
CyberWire Daily: The spy who logged me in. [Research Saturday]
May 9, 2026
Mark Kelly, Staff Threat Researcher at Proofpoint who tracks China-aligned espionage, discusses TA416's resurgence against European diplomatic and government targets. He covers tracking-pixel reconnaissance, phishing sent from compromised diplomatic mailboxes, evolving infection chains such as fake CAPTCHA pages and OAuth abuse, a pivot to Middle East targets, and the group's persistent use of the PlugX backdoor.
Diplomatic Networks Are Primary Targets
- TA416 focuses on diplomatic intelligence gathering rather than broad disruption.
- Mark Kelly notes targeting embassies and Ministries of Foreign Affairs across Europe to map foreign-policy and diplomatic networks.
Tracking Pixels Flag High-Value Targets
- TA416 uses tracking pixels for reconnaissance before deploying malware.
- Kelly describes tiny email-embedded images that signal when a target opens mail, flagging promising victims for follow-up spearphishing.
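The tracking-pixel reconnaissance described above can be spotted on the mail-gateway side before anyone opens the message. The following is an added detection example (not code from the episode or from Proofpoint) that scans an HTML body for remote images that are 1x1, hidden by inline style, or carry a per-recipient query token; the sample message and the `track.example.invalid` host are constructed for illustration.

```python
# Added detection example: flag likely open-tracking pixels in an HTML e-mail body.
# Heuristics: a remote <img> that is 1x1, hidden by inline style, or carries a query
# string (a per-recipient token). The sample body below is constructed, not a real lure.
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

SAMPLE_EMAIL_HTML = """<html><body>
<p>Dear colleague, please find the agenda attached.</p>
<img src="https://example.invalid/logo.png" width="120" height="40">
<img src="https://track.example.invalid/open.gif?rid=7f3a9c" width="1" height="1"
     style="display:none">
</body></html>"""

class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))

def _dimension(value):
    """Parse '1', '1px' or '0.5' into a float; None if absent or unparseable."""
    m = re.match(r"\s*(\d+(?:\.\d+)?)", value or "")
    return float(m.group(1)) if m else None

def find_tracking_pixels(html):
    """Return [(src, [reasons])] for remote images that look like open beacons."""
    collector = _ImgCollector()
    collector.feed(html)
    flagged = []
    for img in collector.images:
        src = img.get("src") or ""
        if not src.lower().startswith(("http://", "https://")):
            continue  # inline (cid:/data:) images cannot phone home when opened
        reasons = []
        w, h = _dimension(img.get("width")), _dimension(img.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 dimensions")
        style = (img.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if parse_qs(urlparse(src).query):
            reasons.append("query string (possible recipient token)")
        if reasons:
            flagged.append((src, reasons))
    return flagged
```

A hit is a reason to strip or proxy remote images for that message rather than proof of espionage; newsletters use the same beacons, so pair the heuristic with sender reputation and the recipient's role.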
Compromised Diplomatic Mailboxes Amplify Credibility
- TA416 frequently reuses previously compromised diplomatic mailboxes to launch new campaigns.
- Mark Kelly explains this makes phishing far more convincing because targets trust government senders they've previously engaged with.

