🛡️ InfoSec Blue Team Briefing

📰 Articles Covered

• I’d come running back to EU again: TA416 resumes European government espionage campaigns - The content posted on the URL is controlled by **Proofpoint**. The authors of the blog post are **Mark Kelly**, **Georgi Mladenov**, and the **Proofpoint Threat Research Team**. 🔍 Show Kagi Synopsis
  The cybersecurity article details the resurgence of **TA416**, a China-aligned threat actor, in conducting **espionage campaigns targeting European government and diplomatic entities** 【1】.
  
  **What Happened:**
  TA416 resumed its operations in mid-2025, launching multiple waves of attacks against EU and NATO diplomatic missions. These campaigns evolved significantly, employing sophisticated techniques such as fake Cloudflare Turnstile pages, Microsoft Entra ID OAuth redirects, and MSBuild/CSPROJ-based delivery mechanisms. The ultimate goal was to deploy a customized **PlugX backdoor** through DLL sideloading. By March 2026, the group expanded its targeting to include Middle Eastern diplomatic and government entities following the outbreak of the Iran war 【1】.
  
  **Who is Affected:**
  The primary targets have been **European government ministries and diplomatic missions** to the EU and NATO, including personnel within EU-NATO delegations. The scope later broadened to include **Middle Eastern diplomatic and government entities**. Victims are individuals associated with diplomatic missions, defense ministries, and foreign affairs departments. The attackers have utilized compromised accounts from various regions and free email services to distribute their phishing content 【1】.
  
  **Security Implications:**
  TA416's renewed activity highlights its **persistent and adaptable nature**, demonstrating the ability to resume focused operations on European diplomacy after periods of reduced activity. This indicates a continued effort to gather intelligence on European diplomatic activities. The group's use of diverse delivery methods and continuously updated command and control (C2) communication protocols showcases their advanced capabilities in evading detection and maintaining resilience. Furthermore, the observed overlaps with other threat actors like Vertigo Panda, RedDelta, and Red Lich suggest a broader ecosystem of shared tools and tactics 【1】.
  
  **Technical Details:**
  - **Delivery Vectors:** The campaigns utilized web bug tactics with fake Cloudflare Turnstile pages and malware delivery through compromised mailboxes and external accounts, leading to archives hosted on cloud storage services.
  - **Initial Access:** Techniques evolved from fake Cloudflare pages and LNK files to Microsoft Entra ID OAuth redirects for silent downloads and MSBuild/CSPROJ files for downloading payloads.
  - **PlugX Payload:** A customized loader was used to load PlugX into memory via DLL sideloading, with persistence achieved through registry run keys.
  - **C2 Communications:** Initially using RC4-encrypted payloads and SYSINFO beacons, the C2 protocol evolved to include rolling XOR obfuscation for fields, updated headers, and paths to evade detection.
  - **Infrastructure:** The group heavily relied on re-registered legitimate domains, Cloudflare CDN, and VPS providers like Evoxt, XNNET, and Kaopu 【1】.
  
  **What Defenders Should Know:**
  Defenders should anticipate **continued targeting of European diplomatic entities**, with a potential expansion to the Middle East. While the infection chains may evolve, the core objective remains the deployment of the PlugX backdoor. Key indicators of compromise include specific domains, email addresses, observed file names, and artifacts related to DLL sideloading. Relevant MITRE ATT&CK techniques include Phishing (T1566), Drive-by/URL-based delivery (T1185), DLL sideloading (T1574.001), and MSBuild/CSPROJ-based loading. Network indicators involve RC4-based C2 communications and the use of Cloudflare CDN. Defenders are advised to block the attack chain early by filtering OAuth redirect flows, detecting ZIP-smuggling patterns, monitoring for LNK-in-archive activity, and blocking TA416's infrastructure domains. Monitoring for PowerShell-based payloads and DLL sideloading indicators is also crucial 【1】.
• UAT-10608: Inside a large-scale automated credential harvesting operation targeting web applications - Cisco Talos 🔍 Show Kagi Synopsis
  A large-scale automated credential harvesting campaign, identified as **UAT-10608**, has been targeting public-facing web applications, particularly those built with **Next.js** and vulnerable to **CVE-2025-55182 (React2Shell)** 【1】. This campaign exploits a pre-authentication remote code execution vulnerability to compromise hosts 【1】.
  
  **What Happened:**
  The attackers are exploiting a vulnerability in Next.js applications to gain initial access. Once a host is compromised, a multi-phase automated script is deployed to harvest various sensitive credentials. These include SSH keys, cloud tokens, and environment secrets 【1】. The stolen data is then exfiltrated to a command and control (C2) infrastructure that utilizes a web-based GUI named "NEXUS Listener" for operators to view statistics and access the harvested information 【1】.
  
  **Who is Affected:**
  As of the report, **766 hosts** across multiple geographic regions and cloud providers have been compromised 【1】. The affected systems are primarily public-facing web applications, with a specific focus on those using Next.js and susceptible to the mentioned vulnerability 【1】.
  
