China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa

A new China-linked cybercrime group known as TA4922 has expanded its targeting focus to target European organizations in the U.K., Germany, Italy, and South Africa.

These efforts have been complemented by a “rapid operational tempo” and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader, according to Proofpoint.

The enterprise security company is keeping tabs on the activity under the moniker TA4922, describing it as a Chinese-speaking threat actor largely targeting East Asia. TA4922 is assessed to share some level of overlap with Silver Fox, with the threat actor’s tradecraft more focused on cybercriminal objectives than espionage.

“The actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain, such as data theft, fraud, access resale, or persistent access,” the company said, characterizing it as an adversary conducting “more unique campaigns” than any other threat actor it tracks.

In recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader.

Another notable shift involves attempts to move conversations from emails to out-of-band communication channels like LINE, WhatsApp, and Microsoft Teams, allowing the attackers to bypass enterprise security controls and steal data or deliver malware. Details of some of the recently observed TA4922 phishing campaigns are below –

• March 6, 2026: Using human resources-related lures in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading
• March 23, 2026: Using corporate- and human resources-themed lures in attacks targeting Japanese organizations to deliver a C-based loader called RomulusLoader via DLL side-loading
• March 30, 2026: Using tax authority-related lures in attacks targeting organizations in the U.K. to deliver a vibe-coded Python-based loader and stealer called SilentRunLoader, which then drops an executable to harvest sensitive data from Google Chrome including stored credentials, cookies, and browsing information
• April 2, 2026: Using human resources communication lures in attacks targeting organizations in the U.K. and Germany to deliver Atlas RAT via DLL side-loading
• April 7, 2026: Using invoice-related lures in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading
• April 10, 2026: Using benefits- and compliance-themed lures in attacks targeting organizations across Southeast Asia and the U.K. to deliver SilentRunLoader via DLL side-loading and exfiltrate Chrome data
• Mid-April 2026: Using business- and tax-related themes in attacks targeting organizations in Japan and Germany to deliver RomulusLoader, which is then used to deploy AnyDesk and SyncFuture via DLL side-loading

“While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups,” Proofpoint said. “The global nature of this actor shows how organizations should be aware of emerging and complex threats, regardless of geographic targeting. These types of actors can quickly expand and scale their tactics to include more targets at any time.”