
Chinese Hackers Deploy Atlas RAT in Europe With Heightened Cyberattacks


“TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives,” Proofpoint says in a report today.

TA4922’s operational surge across Europe and beyond

Proofpoint traces TA4922 to a Chinese-speaking cybercrime group that has expanded from a prior focus on East Asia to new targets in Germany, Italy, the United Kingdom, and South Africa. According to the company, the group’s activity increased sharply beginning in March and, since April, has shown “unprecedented operational diversity and high tempo.” Proofpoint characterizes the cluster as financially motivated, focused on breaching networks for fraud, data theft, and the sale of access, while noting overlaps with activity previously labeled “Silver Fox” and “Void Arachne.”

Atlas RAT: a newly identified remote access trojan and its capabilities

Proofpoint’s report highlights Atlas RAT as a recently identified remote access trojan used by TA4922. The malware is described as offering a broad set of functions, including system reconnaissance; targeted file theft; plugin and payload downloads; keylogging; screenshot capture; audio and webcam recording; and commands to shut down or reboot systems. Atlas also includes anti-sandbox and anti-analysis checks, for example probing for usernames and registry keys associated with Microsoft Defender Application Guard, looking for a “CExecSvc” service, and inspecting the operating system UUID.

Loaders and toolset: RomulusLoader, SilentRunLoader, and Winos4.0

Proofpoint reports that TA4922 has broadened its malware arsenal with multiple loaders and RAT families. RomulusLoader is a newly observed loader that downloads and executes additional payloads using techniques such as process hollowing, shellcode injection, and direct execution; Proofpoint observed it being used to launch legitimate remote management tools, including AnyDesk and SyncFuture (the latter described as a remote monitoring tool popular in China and used in attacks targeting German entities).

  • SilentRunLoader: a Python-based loader and information stealer that exfiltrates Google Chrome credentials, cookies, and browsing data; deployed against organizations in the United Kingdom and Southeast Asia using lures impersonating government services.
  • Winos4.0 (tracked by Proofpoint as ValleyRAT): a previously documented malware family that provides operators with a full set of remote access features.

Phishing, messaging channels, and localized lures

To gain initial access, TA4922 uses localized phishing lures crafted to resemble payroll notices, tax audits, VAT filings, government compliance notices, invoices, and human resources communications. The actor also attempts direct contact over messaging platforms: Proofpoint observed outreach via WhatsApp, the LINE messenger, and Microsoft Teams. The diversity of lures and channels is one reason Proofpoint assesses the actor is running many distinct campaigns concurrently.

What this means for security teams, affected enterprises, and policymakers

  • Security teams: expect high operational tempo and multiple, localized phishing flavors; investigators should hunt for Indicators of Compromise published with Proofpoint’s report and monitor for unusual launches of AnyDesk, SyncFuture, or behavior consistent with process hollowing and shellcode injection.
  • Affected enterprises and procurement leaders: note that attackers have used legitimate remote management tools as part of the delivery chain; controls and visibility around remote-access software and RMM tools should be reviewed where these tools are in use.
  • Policymakers and regulators: Proofpoint warns that while TA4922 is assessed to be financially motivated, the malware’s surveillance capabilities “could be used by or sold to espionage groups,” a development that blurs the line between criminal access and potential intelligence exploitation.

Proofpoint also notes a shift in the group’s development practices: the presence of placeholder values, code comments, and recurring patterns that the researchers say are commonly associated with AI-generated code, leading them to conclude that TA4922 may be using large language models to accelerate malware development. The company published Indicators of Compromise and command-and-control infrastructure details alongside its technical findings.

TA4922’s campaign mix—new loaders and RATs, aggressive use of messaging platforms, localized social engineering, and possible use of generative tools—raises a clear challenge: defenders must contend with high-volume, adaptive criminal operations whose tools include capabilities suitable for both theft and surveillance. Proofpoint’s report provides the specific IOCs and infrastructure details that defenders can use to begin answering that challenge.

Source: BleepingComputer (summary of Proofpoint report)