
China-Linked Hackers Are Breaching European Governments — And It's Getting Worse

Manaal Khan | 4 April 2026 at 4:15 pm | 5 min read

A new cyberespionage campaign linked to China is targeting European government networks using dangerous malware and sneaky phishing tactics. With AI speeding up attacks, experts warn the window to respond is shrinking fast.

Key Takeaways

  • A Chinese cyberespionage group dubbed TA416 is actively targeting European government agencies.
  • Hackers are combining PlugX malware with OAuth-based phishing to bypass traditional security.
  • AI is drastically reducing response time, turning remote access into the fastest route to a breach.
  • Zscaler's 2026 VPN Risk Report reveals a sharp rise in credential-based attacks during work-from-anywhere shifts.
  • Organizations must adopt zero-trust models and multi-factor authentication to stay protected.

In This Article

  • The Attack Unfolds: How Hackers Are Sneaking In
  • Why OAuth Has Become a Hacker's Best Friend
  • PlugX: The Malware That Never Leaves
  • AI Is Supercharging Cyberattacks

The Attack Unfolds: How Hackers Are Sneaking In

Imagine getting an email that looks like it's from your IT department asking you to 'reauthorize' your access to a work app. You click, log in, and boom: you've just handed hackers the keys to your entire network. That's exactly what's happening across Europe.

  • TA416, a cyber group tied to China, is using phishing emails that exploit OAuth, a login system many companies trust.
  • Instead of stealing passwords, they trick users into granting access permissions to cloud apps like email and file storage.
  • Once inside, they deploy PlugX, a powerful remote access tool that lets them spy, steal data, and move laterally across networks.

Why OAuth Has Become a Hacker's Best Friend

OAuth is supposed to make life easier, letting you sign into third-party apps using Google or Microsoft without sharing your password. But that convenience is now a major security blind spot.

  • Hackers don't need your password anymore, just your permission to act on your behalf through legitimate-looking prompts.
  • Because OAuth grants are often long-lived and broad in access, one click can give attackers persistent access.
  • Security tools often miss these attacks since no credentials are stolen and traffic looks normal.
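
One way to act on this from the defender's side is to review the consent grants that already exist. The following is an added example, not code from the original article or any vendor: it assumes a grant inventory exported as records with hypothetical field names (`app_name`, `user`, `scopes`, `publisher_verified`, `consented_at`), uses Microsoft Graph delegated scope names as its broad-access list, and runs on constructed sample records.

```python
from datetime import datetime, timedelta, timezone

# Assumption: Microsoft Graph delegated scope names; swap in your provider's.
BROAD_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send",
                "Files.Read.All", "Files.ReadWrite.All"}
LONG_LIVED_SCOPE = "offline_access"  # app may obtain refresh tokens

def score_grant(grant, now, recent=timedelta(days=7)):
    """Return the list of risk reasons for one consent-grant record."""
    reasons = []
    scopes = set(grant["scopes"].split())
    broad = sorted(scopes & BROAD_SCOPES)
    if broad:
        reasons.append("broad mail/file access: " + ", ".join(broad))
    if LONG_LIVED_SCOPE in scopes:
        reasons.append("offline_access keeps access alive without the user")
    if not grant["publisher_verified"]:
        reasons.append("publisher not verified")
    if now - grant["consented_at"] <= recent:
        reasons.append("consent granted in the last %d days" % recent.days)
    return reasons

def triage(grants, now, threshold=3):
    """Return (app, user, reasons) for grants with >= threshold reasons, worst first."""
    hits = [(g["app_name"], g["user"], score_grant(g, now)) for g in grants]
    hits = [h for h in hits if len(h[2]) >= threshold]
    return sorted(hits, key=lambda h: len(h[2]), reverse=True)

def day(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample inventory (hypothetical field names and values).
SAMPLE_GRANTS = [
    {"app_name": "Access Reauthorization Portal", "user": "alice@example.org",
     "scopes": "Mail.Read Files.Read.All offline_access",
     "publisher_verified": False, "consented_at": day(2026, 4, 2)},
    {"app_name": "Calendar Helper", "user": "bob@example.org",
     "scopes": "User.Read",
     "publisher_verified": True, "consented_at": day(2025, 11, 1)},
    {"app_name": "Doc Signer", "user": "carol@example.org",
     "scopes": "Files.ReadWrite.All offline_access",
     "publisher_verified": True, "consented_at": day(2026, 1, 10)},
]

if __name__ == "__main__":
    for app, user, reasons in triage(SAMPLE_GRANTS, now=day(2026, 4, 4)):
        print(f"REVIEW {app!r} granted by {user}:")
        for r in reasons:
            print("  -", r)
```

Because no password is stolen, the grant record itself is the evidence worth reviewing; flagged grants should be revoked at the identity provider rather than handled with a password reset alone.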

PlugX: The Malware That Never Leaves

While phishing gets the hacker in the door, PlugX is what lets them stay indefinitely. This malware has been around for years but is evolving fast.

  • PlugX gives attackers full control: they can log keystrokes, grab screenshots, and download files without detection.
  • It's modular, meaning it can adapt on the fly, downloading new tools depending on what the hackers need.
  • It blends in by mimicking legitimate system processes, making it tough for antivirus software to catch.

AI Is Supercharging Cyberattacks

It's not just better malware; it's faster attacks. Thanks to AI, hackers can now launch and adapt campaigns in seconds, not days.

  • AI automates the creation of convincing phishing messages tailored to specific targets, increasing success rates.
  • The human response window has collapsed: what used to take hours to detect now needs to be caught in seconds.
  • Zscaler's report warns that remote access systems, once convenient, are now the fastest path into corporate and government networks.

"The convergence of AI and remote access vulnerabilities has turned the traditional attack surface upside down."

— Shivani Govil, Director of Threat Research, Zscaler

Final Thoughts

The days of relying on passwords and basic firewalls are over. As AI-powered threats like TA416 evolve, governments and businesses must shift to zero-trust frameworks, enforce strict app permissions, and continuously monitor for anomalous access, because the next breach might start with a single, innocent-looking click.

Sources & Credits

Originally reported by The Hacker News

Manaal Khan

Tech & Innovation Writer