
TA4922 China-Linked Phishing Attack Expands to UK, Germany, Italy, and South Africa

Ravie Lakshmanan | June 04, 2026 | Malware / Cybercrime

A China-linked cybercrime group tracked as TA4922 has expanded its targeting beyond East Asia to organizations in the UK, Germany, Italy, and South Africa.

The expansion has been accompanied by an "aggressive operational tempo" and a growing arsenal of malware that includes known families such as ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader, according to Proofpoint.

The enterprise security firm is tracking the activity under the moniker TA4922, describing it as a Chinese-speaking threat actor that has historically focused on East Asia. TA4922 is assessed to share some degree of overlap with Silver Fox, and the actor's tradecraft is more consistent with cybercrime than with espionage.

"The actor may be financially motivated and focused on gaining remote access to target areas for financial gain, such as data theft, fraud, resale, or continued access," the company said, describing it as an adversary that runs more "unique campaigns" than any other threat actor it tracks.

In recent months, the threat actor's attacks have relied on phishing campaigns that use human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader.

Another notable change involves efforts to move conversations out of email and into out-of-band communication channels such as LINE, WhatsApp, and Microsoft Teams, allowing the attackers to bypass corporate email security controls before stealing data or delivering malware. Details of some of the recently observed TA4922 phishing campaigns are listed below:

  • March 6, 2026: Human resources-themed lures used in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading
  • March 23, 2026: Business- and human resources-themed lures used in attacks targeting Japanese organizations to deliver a C-based loader called RomulusLoader via DLL side-loading
  • March 30, 2026: Tax authority-themed lures used in an attack targeting UK organizations to deliver a vibe-coded, Python-based loader called SilentRunLoader, which drops a component that harvests sensitive data from Google Chrome, including its databases, cookies, and browsing history
  • April 2, 2026: Social networking-themed lures used in attacks targeting organizations in the UK and Germany to deliver Atlas RAT via DLL side-loading
  • April 7, 2026: Invoice-themed lures used in an attack targeting Japanese organizations to deliver Atlas RAT via DLL side-loading
  • April 10, 2026: Legal- and compliance-themed lures used in attacks targeting organizations across Southeast Asia and the UK to deliver SilentRunLoader via DLL side-loading, followed by extraction of Chrome data
  • Mid-April 2026: Business- and tax-themed lures used in attacks targeting organizations in Japan and Germany to deliver RomulusLoader, which is then used to deploy AnyDesk and SyncFuture via DLL side-loading
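Two behaviours recur in the campaign list above: a loader delivered by DLL side-loading, and a follow-on component that reads Chrome's local data stores. As an added illustration (not Proofpoint's detection logic and not code from the original article), the Python below hunts for both in endpoint telemetry: a hijackable system DLL loaded from the same user-writable directory as the executable that loaded it, and a process other than chrome.exe opening Chrome's credential, cookie, or history databases. The pipe-delimited log format, the DLL name list, and the sample events are all constructed for this example; the page does not name the DLLs TA4922 abuses.

```python
"""Hunt for DLL side-loading and Chrome data-store access in module-load and
file-access telemetry. Log format and samples are constructed for this example."""
import ntpath  # handles backslash paths regardless of host OS

# Directories Windows normally loads trusted binaries from (assumption: a
# DLL under these paths is considered legitimate for this heuristic).
TRUSTED_DIRS = (
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\program files",
    r"c:\program files (x86)",
)

# System DLL names frequently hijacked via side-loading (illustrative list,
# not taken from the article or from Proofpoint).
SIDELOAD_DLLS = {
    "version.dll", "dbghelp.dll", "wtsapi32.dll",
    "profapi.dll", "cryptbase.dll", "libcef.dll",
}

# Chrome profile files that hold credentials, cookies and browsing history.
CHROME_STORES = {"login data", "cookies", "history", "web data"}
CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"

# Constructed telemetry: KIND|PROCESS_IMAGE|TARGET_PATH
SAMPLE_LOG = r"""
IMAGELOAD|C:\Users\alice\AppData\Local\Temp\HR_Policy_2026\Update.exe|C:\Users\alice\AppData\Local\Temp\HR_Policy_2026\version.dll
IMAGELOAD|C:\Program Files\Vendor\App.exe|C:\Windows\System32\version.dll
IMAGELOAD|C:\Users\alice\Downloads\Invoice\viewer.exe|C:\Users\alice\Downloads\Invoice\helper.dll
FILEACCESS|C:\Users\alice\AppData\Local\Temp\HR_Policy_2026\Update.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data
FILEACCESS|C:\Program Files\Google\Chrome\Application\chrome.exe|C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies
"""


def _norm(path):
    """Lower-case and use backslashes so comparisons are case-insensitive."""
    return path.replace("/", "\\").lower()


def _is_trusted(path):
    return any(_norm(path).startswith(d) for d in TRUSTED_DIRS)


def parse_log(text):
    """Yield (kind, process, target) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 3:
            continue
        yield parts[0].upper(), parts[1], parts[2]


def detect(events):
    """Return a list of (rule, process, target) alerts for suspicious events."""
    alerts = []
    for kind, process, target in events:
        proc, tgt = _norm(process), _norm(target)
        if kind == "IMAGELOAD":
            # Side-loading indicator: a well-known system DLL name resolved
            # from the loader's own (untrusted) directory instead of System32.
            if (ntpath.basename(tgt) in SIDELOAD_DLLS
                    and not _is_trusted(tgt)
                    and ntpath.dirname(tgt) == ntpath.dirname(proc)):
                alerts.append(("dll_sideload", process, target))
        elif kind == "FILEACCESS":
            # Chrome data theft indicator: a non-Chrome process opening a
            # credential/cookie/history database inside a Chrome profile.
            if (ntpath.basename(tgt) in CHROME_STORES
                    and CHROME_PROFILE_MARKER in tgt
                    and ntpath.basename(proc) != "chrome.exe"):
                alerts.append(("chrome_store_access", process, target))
    return alerts


def scan_log(text=SAMPLE_LOG):
    return detect(parse_log(text))


if __name__ == "__main__":
    for rule, process, target in scan_log():
        print(f"[{rule}] {process} -> {target}")
```

Run against the constructed sample, the scan raises two alerts: the `version.dll` loaded from the same Temp folder as `Update.exe`, and `Update.exe` reading Chrome's `Login Data`. The third line (`helper.dll`) is deliberately not flagged, which shows the heuristic's blind spot: it only catches side-loading of DLL names on the watch list, so the list must be maintained, and a production rule would also want signer information on the loading executable to cut noise from legitimate applications that ship their own DLLs.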

“Even if the actor is assessed as financially motivated, the malware’s capabilities include surveillance capabilities, which can be used or sold to espionage groups,” Proofpoint said. “The global nature of this actor shows how organizations must be aware of emerging and complex threats, no matter where they are targeted. These types of actors can grow quickly and scale their tactics to include multiple targets at any given time.”
