{
	"id": "840c5500-1bb4-4c33-a7b2-368c14576bd4",
	"created_at": "2026-04-06T00:14:17.533916Z",
	"updated_at": "2026-04-10T03:35:32.817657Z",
	"deleted_at": null,
	"sha1_hash": "4e85d4f9f237cd518220c7f797ad312513a1c9ad",
	"title": "TA416: Activity, Techniques, \u0026 Targeting Explained | Proofpoint US",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2121904,
	"plain_text": "TA416: Activity, Techniques, \u0026 Targeting Explained | Proofpoint US\r\nBy Michael Raggi and Myrtus, March 07, 2022\r\nPublished: 2022-03-07 · Archived: 2026-04-02 11:39:01 UTC\r\n8/24 Editor’s Note: Since the publication, SMTP2Go has updated its security measures.\r\nKey Takeaways\r\nProofpoint researchers have identified ongoing activity by the China-aligned APT actor TA416 in which the group is targeting European diplomatic entities, including an individual involved in refugee and migrant services.\r\nThis targeting is consistent with other activity reported by Proofpoint, showing an interest in refugee policies and logistics across the APT actor landscape which coincides with increased tensions and now armed conflict between Russia and Ukraine.\r\nThe campaigns utilize web bugs to profile the victims before sending a variety of PlugX malware payloads via malicious URLs.\r\nTA416 has recently updated its PlugX variant, changing its encoding method and expanding its configuration capabilities.\r\nOverview\r\nSince 2020, Proofpoint researchers have observed TA416, an actor assessed to be aligned with the Chinese state, utilizing web bugs to profile their targets. Commonly referred to as tracking pixels, web bugs embed a hyperlinked non-visible object within the body of an email that, when enabled, will attempt to retrieve a benign image file from an actor-controlled server. This provides a “sign of life” to threat actors and indicates that the targeted account is valid and that the user is inclined to open emails that utilize social engineering content. TA416 has been using web bugs to target victims prior to delivering malicious URLs that have installed a variety of PlugX malware payloads. The operational tempo of these campaigns, specifically those against European governments, has increased sharply since Russian troops began amassing on the border of Ukraine.\r\nThe use of the web bug reconnaissance technique suggests TA416 is being more discerning about which targets the group chooses to deliver malware payloads to. Historically, the group primarily delivered web bug URLs alongside malware URLs to confirm receipt. In 2022, the group started to first profile users and then deliver malware URLs. This may be an attempt by TA416 to avoid having their malicious tools discovered and publicly disclosed. By narrowing the lens of targeting from broad phishing campaigns to focus on targets that have proven to be active and willing to open emails, TA416 increases its chance of success when following up with malware payloads.\r\nWhat’s In a Web Bug – Delivery in 2020 and 2021\r\nStarting in early November 2021, Proofpoint researchers identified web bug reconnaissance campaigns targeting European diplomatic entities. Notably, this activity aligned with the escalation of tensions between Russia, Ukraine, and, by extension, NATO member states in Europe. The emails first originated from a spoofed sender that impersonated a Meetings Services Assistant at the United Nations General Assembly Secretariat. Proofpoint did not observe these campaigns targeting the United Nations (UN), but did observe the targeting of diplomatic entities in Europe under the pretense of communicating with the UN. The threat actor achieved this impersonation by utilizing the legitimate email marketing service SMTP2Go, which allows users to alter the envelope sender field while using a unique sender address generated by the service.\r\nTA416 has used SMTP2Go to impersonate various European diplomatic organizations since at least 2020. In an August 2020 campaign, the threat actor impersonated the same Meetings Services Assistant at the UN General Assembly and again targeted governmental entities in Europe. In this historical campaign, TA416 delivered a DropBox URL that delivered a PlugX variant aligning with Recorded Future’s analysis of \"Red Delta\" PlugX malware. Proofpoint assesses that there is sizeable overlap between the entities TA416 and the publicly disclosed group “Red Delta.” Both campaigns from August 2020 and November 2021 targeted European diplomatic entities and utilized SMTP2Go to impersonate an external diplomatic organization that may communicate with the end targets. Included below is a publicly available malicious Zip file hash from August 2020 delivered via a DropBox URL which is attributable to TA416/Red Delta.