China-aligned threat actor TA416 (Mustang Panda/RedDelta) is actively exploiting legitimate Microsoft Entra ID OAuth flows, Azure Blob Storage, SharePoint, Google Drive, and Cloudflare Turnstile as delivery and C2 infrastructure in a PlugX espionage campaign targeting NATO diplomatic and European government organizations. CVE-2025-31324 (SAP NetWeaver, CVSS 10.0) appears in associated discovery context and warrants independent critical remediation for any organization running SAP NetWeaver regardless of TA416 attribution; CVE-2025-0994’s direct operational role is unconfirmed. Priority actions include auditing and restricting Entra ID OAuth application registrations, blocking MSBuild.exe execution on non-developer endpoints via WDAC, and applying SAP Security Note 3594142 immediately if NetWeaver is in scope.