  **Security Implications:**
  The security implications of this campaign are severe and multifaceted:
  - **Account Takeover:** Stolen credentials can lead to unauthorized access to various accounts and services 【1】.
  - **Lateral Movement:** Compromised SSH keys can facilitate extensive movement within compromised networks 【1】.
  - **Supply Chain Risks:** Tokens for package registries, if compromised, can introduce risks into the software supply chain 【1】.
  - **Data Breaches:** The harvesting of API keys (e.g., OpenAI, Stripe, SendGrid), cloud credentials (AWS/Azure), database connection strings, and Kubernetes service account tokens can result in significant data breaches, leading to reputational damage and regulatory penalties 【1】.
  
  **Technical Details:**
  The campaign leverages **CVE-2025-55182 (React2Shell)**, a pre-authentication remote code execution vulnerability, to compromise hosts 【1】. After gaining access, a multi-phase automated script is executed to collect:
  - Credentials
  - SSH keys
  - Cloud tokens
  - Environment secrets 【1】.
  The harvested data includes sensitive information such as API keys, AWS/Azure credentials, database connection strings with cleartext passwords, SSH private keys, and Kubernetes service account tokens 【1】. The C2 infrastructure uses a GUI called "NEXUS Listener" 【1】.
  
  **What Defenders Should Know:**
  Defenders are advised to take the following actions:
  - **Audit Code:** Audit `getServerSideProps` and `getStaticProps` functions for potential vulnerabilities 【1】.
  - **Enforce Prefixes:** Implement strict discipline regarding the `NEXT_PUBLIC_` prefix for environment variables 【1】.
  - **Rotate Credentials:** Immediately rotate credentials if any overlap with potentially compromised systems is suspected 【1】.
  - **Secure Cloud Environments:** Enforce **IMDSv2** on AWS and enable cloud provider secret scanning 【1】.
  - **Manage SSH Keys:** Segment SSH keys and ensure their security 【1】.
  - **Deploy Security Tools:** Implement Runtime Application Self-Protection (RASP) or Web Application Firewalls (WAF) 【1】.
  - **Audit Container Environments:** Audit container environments to ensure the principle of least privilege is enforced 【1】.
  - **Monitor for IOCs:** Be vigilant for indicators of compromise such as unexpected processes spawned from `/tmp/` with randomized names, `nohup` invocations not tied to known workflows, unusual outbound HTTP/S connections, and server-side secrets appearing in rendered HTML 【1】.
• European Commission cloud breach: a supply-chain compromise - The European Commission controls the content posted on the "europa.eu" website. 🔍 Show Kagi Synopsis
  On March 24, 2026, the European Commission's Cybersecurity Operations Centre detected alerts regarding potential misuse of Amazon APIs, account compromise, and an abnormal increase in network traffic. CERT-EU was notified on March 25, 2026. The incident is believed to have originated from a **Trivy supply-chain compromise**, attributed to a threat actor known as **TeamPCP** 【1】. This compromise allowed the threat actor to obtain an AWS secret (API key) on March 19, 2026, which granted them control over affiliated AWS accounts 【1】.
  
  **Who is affected:**
  The compromised AWS account is part of the technical infrastructure for the European Commission's public website platform, "europa.eu." The exfiltrated data pertains to websites hosted for up to **71 clients** of the Europa web hosting service, including **42 internal clients of the European Commission** and **at least 29 other Union entities** 【1】. The data extortion group **ShinyHunters** later published the stolen data on their dark web leak site 【1】.
  
  **Security Implications:**
  A significant volume of data, approximately **91.7 GB compressed**, was exfiltrated. This data includes **personal information** such as names, email addresses, and potentially the content of emails 【1】. The exposure of this data poses a risk of identity theft, phishing attacks, and social engineering attempts against individuals whose information was compromised 【1】. The incident highlights the significant threat posed by the rise in supply-chain compromises 【1】.
  
  **Technical Details:**
  The initial access was gained through a compromised version of Trivy, a software tool, which the European Commission unknowingly used through normal update channels 【1】. The threat actor used the stolen AWS secret to create a new access key, evade detection, and conduct reconnaissance. They also used a tool called TruffleHog to scan for secrets and validate AWS credentials 【1】. TeamPCP's tooling is designed to operate within CI/CD pipelines and exfiltrate secrets through various channels, including typosquatted domains and Cloudflare tunnels 【1】. The exfiltrated data includes personal data and at least 51,992 files related to outbound email communications 【1】.
  
  **What defenders should know:**
  Defenders should take immediate action to address the Trivy supply-chain compromise by updating to a known-safe version of Trivy, rotating all exposed AWS secrets and credentials, auditing Trivy versions in all environments, and pinning GitHub Actions to full SHA hashes. It is crucial to **audit and rotate AWS credentials**, especially those accessible from CI/CD pipelines, and review AWS CloudTrail logs for suspicious activity 【1】.
  
  In the short term, defenders should **restrict CI/CD pipeline access to cloud credentials** to the minimum required permissions and implement vendor risk management for CI/CD dependencies, including verifying signatures on tool updates and subscribing to security advisories. Implementing **behavioral monitoring for CI/CD environments** is also recommended to detect anomalous activity 【1】.
  
  Continuously, organizations must **enforce least privilege and credential hygiene**, regularly rotate credentials, and monitor for suspicious credential-related activity. Defenders should also **monitor for secondary exploitation of disclosed data** by being aware of potential targeted phishing or social engineering attempts. Maintaining robust **software update and vulnerability scanning practices** is essential to keep systems and tooling up to date and identify weaknesses 【1】.