\r\nAdvance version of the 2020 Report of the Secretary-General on Peacebuilding and Sustaining Peace .zip | 0e3e47697539f1773fb53114ab53229c0304d86ed35aec05e5f5bfdf3bd35f9a\r\nhttps://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european\r\nPage 1 of 14\r\nFigure 1. TA416 August 2020 “Advance version of the 2020 Report of the Secretary-General on Peacebuilding and Sustaining Peace” PDF decoy 54b491541376bda85ffb02b9bb40b9b5adba644f08b630fc1b47392625e1e60a.\r\nFrom Web Bugs to PlugX\r\nProofpoint researchers continued to identify web reconnaissance campaigns in November and December 2021 that utilized a rudimentary style of encoding and resource names. Fundamentally, a web bug URL includes infrastructure that hosts a benign image file, several designations about the email campaign, which can include date and campaign name, and a unique designation for each individual user targeted in the email campaign. This allows a threat actor to validate which recipients received and opened the phishing email. TA416 web bugs appear rudimentary while demonstrating slight evolution over time. The web bug URL structure began with an actor-controlled IP which retrieved jpg resources named after the email aliases of the targeted victims from the actor-controlled servers. Proofpoint researchers next observed base64 encoded values of the entire email address.\r\nExample:\r\nhxxp://45.154.14[.]235/jdoe.jpg\r\nhxxp://45.154.14[.]235/amRvZUBwcm9vZnBvaW50LmNvbQ==/328.jpg\r\nResearchers identified the same method of base64 encoded target emails, including in the web bug URL, consistently from August to November 2020 in TA416 campaigns that preceded the delivery of PlugX malware. On more than one occasion in 2020, this web bug technique appeared in an email alongside a Dropbox URL that ultimately delivered the Trident Loader variant of PlugX malware. Proofpoint, Avira, and Recorded Future have publicly attributed this installation technique to TA416/Red Delta. In the above referenced campaign from August 2020 in which TA416 impersonated UN personnel, the threat actor utilized base64 encoded web bug resources representing targeted emails alongside the cloud hosted URLs that delivered PlugX malware. Actor-controlled IPs observed during web bug reconnaissance campaigns during the November to December 2021 period included the IP 45.154.14[.]235.\r\nBeginning on January 17, 2022, Proofpoint researchers observed TA416 threat actors utilizing the IP address 45.154.14[.]235 in phishing emails attempting to deliver a malicious Zip file to European diplomatic entities. These entities had previously received web bug URLs in phishing emails during the prior months. Rather than the emails delivering further reconnaissance URLs, this IP now attempted to deliver malicious Zip files. The phishing email also included a Dropbox URL attempting to deliver the same malicious archive file. Like historical TA416 campaigns, the Zip file had a geopolitically themed title, which was shared with a PDF decoy that would be later downloaded as part of the infection chain. For example, the campaign on January 17, 2022 included the following Zip and PDF file titles:\r\nState_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.zip\r\nState_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.pdf\r\nFigure 2. TA416 January 2021 PDF decoy - EU adopts conclusions on EU priorities in UN human rights fora in 2022.zip.