Full Report
A new China-linked cybercrime group known as TA4922 has expanded its targeting to organizations in the U.K., Germany, Italy, and South Africa. These efforts have been complemented by a "rapid operational tempo" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously
Analysis Summary
# Threat Actor: TA4922
## Attribution & Identity
* **Identification:** TA4922 (Proofpoint moniker)
* **Origin:** Chinese-speaking threat actor.
* **Aliases/Associations:** Assessed to share some level of overlap with the group known as **Silver Fox**.
* **Actor Type:** Primarily characterized as a cybercrime group, though its surveillance capabilities suggest potential links to or utility for espionage operations.
## Activity Summary
TA4922 has recently demonstrated a "rapid operational tempo," shifting from a strictly East and Southeast Asian focus to global operations. Between March and April 2026, the group launched multiple phishing waves using human resources (HR), tax, and business-related lures to deploy a variety of remote access trojans (RATs) and info-stealers. Notable developments include the introduction of custom loaders and the practice of moving conversations with targets to out-of-band messaging platforms, where email security controls and logging do not apply.
## Tactics, Techniques & Procedures
* **Phishing:** Delivery of malware via email using HR, tax authority, invoice, and corporate compliance themes.
* **Social Engineering:** Moving the conversation with the target from email to alternative channels such as **LINE, WhatsApp, and Microsoft Teams**, where enterprise email controls and logging do not apply.
* **DLL Side-Loading:** Predominant execution technique across campaigns: a legitimate, signed executable is delivered alongside a malicious DLL bearing the name it expects to load, so the payload runs inside a trusted process.
* **Credential Harvesting:** Specific focus on stealing data from Google Chrome, including stored credentials, cookies, and browsing history.
* **Evasion:** Use of "vibe-coded" Python-based and C-based loaders to stage secondary payloads.
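An added example, not from Proofpoint's reporting or from this page: Python detection logic for the two host-side TTPs listed above, DLL side-loading and Chrome profile-database access, run over constructed EDR-style events. The event schema (`event_type`, `image`, `loaded_image`, `target_path`, `image_signed`, `loaded_image_signed`) and the sample events are assumptions for this example; map the fields onto your own telemetry (for instance Sysmon Event ID 7 for image loads and file-access auditing for reads) before use.

```python
"""Host-side detection heuristics for two TA4922 TTPs named above:
DLL side-loading and Chrome credential/cookie harvesting.

The event schema (event_type, image, loaded_image, target_path, *_signed) is an
assumption for this example; map the fields onto your own EDR or Sysmon telemetry.
"""
import json
from pathlib import PureWindowsPath

# Chrome profile databases the actor targets: saved logins, cookies, history.
CHROME_DB_NAMES = {"login data", "cookies", "history", "web data"}
CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"
# Processes expected to open those files; everything else is suspect.
CHROME_ALLOWED_PROCS = {"chrome.exe"}

# Directories an unprivileged user can write to. A signed executable loading an
# unsigned DLL that sits beside it in one of these is the classic side-load shape.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\windows\\temp\\",
)


def _norm(path: str) -> str:
    """Lower-case and use backslashes so comparisons are case/separator insensitive."""
    return path.replace("/", "\\").lower()


def is_chrome_db_access(ev: dict) -> bool:
    """True when a process other than Chrome opens a Chrome profile database."""
    if ev.get("event_type") != "file_open":
        return False
    target = _norm(ev["target_path"])
    if CHROME_PROFILE_MARKER not in target:
        return False
    if PureWindowsPath(target).name not in CHROME_DB_NAMES:
        return False
    proc = PureWindowsPath(_norm(ev["image"])).name
    return proc not in CHROME_ALLOWED_PROCS


def is_dll_sideload(ev: dict) -> bool:
    """True when a signed host EXE loads an unsigned DLL that is co-located with it
    in a user-writable directory."""
    if ev.get("event_type") != "image_load":
        return False
    exe = PureWindowsPath(_norm(ev["image"]))
    dll = PureWindowsPath(_norm(ev["loaded_image"]))
    if not str(dll).startswith(USER_WRITABLE_PREFIXES):
        return False
    co_located = dll.parent == exe.parent
    signed_host = bool(ev.get("image_signed"))
    unsigned_dll = not ev.get("loaded_image_signed")
    return co_located and signed_host and unsigned_dll


def triage(events):
    """Return (rule, process, artefact) tuples for events matching either heuristic."""
    alerts = []
    for ev in events:
        if is_chrome_db_access(ev):
            alerts.append(("chrome_db_access", ev["image"], ev["target_path"]))
        elif is_dll_sideload(ev):
            alerts.append(("dll_sideload", ev["image"], ev["loaded_image"]))
    return alerts


# Constructed sample telemetry for this example (not real captures).
SAMPLE_EVENTS = [
    # Benign: Chrome itself opening its own credential store.
    {"event_type": "file_open",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Suspicious: a Python runtime dropped under the user's profile reads Login Data and Cookies.
    {"event_type": "file_open",
     "image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event_type": "file_open",
     "image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    # Benign: a signed system binary loading a signed system DLL.
    {"event_type": "image_load", "image": r"C:\Windows\System32\svchost.exe", "image_signed": True,
     "loaded_image": r"C:\Windows\System32\ntdll.dll", "loaded_image_signed": True},
    # Suspicious: a signed vendor EXE in Downloads loads an unsigned DLL sitting beside it.
    {"event_type": "image_load", "image": r"C:\Users\alice\Downloads\Tax_Notice\viewer.exe",
     "image_signed": True,
     "loaded_image": r"C:\Users\alice\Downloads\Tax_Notice\version.dll", "loaded_image_signed": False},
    # Unsigned EXE loading an unsigned DLL: not the side-load shape, handled by other rules.
    {"event_type": "image_load", "image": r"C:\Users\alice\Downloads\tool.exe", "image_signed": False,
     "loaded_image": r"C:\Users\alice\Downloads\helper.dll", "loaded_image_signed": False},
]

if __name__ == "__main__":
    for rule, process, artefact in triage(SAMPLE_EVENTS):
        print(json.dumps({"rule": rule, "process": process, "artefact": artefact}))
```

Two tuning notes from running this kind of rule in production: Edge and Brave use the same Chromium profile layout under different directories, so extend `CHROME_PROFILE_MARKER` and the allowlist if those browsers are in scope, and expect backup agents to trip the file-access rule until they are allowlisted by signer. For the side-load rule, a signer mismatch between EXE and DLL is a stronger signal than "unsigned DLL" alone, since some actors sign their DLLs with throwaway certificates.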
## Targeting
* **Sectors/Roles:** Lures are aimed at human resources and corporate finance functions; stolen data and access are assessed to feed resale markets.
* **Geography:** Traditionally East and Southeast Asia (including Japan); recently expanded to the United Kingdom, Germany, Italy, and South Africa.
* **Victims:** Organizations (unnamed) located in the aforementioned regions.
## Tools & Infrastructure
* **Malware Families:**
* **ValleyRAT** (aka Winos 4.0)
* **Atlas RAT** (aka AtlasCross RAT)
* **RomulusLoader** (Custom C-based loader)
* **SilentRunLoader** (Custom Python-based loader and stealer)
* **Legitimate Software Abuse:** Use of **AnyDesk** and **SyncFuture** for persistent remote access.
* **Infrastructure:** Phishing domains and out-of-band messaging platforms (LINE, WhatsApp, Teams).
## Implications
TA4922 represents a maturing threat that bridges the gap between traditional cybercrime and state-aligned espionage tradecraft. Their ability to rapidly evolve their malware arsenal and scale targeting geographically indicates a highly resourced and motivated actor. While currently assessed as financially motivated (seeking data theft and access resale), their deep access capabilities make them a viable provider of "initial access" for more advanced Chinese espionage groups.
## Mitigations
* **Communication Policy:** Implement and enforce policies against moving business communications to unauthorized out-of-band channels such as WhatsApp or personal LINE accounts, and treat a request to do so as a phishing indicator worth reporting.
* **Endpoint Security:** Deploy EDR (Endpoint Detection and Response) tuned to alert on signed executables loading unsigned DLLs from user-writable directories, and on non-browser processes reading Chrome's profile databases.
* **Email Filtering:** Enhance email gateway protections to flag HR and tax-themed lures arriving from external or suspicious sources.
* **Browser Security:** Use enterprise Chrome management (for example, the `PasswordManagerEnabled` policy set to disabled) to stop credentials being stored in the browser, and move users to a managed password manager instead. Browser isolation such as Microsoft Defender Application Guard has been deprecated by Microsoft and should not be the control you rely on.
* **Multi-Factor Authentication (MFA):** Enforce robust MFA to limit the value of stolen passwords. Note that a stolen session cookie already represents an authenticated session and is not stopped by MFA, so pair it with short session lifetimes, device-bound session credentials where the identity provider supports them, and prompt revocation of sessions when theft is suspected.