Chinese-speaking TA4922 expands into Europe, deploying new Atlas RAT malware in phishing campaigns targeting organizations across sectors.

Continue reading
A Chinese-speaking threat actor tracked as TA4922 has expanded its operations beyond East Asia and is now targeting organizations across Germany, Italy, the United Kingdom, and South Africa, deploying a previously undocumented Atlas RAT alongside multiple malware families.
The activity marks a significant geographic expansion for the group, which researchers assess as primarily financially motivated but possessing tooling capable of surveillance and long-term access operations.
Proofpoint reported that TA4922's operational tempo has increased sharply since March 2026, with the actor conducting more distinct campaigns than any other cybercrime threat group currently tracked by the company.
Researchers observed the use of localized phishing lures impersonating payroll notices, tax audits, VAT filings, invoices, compliance notifications, and human resources communications targeting organizations across multiple sectors.
The campaign primarily relies on social engineering and phishing activity tailored to regional audiences.
Researchers observed TA4922 using localized language content and attempting to engage targets through multiple communication platforms, including WhatsApp, LINE, and Microsoft Teams, in addition to traditional email-based phishing channels. The group's activity has historically focused on East Asian targets but has now expanded significantly into Europe and Africa.
The actor has previously been linked to activity clusters tracked as Silver Fox and Void Arachne, although Proofpoint maintains separate tracking due to the group's cybercrime-focused objectives rather than traditional espionage operations.
The most notable addition to the group's malware arsenal is Atlas RAT, a newly identified remote access trojan designed to establish persistent access and enable extensive post-compromise activity.
According to Proofpoint, Atlas RAT supports:
Researchers also identified multiple anti-analysis mechanisms within the malware. Atlas RAT performs checks for sandbox environments, Microsoft Defender Application Guard artifacts, specific registry keys, operating system identifiers, and analysis-related services before executing its payloads.
Proofpoint documented a rapidly expanding malware ecosystem supporting TA4922 operations.
Alongside Atlas RAT, researchers identified a newly discovered loader named RomulusLoader, which delivers secondary payloads using techniques including process hollowing, shellcode injection, and direct payload execution. RomulusLoader has been observed deploying legitimate remote administration software such as AnyDesk and SyncFuture, a remote monitoring platform commonly used in China.
The company also identified SilentRunLoader, a Python-based loader and information stealer targeting Google Chrome credentials, cookies, and browsing data. The malware was reportedly used in campaigns targeting organizations in the United Kingdom and Southeast Asia through government-themed lures.
Researchers further observed deployment of Winos4.0, also tracked as ValleyRAT, providing operators with a broader set of remote access and control capabilities after compromise.
Observed campaigns typically begin with phishing messages crafted around financial, regulatory, tax, payroll, or human resources themes.
Once a victim interacts with malicious content, TA4922 deploys malware loaders that establish execution, retrieve additional payloads, and ultimately deliver Atlas RAT or other remote-access tooling. Subsequent stages enable credential theft, surveillance, persistence, and data collection activities.
Proofpoint also noted that the group increasingly combines malicious payloads with legitimate software and trusted remote management tools, complicating detection and incident response efforts.
Researchers reported multiple indicators suggesting that large language models may be assisting portions of the group's malware development workflow.
Evidence cited includes placeholder variables, development comments, and coding patterns commonly associated with AI-generated code. Proofpoint stopped short of attributing malware creation directly to AI but noted repeated characteristics across newly identified tooling.
Proofpoint assesses TA4922 as a Chinese-speaking cybercrime actor focused on fraud, data theft, access monetization, and persistent network compromise.
However, researchers warned that several malware capabilities observed in the campaign could support intelligence collection and surveillance objectives. As a result, compromised access or tooling could potentially be leveraged by or transferred to espionage-focused operators.
The emergence of Atlas RAT and the rapid diversification of TA4922's malware ecosystem reflect a growing trend among Chinese-speaking cybercrime groups toward modular malware development, multi-stage infection chains, and geographically expanded targeting.
Proofpoint's findings indicate that TA4922 is no longer operating as a regionally focused threat actor. Instead, the group is conducting sustained campaigns across Europe and Africa while deploying an increasingly diverse toolkit that blends credential theft, remote access, surveillance functionality, and legitimate administration software within the same intrusion framework.

A single ClickFix infrastructure is pushing StealC, Amatera, Remus, NetSupport, CastleLoader and a new loader called ResiLoader through fake Google/Cloudflare checks.