\r\nWhile historically TA416 has delivered Zip files from cloud hosting providers containing a decoy file, a legitimate PE file, a DLL loader, and a PlugX malware configuration DAT file, recent campaigns used a different tactic. Proofpoint researchers noted that the malicious Zip files delivered from DropBox now contain a rudimentary executable which is a dropper malware. This malware establishes persistence for a legitimate executable file used in DLL search order hijacking, and initiates the download of four components. These components are included below and resemble the components used in the past to install PlugX malware. Public research has previously documented TA416’s propensity for including PlugX Trident Loader components and a decoy in the initially delivered Zip file. Actors in recent months use a more convoluted delivery chain, in which a PE dropper is used to retrieve the Trident Loader components from an actor-controlled resource. The method of installing PlugX via DLL search order hijacking that displays a PDF decoy remains constant.\r\nRequests Resulting from the Execution of Malware Dropper Executable\r\nPDF Decoy File\r\nhxxps://45.154.14[.]235/State_aid__Commission_approves_2022-2027_regional_aid_map_for_Greece.pdf\r\nLegitimate PotPlayer PE file used in DLL Search Order Hijacking\r\nhxxps://45.154.14[.]235/PotPlayer.exe\r\nMalicious PlugX Malware Loader\r\nhxxps://45.154.14[.]235/PotPlayer.dll\r\nPlugX Malware Configuration Executed by DLL Search Order Hijacking\r\nhxxps://45.154.14[.]235/PotPlayerDB.dat\r\nMost recently, on February 28, 2022, TA416 began using a compromised email address of a diplomat from a European NATO country to target a different country’s diplomatic offices. The targeted individual worked in refugee and migrant services. The below URL was sent in a phishing email and delivered a compressed archive containing a PE dropper. This dropper similarly called out to an actor-controlled URL to deliver a decoy document and the components of an updated Trident Loader PlugX malware payload.\r\nhxxp://www.zyber-i[.]com/europa/2022.zip\r\nSituation at the EU borders with Ukraine.zip | 8a7fbafe9f3395272548e5aadeb1af07baeb65d7859e7a1560f580455d7b1fac\r\nSituation at the EU borders with Ukraine.exe | effd63168fc7957baf609f7492cd82579459963f80fc6fc4d261fbc68877f5a1 (Stage 1 Dropper)\r\nhxxp://103.107.104[.]19/2022/eu.docx (Decoy Document)\r\nhxxp://103.107.104[.]19/FontEDL.exe (PE Legit)\r\nhxxp://103.107.104[.]19/DocConvDll.dll (DLL Loader)\r\nhxxp://103.107.104[.]19/FontLog.dat (PlugX Encrypted Payload)\r\nCommunicates with C2\r\nhxxps://92.118.188[.]78/\r\nFigure 3. TA416 February 28, 2022 Word document decoy – eu.docx.\r\nA More Discerning Breed of TA416 PlugX Malware\r\nClose analysis of the delivered payloads and legitimate resources retrieved from URLs by the first stage malware dropper reveals that TA416 is once again using an updated version of PlugX malware to target their victims. Historically, the group has relied on a variety of legitimate antivirus files, including the Avast file resource wsc_proxy.exe, to begin the process of DLL search order hijacking that results in PlugX malware installation. In the January 2022 campaigns, TA416 used the PE file potplayermini.exe to initiate DLL search order hijacking. This is a legitimate executable file that is part of the publicly available media player Daum PotPlayer 1.5.29825, which Mandiant has previously documented as being susceptible to search order hijacking since at least 2016. Numerous Chinese APT groups, which are not directly correlated to TA416, have utilized it since that time. This campaign leveraged the vulnerability of potplayermini.exe to load the file PotPlayer.dll, which contains an obfuscated launcher that in turn executes the file PotPlayerDB.dat. The file DocConvDll.dll has also intermittently been used as a loader of the PlugX DAT configuration files. For those that are familiar with TA416’s historic tactics, techniques, and procedures (TTPs), this is highly similar to the Trident Loader method which the group used to install PlugX in previous campaigns.\r\nWhile PotPlayerDB.dat is a variant of PlugX malware, TA416 has updated the payload by changing its encoding method and expanding the payload’s configuration capabilities. Historically, TA416 relied on the DLL launcher to decode the PlugX payload utilizing an XOR key included at offset 0 within the PlugX DAT configuration file. In this case, TA416 has abandoned that approach in favor of something with fewer dependencies that is more convoluted. The latest version contains obfuscation to thwart analysis. One of the main ways it does this is by resolving API functions at runtime. Generally, malware loads a DLL, iterates over the set of exports of the DLL and hashes each export name, looking for a matching hash. This iteration of PlugX does standard API hashing, but only to resolve the addresses of the functions GetProcAddress and LoadLibrary. Once those functions are resolved, it loads the rest of the functions by their text name.