
China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa

Ravie Lakshmanan, Jun 04, 2026, Malware / Cybercrime

A newly emerged cybercrime group, identified as **TA4922**, has been expanding its operations, with a particular focus on European organizations. This group, which has ties to China, is now targeting entities in countries such as the United Kingdom, Germany, Italy, and South Africa. The increase in their activities marks a significant shift in their operational strategies and geographical focus.

The activities of TA4922 have been described as exhibiting a “rapid operational tempo” and are supported by an evolving arsenal of malware tools. This arsenal includes well-known malware families such as ValleyRAT (also referred to as Winos 4.0) and Atlas RAT (also known as AtlasCross RAT). Additionally, the group has developed new, previously undocumented tools, namely **RomulusLoader** and **SilentRunLoader**. This information has come to light through research from Proofpoint, an enterprise security firm closely monitoring the group’s endeavors.

Proofpoint has categorized TA4922 as a Chinese-speaking threat actor that predominantly focuses on cybercriminal activities rather than state-sponsored espionage. Notably, TA4922 appears to overlap to some degree with another hacker group known as **Silver Fox**; however, its methods are more concentrated on financial gain than on intelligence gathering. The characterizations provided by Proofpoint suggest that the group is financially motivated, seeking remote access to victim machines for a range of malicious purposes, which include but are not limited to data theft, fraud, access resale, and maintaining persistent access to systems for further exploitation.

In recent months, the phishing campaigns launched by TA4922 have employed various human resources and business-related themes to lure potential victims. These deceptive tactics are designed to execute credential phishing, facilitate fraud, and distribute malware. Among the malware deployed in these campaigns are Atlas RAT, RomulusLoader, and SilentRunLoader. These shifts in tactics illustrate a sophisticated understanding of human behavior and corporate environments.

An alarming trend observed in the group’s operations is their strategy to transition communications from traditional email channels to other platforms such as LINE, WhatsApp, and Microsoft Teams. This approach allows TA4922 to circumvent enterprise security measures, making it easier for them to steal sensitive information or deliver additional malware. The intricacies of their campaigns are underscored by the following specific cases:

– **March 6, 2026**: The group targeted Japanese organizations with human resources-related lures that facilitated the delivery of Atlas RAT via DLL side-loading.
– **March 23, 2026**: Continuing their trend, TA4922 used corporate and HR themes in campaigns directed at Japanese entities to distribute a C-based loader, RomulusLoader, achieved again through DLL side-loading techniques.
– **March 30, 2026**: The organization employed tax authority impersonations in attacks against U.K.-based organizations, facilitating the delivery of a Python-based stealer, SilentRunLoader. This malware was capable of harvesting sensitive information from Google Chrome, including stored credentials and browsing history, by deploying an executable.
– **April 2, 2026**: A similar tactic was again observed as they targeted organizations in the U.K. and Germany using HR-themed lures to distribute Atlas RAT via DLL side-loading.
– **April 7, 2026**: The group attacked Japanese organizations using invoice-related content to deliver Atlas RAT through DLL side-loading.
– **April 10, 2026**: The organization penetrated entities across Southeast Asia and the U.K. by employing benefits- and compliance-related lures to deliver SilentRunLoader through DLL side-loading.
– **Mid-April 2026**: Finally, they utilized business and tax-related themes in attacks on organizations in Japan and Germany to deliver RomulusLoader, which was subsequently used to deploy remote access tools such as AnyDesk and SyncFuture.

According to Proofpoint, while TA4922 is primarily motivated by financial gain, their malware possesses capabilities that could facilitate surveillance activities. This dual-use aspect raises concerns that tools developed by TA4922 could also be sold or utilized by groups engaged in espionage.

Proofpoint emphasizes the global nature of the TA4922 threat, underscoring the necessity for organizations worldwide to remain vigilant against emerging cyber threats. As the landscape of cybercrime continues to evolve, it is crucial for entities to adapt and fortify their defenses against increasingly complex attacks that could arise from any geographic corner.
