A Chinese-speaking cybercrime group has expanded its operations into Europe, using newly discovered malware and the Atlas backdoor in a wave of financially motivated attacks.

The threat actor, tracked as TA4922, is known for targeting organizations to break into networks, steal data, commit fraud, and sell access to compromised systems. While the group previously focused on East Asia, recent campaigns have targeted organizations in Germany, Italy, the United Kingdom, and South Africa.

Cybersecurity researchers at Proofpoint said TA4922 overlaps with activity previously reported under the names Silver Fox and Void Arachne. However, Proofpoint tracks the cluster separately because its operations appear more closely tied to cybercrime than traditional espionage.

TA4922’s activity has increased sharply since March, with researchers observing a major rise in campaign volume and variety from April onward. Proofpoint said the group is currently running more unique campaigns than any other cybercrime actor it tracks, using different lures, tools, and objectives.

The attackers are using localized phishing emails designed to look like payroll notices, tax audits, VAT filings, government compliance messages, invoices, and human resources communications. The group has also tried to reach victims through WhatsApp, LINE, and Microsoft Teams.

Proofpoint said TA4922 has also expanded its malware toolkit. Researchers believe the group may be using large language models to speed up malware development, based on placeholder values, code comments, and coding patterns that appear similar to AI-generated code.

One of the key tools used in the latest campaigns is Atlas RAT, a recently identified remote access trojan. The malware can perform system reconnaissance, steal selected files, download plugins and payloads, log keystrokes, capture screenshots, record audio and webcam activity, and issue system shutdown or reboot commands.

Atlas RAT also includes anti-analysis and anti-sandbox features. It checks for signs of Microsoft Defender Application Guard, specific usernames, registry keys, the CExecSvc service, and operating system UUIDs to help avoid detection in controlled research environments.

Researchers also found a new malware loader called RomulusLoader. This tool can download and run additional payloads through process hollowing, shellcode injection, and direct execution. In some attacks, RomulusLoader was used to launch legitimate remote management software such as AnyDesk and SyncFuture, a remote monitoring tool popular in China. Proofpoint noted that the use of SyncFuture in attacks targeting German organizations was unusual.

Another tool linked to the campaign is SilentRunLoader, a Python-based loader and information stealer. It is designed to steal Google Chrome credentials, cookies, and browsing data. Proofpoint said it was used against organizations in the United Kingdom and Southeast Asia through phishing lures impersonating government services.

The researchers also observed TA4922 deploying Winos4.0, a known malware family that Proofpoint tracks as ValleyRAT. This malware gives attackers a wide range of remote access capabilities.

Although Proofpoint assesses TA4922 as financially motivated, the malware used by the group also has surveillance capabilities. Researchers warned that these tools could be used directly by espionage groups or sold to them.

Proofpoint’s report includes indicators of compromise for the malware samples and command-and-control infrastructure linked to TA4922’s campaigns.