China-Linked TA4922 Escalates Phishing Attacks Across Europe and South Africa
A newly identified cybercrime group, TA4922, with links to China, has significantly broadened its phishing operations, now targeting organizations in the United Kingdom, Germany, Italy, and South Africa. This expansion marks a notable shift from the group’s previous focus on East Asian entities.
TA4922 has demonstrated a rapid operational tempo, continually updating its malware arsenal. The group employs known malware families such as ValleyRAT (also known as Winos 4.0) and Atlas RAT (also referred to as AtlasCross RAT). Additionally, the group has introduced previously undocumented tools named RomulusLoader and SilentRunLoader. These developments have been closely monitored by cybersecurity firm Proofpoint, which tracks TA4922’s activities.
Proofpoint describes TA4922 as a Chinese-speaking threat actor primarily targeting East Asia. The group shares some operational similarities with Silver Fox but is more focused on cybercriminal objectives than espionage. Their primary goal appears to be financial gain through remote access to victim environments, facilitating data theft, fraud, access resale, or maintaining persistent access. Proofpoint characterizes TA4922 as conducting more unique campaigns than any other threat actor it monitors.
In recent months, TA4922 has shifted its tactics, employing phishing campaigns with human resources and business-themed lures. These campaigns aim to steal credentials, commit fraud, and deliver malware, including Atlas RAT, RomulusLoader, and SilentRunLoader. A notable change in their strategy involves moving conversations from email to out-of-band communication channels such as LINE, WhatsApp, and Microsoft Teams. Because these channels sit outside the email security stack, this approach allows the attackers to bypass enterprise security controls, facilitating data theft or malware delivery.
Several recent TA4922 phishing campaigns have been observed:
– March 6, 2026: Utilized human resources-related lures targeting Japanese organizations to deliver Atlas RAT via DLL side-loading.
– March 23, 2026: Employed corporate and human resources-themed lures against Japanese organizations, delivering a C-based loader called RomulusLoader through DLL side-loading.
– March 30, 2026: Used tax authority-related lures targeting organizations in the U.K. to deliver SilentRunLoader, a Python-based loader and stealer. This malware harvested sensitive data from Google Chrome, including stored credentials, cookies, and browsing information.
– April 2, 2026: Deployed human resources communication lures targeting organizations in the U.K. and Germany to deliver Atlas RAT via DLL side-loading.
– April 7, 2026: Utilized invoice-related lures against Japanese organizations to deliver Atlas RAT through DLL side-loading.
– April 10, 2026: Employed benefits and compliance-themed lures targeting organizations across Southeast Asia and the U.K. to deliver SilentRunLoader via DLL side-loading, exfiltrating Chrome data.
– Mid-April 2026: Used business and tax-related themes in attacks targeting organizations in Japan and Germany to deliver RomulusLoader. This loader was then used to deploy AnyDesk and SyncFuture via DLL side-loading.
While TA4922 is assessed to be financially motivated, its malware includes capabilities that could be used for surveillance. These could be utilized by, or sold to, espionage groups, adding another layer of complexity to the group’s operations.
The global reach of TA4922 underscores the need for organizations worldwide to remain vigilant against emerging and complex threats. Such actors can rapidly expand and adapt their tactics to include more targets at any time.