Chinese hackers use new Atlas RAT malware in European cyberattacks

A Chinese-speaking cybercrime group tracked as TA4922 has expanded operations into Europe, using new malware such as Atlas RAT, RomulusLoader, and SilentRunLoader alongside localized phishing lures. Proofpoint says the actor is highly active, financially motivated, and may be using AI-assisted development to accelerate its malware arsenal. #TA4922 #AtlasRAT #RomulusLoader #SilentRunLoader #ValleyRAT

Key points

  • TA4922 has shifted targeting from East Asia to Europe and South Africa.
  • The group uses localized phishing lures posing as payroll, tax, VAT, and government notices.
  • Proofpoint linked the actor to Atlas RAT, a new backdoor with surveillance and theft features.
  • RomulusLoader and SilentRunLoader were used to deploy payloads and steal browser data.
  • The activity cluster is tracked separately from Silver Fox and Void Arachne because it aligns with cybercrime.

Read More: https://www.bleepingcomputer.com/news/security/chinese-hackers-use-new-atlas-rat-malware-in-european-cyberattacks/