failed extortion plot against his employer in New Jersey.
- Microsoft Exchange Online Issues: Ongoing mailbox access problems continue affecting Outlook mobile and macOS users for weeks, with Microsoft still working on a resolution.
- Claude Code Malware Campaign: Fake GitHub repositories claiming to contain leaked Claude Code source are distributing Vidar infostealer malware — ranking highly in Google Search results to trap developers.
- Windows 11 25H2 Force Upgrade: Microsoft has begun force-upgrading unmanaged Windows 11 24H2 Home and Pro devices to 25H2 — IT teams should ensure Group Policy or Intune controls are in place.
🛡️ Recommended Actions
- European Government Orgs: Hunt for TA416/PlugX indicators of compromise. Restrict OAuth redirect flows and monitor for Cloudflare Turnstile abuse in phishing chains. Brief diplomatic staff on web bug and spearphishing techniques.
- Cloud Security: Audit all AWS API keys — especially those exposed through CI/CD pipelines and developer tools. Implement short-lived credentials, enforce MFA on cloud management accounts, and monitor for TruffleHog and similar credential-scanning tools.
- Linux Server Admins: Audit cron jobs on all web-facing servers for suspicious PHP loader invocations. Implement file integrity monitoring on webroots. Inspect HTTP cookie patterns in web server logs for anomalous structured data.
- Cryptocurrency Users: Never screenshot wallet recovery phrases — use offline storage only. Review app permissions on iOS and Android. Remove unfamiliar apps that request gallery access. Use mobile security solutions.
- German Organizations: Political parties and government entities should treat themselves as high-priority ransomware targets. Ensure offline backups, incident response plans, and employee security awareness training are current.
- Privacy-Conscious Users: Use separate browser profiles for LinkedIn. Consider extension compartmentalization or browsers with enhanced tracking protection to mitigate fingerprinting.
KENSAI Briefing de Segurança — 4 de abril de 2026
Compiled from Proofpoint, CERT-EU, Microsoft Defender Research, Kaspersky, BleepingComputer, The Hacker News, Fairlinked e.V.