TA4922: The Suspected Chinese Crime Group is Going Global

TA4922 is a highly active Chinese-speaking threat actor that has evolved its toolkit to include Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT/Winos4.0 while using regional HR, payroll, tax, and invoicing lures to target organizations across East Asia, Europe, and Africa. The group combines DLL sideloading, cloud hosting, trusted tools like AnyDesk and SyncFuture, and credential theft or exfiltration to support financially motivated access and fraud campaigns. #TA4922 #AtlasRAT #RomulusLoader #SilentRunLoader #Winos40 #AnyDesk #SyncFuture

Key points

  • TA4922 is assessed as a Chinese-speaking, likely East Asia-based threat actor with strong financial motives.
  • The group uses a rapidly changing malware arsenal, including Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT.
  • Campaigns rely on localized social engineering themes such as HR, payroll, tax audits, VAT filings, benefits, and invoicing.
  • Targeting initially focused on Japan and other parts of Asia, but expanded in 2026 to the U.K., Germany, Italy, South Africa, and other regions.
  • RomulusLoader is used as a first-stage loader to deploy additional payloads, including legitimate RMM tools like AnyDesk and SyncFuture.
  • SilentRunLoader steals Chrome data, including credentials and cookies, and exfiltrates it to actor-controlled infrastructure.
  • TA4922’s tradecraft includes DLL sideloading, process injection, anti-analysis checks, cloud/file-hosting abuse, and use of infrastructure tied to Chinese providers.

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Used malicious archives and document-like lures to deliver payloads (‘the email contained a GoFile URL linking to a ZIP file’, ‘URLs in the email led to ZIP files hosted on GoFile’).
  • [T1566.002] Phishing: Spearphishing Link – Embedded URLs directed victims to hosted payloads and landing pages (‘URLs embedded in the email body redirected users to file sharing services’).
  • [T1204.001] User Execution: Malicious Link – Victims were induced to click links or open downloaded archives to launch the malware (‘designed to resemble internal HR notifications’, ‘urged recipients to review business documents’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Multiple payloads were installed by abusing legitimate executables and DLLs (‘the Atlas RAT payload is installed via DLL sideloading’, ‘RomulusLoader was delivered inside a ZIP archive containing a legitimate executable and DLL’).
  • [T1105] Ingress Tool Transfer – Additional payloads were downloaded from actor infrastructure and file-sharing services (‘attempted to retrieve and execute additional payloads’, ‘download a next-stage payload’).
  • [T1055] Process Injection – RomulusLoader injected workers into other processes and Atlas RAT supported DLL injection into WeChat.exe (‘injected into other processes’, ‘injects DLL into WeChat.exe’).
  • [T1053.005] Scheduled Task/Job: Scheduled Task – Persistence was attempted through copying malware into a common program directory and reusing it via worker processes (‘copies the original executable … to the directory “C:\Program Files\Common Files” as a sort of persistence directory’).
  • [T1027] Obfuscated Files or Information – Payloads and configs were encrypted, compressed, or XOR-decoded (‘encrypted blob of data’, ‘decompresses it (ZLib)’, ‘hex-encoded’).
  • [T1140] Deobfuscate/Decode Files or Information – Malware decrypted embedded payloads and configuration data (‘decrypts the embedded PE file’, ‘The config is hex-encoded, and once decoded’).
  • [T1057] Process Discovery – Atlas RAT can check whether named processes are running (‘Process check (checks if named process is running)’).
  • [T1082] System Information Discovery – Atlas RAT collects and sends host information to C2 (‘gather system information and forward it to the C2’).
  • [T1113] Screen Capture – Atlas RAT can capture screenshots (‘Capture clipboard and screenshot data’).
  • [T1056.001] Input Capture: Keylogging – Atlas RAT includes keylogger functionality (‘Start a keylogger’).
  • [T1123] Audio Capture – Atlas RAT can record audio and access audio devices (‘Record audio and video (webcam)’, ‘checks for a camera as well as the audio … devices’).
  • [T1125] Video Capture – Atlas RAT supports webcam recording (‘Record audio and video (webcam)’).
  • [T1021.001] Remote Services: Remote Desktop Protocol – Legitimate remote management software was deployed to enable remote access, though via AnyDesk rather than RDP (‘deploy legitimate RMM software, AnyDesk’).
  • [T1090] Proxy – The actor used intermediaries such as file hosting, URL shorteners, and cloud services to reach victims and deliver payloads (‘srt.tw URLs … redirected to ZIP or RAR archive files hosted on MediaFire’).
  • [T1071.001] Application Layer Protocol: Web Protocols – C2 and exfiltration used HTTP/POST and web-hosted endpoints (‘exfiltrated via HTTP POST requests’).
  • [T1036] Masquerading – Malicious files and pages impersonated legitimate corporate, tax, and HR content (‘impersonating internal human resources communications’, ‘landing page impersonating a tax portal’).
  • [T1497.001] Virtualization/Sandbox Evasion: System Checks – Malware checked for sandbox, VM, and container indicators (‘Checks if the active username is “WDAGUtilityAccount”’, ‘Checks if the “CExecSvc” service is running’).
  • [T1059.006] Command and Scripting Interpreter: Python – SilentRunLoader is a Python-based loader/stealer (‘the Python-based loader and stealer tracked as SilentRunLoader’).
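The sideloading and persistence-directory entries above (T1574.002 and the “C:\Program Files\Common Files” copy) describe a pattern a defender can hunt for in image-load telemetry: one of the named DLLs loaded from the same directory as an unsigned executable that sits in a user-writable or otherwise unexpected location. The following is an added example, not code from the Proofpoint report or from any tool it names; the Sysmon Event ID 7 field names are real, but the sample events, process names and the list of suspicious directory prefixes are constructed assumptions for illustration.

```python
import ntpath
from dataclasses import dataclass
from typing import List

# DLL names the page lists as sideloaded components.
SIDELOADED_DLLS = {"vulkan-1.dll", "libcef.dll"}

# Heuristic directory prefixes (an assumption, not from the page) where a sideloaded
# DLL is unexpected: the "Common Files" persistence directory the page mentions, plus
# user-writable locations where phishing archives are typically extracted.
SUSPICIOUS_DIR_PREFIXES = (
    "c:\\program files\\common files",
    "c:\\users\\",
    "c:\\windows\\temp",
)


@dataclass
class ImageLoadEvent:
    """Subset of a Sysmon Event ID 7 (Image loaded) record, constructed for the example."""
    image: str             # Image: the process that loaded the DLL
    image_loaded: str      # ImageLoaded: full path of the DLL
    signed: bool           # Signed
    signature_status: str  # SignatureStatus, e.g. "Valid" or "Unavailable"


def is_suspicious_sideload(ev: ImageLoadEvent) -> bool:
    """True when a watched DLL is picked up from the loader's own directory,
    that directory is in a suspicious location, and the DLL is not validly signed."""
    dll_name = ntpath.basename(ev.image_loaded).lower()
    if dll_name not in SIDELOADED_DLLS:
        return False
    dll_dir = ntpath.dirname(ev.image_loaded).lower()
    exe_dir = ntpath.dirname(ev.image).lower()
    if dll_dir != exe_dir:
        # Loaded from elsewhere (e.g. System32): not the side-by-side sideloading pattern.
        return False
    in_suspicious_dir = any(dll_dir.startswith(p) for p in SUSPICIOUS_DIR_PREFIXES)
    validly_signed = ev.signed and ev.signature_status.lower() == "valid"
    return in_suspicious_dir and not validly_signed


def scan(events: List[ImageLoadEvent]) -> List[str]:
    """Return the ImageLoaded paths of events that match the sideloading heuristic."""
    return [ev.image_loaded for ev in events if is_suspicious_sideload(ev)]


# Constructed sample events (paths and process names are illustrative, not from the page).
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Users\alice\Downloads\Paperwork\viewer.exe",
                   r"C:\Users\alice\Downloads\Paperwork\vulkan-1.dll", False, "Unavailable"),
    ImageLoadEvent(r"C:\Program Files\Common Files\svc\update.exe",
                   r"C:\Program Files\Common Files\svc\libcef.dll", False, "Unavailable"),
    ImageLoadEvent(r"C:\Program Files\SomeGame\game.exe",
                   r"C:\Windows\System32\vulkan-1.dll", True, "Valid"),
    ImageLoadEvent(r"C:\Program Files\Browser\browser.exe",
                   r"C:\Program Files\Browser\libcef.dll", True, "Valid"),
]

if __name__ == "__main__":
    for path in scan(SAMPLE_EVENTS):
        print("suspicious sideload:", path)
```

The rule deliberately requires all three conditions (watched name, same directory as the loader, suspicious location with no valid signature) so that a game legitimately loading vulkan-1.dll from System32, or a browser loading its own signed libcef.dll, is not flagged; the prefix list is the knob to tune for your own environment.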

Indicators of Compromise

  • [IP address] C2 and exfiltration infrastructure – 206.238.115.58, 154.211.86.110
  • [IP address] RomulusLoader and SilentRunLoader infrastructure – 43.156.77.97, 18.139.83.110
  • [IP address] First-stage hosting / payload delivery – 103.214.172.33, 206.238.115.58
  • [Domain/URL] SilentRunLoader C2 and file hosting – ws.ztts88[.]cyou, https://ws.ztts88[.]cyou/file/cg[.]exe
  • [Domain/URL] SilentRunLoader exfiltration endpoint – https://ws.ztts88[.]cyou/upload[.]php, ws.ztts88[.]cyou
  • [Domain/URL] Campaign landing pages and hosted payloads – https://nwphotoblog[.]com, GoFile, MediaFire, LimeWire, srt.tw
  • [File hash] Atlas RAT archives and DLLs – a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295, 584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8
  • [File hash] RomulusLoader artifacts – 40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5, 8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0, 3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d
  • [File hash] RomulusLoader/SyncFuture artifacts – 314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef, 2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d, 0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8
  • [File hash] SilentRunLoader executables and ZIP – e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c, de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2, 9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73
  • [File name] Malicious archives and components – 【給与調整のお知らせ】.zip, Paperwork.zip, HR (2).zip, 会社文書.rar, vulkan-1.dll, vulkan-1.bin, libcef.dll, cg[.]exe
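The indicators above are published defanged (`[.]`), and the same domain appears in more than one defanged spelling, so matching them against real logs needs a refang and normalisation step before comparison. The following is an added example, not code from the report or from Proofpoint; the IP, domain, URL and SilentRunLoader hash values are taken from the list above, while the proxy log lines, client addresses and timestamps are constructed for illustration.

```python
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Network and file indicators copied from the page, kept in their published defanged form.
PAGE_IOCS: Dict[str, List[str]] = {
    "ip": ["206.238.115.58", "154.211.86.110", "43.156.77.97",
           "18.139.83.110", "103.214.172.33"],
    "domain": ["ws.ztts88[.]cyou", "ws[.]ztts88[.]cyou", "nwphotoblog[.]com"],
    "url": ["https://ws.ztts88[.]cyou/file/cg[.]exe",
            "https://ws.ztts88[.]cyou/upload[.]php"],
    "sha256": ["e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c",
               "de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2",
               "9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73"],
}


def refang(indicator: str) -> str:
    """Undo the common defanging conventions ([.] and hxxp) and normalise case."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").strip().lower()


def normalise_url(url: str) -> str:
    """Reduce a URL to scheme://host/path so query strings and case do not block a match."""
    p = urlparse(refang(url))
    return f"{p.scheme}://{p.hostname}{p.path or '/'}"


IP_SET = {refang(x) for x in PAGE_IOCS["ip"]}
DOMAIN_SET = {refang(x) for x in PAGE_IOCS["domain"]}   # both spellings collapse to one
URL_SET = {normalise_url(x) for x in PAGE_IOCS["url"]}
HASH_SET = {x.lower() for x in PAGE_IOCS["sha256"]}


def classify_url(url: str) -> str:
    """Return 'url', 'domain' or 'ip' for the most specific indicator hit, '' for none."""
    if normalise_url(url) in URL_SET:
        return "url"
    host = urlparse(refang(url)).hostname or ""
    if host in DOMAIN_SET:
        return "domain"
    if host in IP_SET:
        return "ip"
    return ""


def scan_proxy_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Scan 'timestamp client method url status' lines; return (line_no, url, hit_kind)."""
    hits = []
    for n, line in enumerate(lines, start=1):
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line, skip rather than crash the scan
        url = parts[3]
        kind = classify_url(url)
        if kind:
            hits.append((n, url, kind))
    return hits


def match_hashes(hashes: List[str]) -> List[str]:
    """Return the SHA-256 values (any case) that appear in the page's indicator list."""
    return [h for h in hashes if h.lower() in HASH_SET]


# Constructed sample log lines (clients, timestamps and the example.com entry are made up).
SAMPLE_PROXY_LOG = [
    "2026-03-02T09:14:03Z 10.0.0.21 GET https://ws.ztts88.cyou/file/cg.exe 200",
    "2026-03-02T09:14:09Z 10.0.0.21 POST https://ws.ztts88.cyou/upload.php?h=1 200",
    "2026-03-02T09:15:00Z 10.0.0.22 GET https://example.com/index.html 200",
    "2026-03-02T09:16:11Z 10.0.0.23 GET http://206.238.115.58/ 200",
]

if __name__ == "__main__":
    for line_no, url, kind in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {line_no}: {kind} indicator hit on {url}")
```

Matching on the normalised URL first and falling back to host and then IP gives the most specific hit type for triage: a hit on the `upload.php` endpoint points at exfiltration, while a bare domain or IP hit only tells you that the infrastructure was contacted.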

Read more: https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global