"The actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain, such as data theft, fraud, access resale, or persistent access," Proofpoint said.
Proofpoint flags rapid expansion and evolving tradecraft
Proofpoint, the enterprise security company tracking the activity as TA4922, reports that the China-linked group has broadened its targeting beyond East Asia to include organizations in the U.K., Germany, Italy, and South Africa. The company described the campaign pace as a "rapid operational tempo" and said the actor conducts "more unique campaigns" than any other threat actor it tracks. Proofpoint assesses TA4922 as a Chinese-speaking threat actor with some overlap with Silver Fox, and characterizes its tradecraft as more focused on cybercriminal objectives than espionage.
Malware families: known RATs and newly observed loaders
TA4922's arsenal includes established remote-access trojans and previously undocumented tools. Proofpoint lists ValleyRAT (also called Winos 4.0) and Atlas RAT (also called AtlasCross RAT) among the known families used. Newer tools observed in the campaigns include RomulusLoader and SilentRunLoader. Proofpoint warns that although the actor is assessed as financially motivated, "the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups."
Phishing, DLL side-loading, and out-of-band communications
The actor's recent campaigns have relied heavily on phishing using human-resources and business-themed lures to collect credentials, commit fraud, and deliver malware. Delivery has frequently employed DLL side-loading to load Atlas RAT, RomulusLoader, and SilentRunLoader into victim environments. In parallel, TA4922 has attempted to move conversations off email and onto messaging platforms such as LINE, WhatsApp, and Microsoft Teams—an operational choice Proofpoint says allows attackers to "bypass enterprise security controls and steal data or deliver malware."
Campaign timeline and technical specifics
- March 6, 2026 — Human-resources lures targeting Japanese organizations delivered Atlas RAT via DLL side-loading.
- March 23, 2026 — Corporate- and human-resources-themed lures targeting Japanese organizations delivered a C-based loader called RomulusLoader via DLL side-loading.
- March 30, 2026 — Tax authority-themed lures targeting organizations in the U.K. delivered a vibe-coded Python-based loader and stealer called SilentRunLoader, which then dropped an executable to harvest sensitive data from Google Chrome, including stored credentials, cookies, and browsing information.
- April 2, 2026 — Human-resources communication lures targeting organizations in the U.K. and Germany delivered Atlas RAT via DLL side-loading.
- April 7, 2026 — Invoice-related lures targeting Japanese organizations delivered Atlas RAT via DLL side-loading.
- April 10, 2026 — Benefits- and compliance-themed lures targeting organizations across Southeast Asia and the U.K. delivered SilentRunLoader via DLL side-loading to exfiltrate Chrome data.
- Mid-April 2026 — Business- and tax-related themes targeting organizations in Japan and Germany delivered RomulusLoader, which was used to deploy AnyDesk and SyncFuture via DLL side-loading.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: Expect continued use of DLL side-loading and modular loaders like RomulusLoader and SilentRunLoader; detection and response should include monitoring for anomalous DLL loads, Python-based stealer behavior, and credential-exfiltration patterns from Chrome.
- Affected enterprises and procurement leaders: The actor's shift to European and South African targets underscores the need to vet third-party communications and to consider controls for out-of-band channels such as LINE, WhatsApp, and Microsoft Teams that attackers are using to bypass email protections.
- End users and general staff: Human-resources, tax, invoice, benefits, and compliance themes remain the favored lures; vigilance around unexpected requests for credentials or shifting a conversation from email to messaging apps is warranted.
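The monitoring recommendation above can be turned into a concrete check. The following is an added example, not code from Proofpoint or the article: it scores Sysmon-style Image Load records against two DLL side-loading heuristics (an unsigned DLL loaded from beside its host executable in a user-writable folder, and a DLL carrying a Windows system DLL name that resolved from outside the system directories). The log lines, paths and the `Key=Value|Key=Value` record layout are constructed for illustration; the short system DLL list is an illustrative subset, not a complete one.

```python
"""Flag DLL side-loading candidates in Sysmon-style Image Load (Event ID 7) records.

Added example; the records below are constructed and the field layout is an
assumption that mirrors Sysmon's Image, ImageLoaded and Signed fields.
"""
from pathlib import PureWindowsPath

# Prefixes an unprivileged user can write to (compared lowercase).
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Illustrative subset of Windows DLL names commonly resolved via the search order.
KNOWN_SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wininet.dll", "userenv.dll"}

def parse_event(line):
    """Turn 'Key=Value|Key=Value' into a dict; backslashes in paths are kept intact."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|"))

def side_loading_indicators(event):
    """Return the reasons an image load looks like side-loading (empty list if benign)."""
    exe = PureWindowsPath(event["Image"])
    dll = PureWindowsPath(event["ImageLoaded"])
    exe_dir = str(exe.parent).lower() + "\\"
    dll_dir = str(dll.parent).lower() + "\\"
    unsigned = event.get("Signed", "true").lower() != "true"
    reasons = []
    # Rule 1: host EXE and DLL sit together in a user-writable folder and the DLL is
    # unsigned, the pattern of a lure archive shipping a clean EXE plus a malicious DLL.
    if exe_dir == dll_dir and exe_dir.startswith(USER_WRITABLE) and unsigned:
        reasons.append("unsigned DLL beside host EXE in user-writable dir")
    # Rule 2: a system DLL name satisfied from outside System32/SysWOW64, i.e. the
    # planted DLL shadowed the legitimate import the host EXE expected to load.
    if dll.name.lower() in KNOWN_SYSTEM_DLLS and not dll_dir.startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL name {dll.name} loaded from {dll.parent}")
    return reasons

# Constructed records: two from an unpacked "HR" lure archive, two benign baselines.
SAMPLE_EVENTS = [
    r"Image=C:\Users\hr\Downloads\Resume_Pack\hostapp.exe|ImageLoaded=C:\Users\hr\Downloads\Resume_Pack\helper.dll|Signed=false",
    r"Image=C:\Users\hr\Downloads\Resume_Pack\hostapp.exe|ImageLoaded=C:\Users\hr\Downloads\Resume_Pack\version.dll|Signed=false",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\app.dll|Signed=true",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
]

def scan(lines):
    """Map each suspicious ImageLoaded path to the rules it tripped."""
    hits = {}
    for line in lines:
        event = parse_event(line)
        reasons = side_loading_indicators(event)
        if reasons:
            hits[event["ImageLoaded"]] = reasons
    return hits

if __name__ == "__main__":
    for path, why in scan(SAMPLE_EVENTS).items():
        print(path, "->", "; ".join(why))
```

In production the same two rules would run over real Sysmon or EDR image-load telemetry, with the writable-path and system DLL lists tuned to the estate and signature status taken from the event rather than trusted as a default.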
TA4922's profile in Proofpoint's reporting is notable for two linked traits: an emphasis on financially motivated access that can be converted directly into profit, and a rapidly evolving toolset that blurs the line between crimeware and surveillance-capable software. That duality—criminal intent with surveillance-capable tooling—frames a practical risk for any organization that relies on Chrome-stored credentials or that permits unfettered use of external messaging platforms for business communications.
Proofpoint's findings leave a clear operational question for defenders: as TA4922 continues to scale geographically and refine delivery techniques, will defenders close the detection gaps around DLL side-loading and out-of-band messaging before the actor converts access into fraud, resale of access, or persistent intrusions?
Original reporting: https://thehackernews.com/2026/06/china-linked-ta4922-expands-phishing.html