\r\nFigure 4. PlugX malware API hashing method.\r\nIn addition to this obfuscation attempt, most of the functions that contain the \"business logic\" of the malware are obfuscated with a state machine. At a high level this obscures the order in which blocks are executed within a function. It does this by maintaining a state variable with many comparisons in the function. After each block, the state variable is modified to whatever the subsequent block should be, making analysis more difficult. This sample further implements anti-analysis techniques via the malware’s design. After every iteration of the state machine, the malware sample will modify the state with a XOR operation. This makes it difficult to analyze, as the states are not hardcoded but are computed. This control obfuscation is apparent below in the highly cyclical nature of the control flow graph.\r\nFigure 5. PlugX malware control flow graph.\r\nOnce researchers defeated the PlugX anti-analysis techniques, they were able to examine the malware’s configuration. Notably, the configuration contained three additional fields that were not present in the previous versions nor in standard PlugX malware. The new version included:\r\nTwo hardcoded dates for latest write time used to filter over files within a specified directory.\r\nA minimum and maximum file size to filter over files within a specified directory.\r\nA format string that defaults to “public/Publics” that modifies characteristics of the folder and hides it from the infected user.\r\nIn the past, when fields have been added to PlugX malware configurations they have persisted in future samples identified in subsequent campaigns. Recently, this has not always proven to be true. In recent campaigns, a consistent and clear configuration that is repeated has not been present. The expansion of the malware’s configuration fields demonstrates that this tool is undergoing additional development by TA416. Further, the type of added features that enable better filtering of victim files for exfiltration and better concealment from the infected user demonstrates that the actor is going beyond anti-analysis to create a more functional and precise tool to use during intrusions. It also indicates the varying versions of the PlugX payload that are being used in a short period of time.\r\nCommand and Control\r\nThe January 2022 version of PlugX malware utilizes RC4 encryption along with a hardcoded key that is built dynamically. For communications, the data is compressed then encrypted before sending to the command and control (C2) server, and the same process in reverse is implemented for data received from the C2 server. Below shows the RC4 key \"sV!e@T#L$PH%\" as it is being passed along with the encrypted data. The data is compressed and decompressed via LZNT1 and RtlDecompressBuffer. During the January 2022 campaigns, the delivered PlugX malware samples communicated with the C2 server 92.118.188[.]78 over port 187. In the February 2022 campaign, Proofpoint researchers observed a variation in which PlugX malware used an RC4 key that was sent to the bot in the first HTTP response, which was then used to encrypt data going to the C2 server.\r\nFigure 6. PlugX malware RC4 encryption key with encrypted data.\r\nA Rapid Pace of Malware Development\r\nIn response to historical disclosures detailing TA416 PlugX malware infection and encoding methods, the group appears to have adopted a rapid rate of development for their PlugX payloads. While the distinctly TA416 installation method of a PE dropper retrieving Trident loaded payload components, using a legitimate PE and a DLL loader file to load a PlugX payload, remains constant, the components in this infection chain are regularly changing. The group uses different legitimate PE files to initiate sideloading, as well as a variety of PlugX DLL loaders including the PotPlayer and DocConv versions noted in this publication. TA416 also uses different variants of the final PlugX payload in which the communication routines are observed to be different when closely analyzed. Additionally, the payload DAT file decryption method has evolved regularly since the beginning of 2022. Several observed decryption schemas and a sample configuration are included below with date ranges detailing the evolution of observed PlugX payloads.