Chinese hackers deploy Atlas RAT in fresh European attacks

A Chinese-speaking cybercrime group tracked as TA4922 has shifted to targets across Europe, expanding its malware arsenal with the newly identified Atlas RAT backdoor and related loaders. Proofpoint says activity has surged since March, with lures designed to

The first signs can look ordinary: a payroll notice, a tax audit, a VAT filing, a government compliance reminder. For victims in parts of Europe, those messages were only the front door. Behind them, a Chinese-speaking cybercrime group has been pushing into new territory with previously undocumented malware, including Atlas RAT and a backdoor dubbed Atlas.

The threat actor is tracked as TA4922. Proofpoint links the group to financially motivated attacks designed to breach target networks for fraud, data theft, and the sale of access. TA4922 has targeted organizations in East Asia before, but its recent campaigns have focused on entities in Germany, Italy, the United Kingdom, and South Africa.

The shift isn’t just about geography. Proofpoint says TA4922 overlaps with activity previously reported as ‘Silver Fox’ and ‘Void Arachne’, but this cluster is tracked separately because it is more consistent with cybercrime than espionage. Since March, Proofpoint says activity has increased sharply. Since April, it has shown unprecedented operational diversity and a high tempo, with TA4922 running more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data.

That tempo matters because it changes how defenders experience the threat. Proofpoint points to “high operational tempo,” a variety of lures, and multiple objectives—signals that the group isn’t relying on a single playbook. The messages are localized to look like real workplace communications: payroll notices, tax audits, VAT filings, government compliance notices, invoices, and human resources communications.

In at least some campaigns, TA4922 also reaches victims directly through messaging apps, attempting contact via WhatsApp, LINE, and Microsoft Teams.

Proofpoint’s report adds another twist: even if the group is financially motivated, its tools include capabilities that could be repurposed. While TA4922 is assessed to be financially motivated, Proofpoint says the malware capabilities include the potential for surveillance, which could be used by or sold to espionage groups.

At the center of the update is Atlas RAT, a recently identified remote access trojan. Proofpoint describes Atlas RAT as capable of system reconnaissance, targeted file theft, plugin and payload downloads, keylogging, screenshot capturing, and audio and webcam recording. It can also issue system shutdown and reboot commands.

Atlas RAT is built to survive early probing. Proofpoint says it includes anti-sandbox and anti-analysis checks that look for usernames and registry keys associated with Microsoft Defender Application Guard, the “CExecSvc” service, and the OS UUID.

Alongside Atlas RAT, Proofpoint says TA4922 has significantly expanded its malware arsenal. Researchers discovered a new loader called RomulusLoader, designed to download and execute additional payloads using process hollowing, shellcode injection, and direct execution. RomulusLoader has been used to launch legitimate remote management tools, including AnyDesk and SyncFuture. Proofpoint notes that SyncFuture—a remote monitoring software tool popular in China—was used in attacks targeting German entities.

Proofpoint also identified a Python-based loader and information stealer called SilentRunLoader. It targets Google Chrome credentials, cookies, and browsing data. Proofpoint says SilentRunLoader was deployed against organizations in the United Kingdom and Southeast Asia, using lures that impersonated government services.

For persistence and reach, TA4922 has also deployed Winos4.0, a previously documented malware family that Proofpoint tracks as ValleyRAT. Proofpoint describes it as providing operators with a full set of remote access features.

Taken together, the picture is blunt: TA4922 is moving quickly, using multiple lures, and leaning on tools that don’t just steal—they watch, record, and adapt. Proofpoint’s report also includes indicators of compromise for the malware and command-and-control infrastructure used in TA4922’s attacks, underscoring that this expansion is not a rumor of activity—it’s a measured campaign with infrastructure behind it.