\r\nFigure 7. 2020 - 2022 PlugX DAT file decryption.\r\nFigure 8. January 2022 – February 2022 PlugX DAT file decryption.\r\nFigure 9. Mid-February 2022 PlugX DAT file decryption.\r\nFigure 10. PlugX malware configuration sample.\r\nAttribution\r\nProofpoint researchers assess with high confidence that the operator identified in recent campaigns delivering PlugX malware is the same as previously identified in 2020 as part of Recorded Future's Red Delta campaign. This assessment is based on the use of the same email marketing service to deliver emails, the consistent impersonation of European diplomatic entities, the repetition of web bug patterns in the 2020, 2021, and 2022 campaigns, the consistent victimology observed between the campaigns, a nearly identical file naming structure observed between Zip and PDF decoy files, and the highly similar Trident Loader TTPs used for the execution of PlugX malware.\r\nTactic (2020 TA416 Campaigns / 2021 – 2022 TA416 Campaigns):\r\nSpoofing via SMTP2Go\r\nImpersonation of UN Personnel\r\nRudimentary Base64 Web Bugs\r\nTrident Loaded PlugX\r\nPolitically Themed PDF Decoys\r\nShared Zip and PDF Decoy File Names\r\nTargeted European Diplomatic Entities\r\nFigure 11. Mapping TA416 TTPs over time.\r\nConclusion\r\nThe multiyear campaign against diplomatic entities in Europe suggests a consistent area of responsibility belonging to TA416. This mandate may have increased against entities in Europe during the current period of geopolitical conflict and economic upheaval in Europe. While historically the phishing tactics and tools of this group have not been so thoroughly explored, the consistent reliance on updating PlugX malware installation using the Trident Loader method belies a lack of innovation on the part of TA416 following several major publications surrounding this actor. TA416 has chosen to compensate for this lack of innovation with a greater tempo of variation. The group has proved to be pragmatic, making incremental and staggered changes to their PlugX toolkit, rapidly and regularly altering a toolset it has used for the past number of years. Despite these variations, the group’s persistent targeting of a habitual target set paired with ingrained phishing tactics often leads to periodic discovery by threat researchers. Once TA416 reads this latest publication regarding their tactics, researchers at Proofpoint fully anticipate they will remain the metaphorical “Tubthumping” of the APT landscape. Researchers can publish their tactics but will never keep them down.\r\nIndicators of Compromise (IOCs)\r\nEmerging Threats Signatures\r\n2851112 ETPRO TROJAN ta416 Related PlugX Activity (POST)\r\nSource: https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.proofpoint.com/us/blog/threat-insight/good-bad-and-web-bug-ta416-increases-operational-tempo-against-european"
	],
	"report_names": [
		"good-bad-and-web-bug-ta416-increases-operational-tempo-against-european"
	],
	"threat_actors": [
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b5449533-0ff1-4048-999d-7d4bfd8e6da6",
			"created_at": "2022-10-25T16:07:24.114365Z",
			"updated_at": "2026-04-10T02:00:04.869887Z",
			"deleted_at": null,
			"main_name": "RedDelta",
			"aliases": [
				"Operation Dianxun",
				"TA416"
			],
			"source_name": "ETDA:RedDelta",
			"tools": [
				"Agent.dhwf",
				"Agentemis",
				"Chymine",
				"Cobalt Strike",
				"CobaltStrike",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Gen:Trojan.Heur.PT",
				"Kaba",
				"Korplug",
				"PlugX",
				"Poison Ivy",
				"RedDelta",
				"SPIVY",
				"Sogu",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Xamtrav",
				"cobeacon",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434457,
	"ts_updated_at": 1775792132,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e85d4f9f237cd518220c7f797ad312513a1c9ad.pdf",
		"text": "https://archive.orkl.eu/4e85d4f9f237cd518220c7f797ad312513a1c9ad.txt",
		"img": "https://archive.orkl.eu/4e85d4f9f237cd518220c7f797ad312513a1c9ad.jpg"
	}
}