The Chinese-speaking cybercriminal group TA4922, previously focused on targets in East Asia, has expanded its attack geography to European organizations — in the United Kingdom, Germany, Italy — as well as in South Africa. According to Proofpoint, the group shows a high operational tempo and uses both well-known malware families (ValleyRAT, Atlas RAT) and previously undocumented tools — the RomulusLoader and SilentRunLoader loaders. Organizations in the affected regions should strengthen monitoring of phishing attacks themed around HR and tax notifications, and also restrict DLL side-loading capabilities on endpoints.
Group profile and motivation
Proofpoint tracks the activity under the identifier TA4922, describing it as a Chinese-speaking actor with predominantly financial motivation. According to the researchers, the group aims to obtain remote access to victims’ infrastructure to steal data, commit fraud, resell access, or maintain long-term presence in compromised environments. Proofpoint notes that TA4922 runs more unique campaigns than any other threat actor they track — which indicates an exceptionally high level of operational activity.
It is important to keep in mind that attribution and motivation assessments are based on the analysis of a single vendor and have not been confirmed by independent sources. Nevertheless, Proofpoint emphasizes that the group’s malware has functionality for monitoring victims, which broadens the potential threat spectrum beyond purely financial objectives.
Malware arsenal
TA4922’s toolset combines both known and new malware families:
- Atlas RAT (also known as AtlasCross RAT) is a remote access trojan delivered via DLL side-loading. It was used in most of the documented campaigns against Japanese and European organizations.
- ValleyRAT (Winos 4.0) is a well-known malware family previously associated with Chinese-speaking groups.
- RomulusLoader is a previously undocumented loader written in C. In one of the campaigns, it was used to deploy the legitimate AnyDesk remote access tool and the SyncFuture utility via DLL side-loading.
- SilentRunLoader is a Python-based loader and stealer which, according to Proofpoint, was created using so-called “vibe coding” methods (AI-assisted code generation). Its main function is to drop an executable to extract saved credentials, cookies, and browsing history from Google Chrome.
Timeline of 2026 campaigns
According to Proofpoint, at least seven distinct phishing campaigns were observed between March and April 2026:
- March 6 — attacks on Japanese organizations using HR-themed lures, delivering Atlas RAT via DLL side-loading.
- March 23 — corporate and HR-themed lures against Japanese targets, delivering RomulusLoader via DLL side-loading.
- March 30 — lures impersonating tax authorities targeting organizations in the United Kingdom, delivering SilentRunLoader followed by exfiltration of Chrome data.
- April 2 — HR-themed lures against organizations in the United Kingdom and Germany, delivering Atlas RAT.
- April 7 — invoice-themed lures against Japanese organizations, delivering Atlas RAT.
- April 10 — benefit and compliance-themed lures against organizations in Southeast Asia and the United Kingdom, delivering SilentRunLoader with exfiltration of Chrome data.
- Mid-April — business and tax-themed lures against organizations in Japan and Germany, delivering RomulusLoader followed by deployment of AnyDesk and SyncFuture.
Tactical characteristics
In addition to traditional phishing, Proofpoint researchers observed a distinctive TA4922 tactic — moving communications with victims from email to third-party channels: LINE, WhatsApp, and Microsoft Teams. The goal of this switch is to bypass corporate email security controls (secure gateways, DLP systems, sandboxes) that do not monitor these channels. This allows attackers to deliver malware and steal data while circumventing the primary protection perimeter.
The dominant payload delivery method is DLL side-loading, in which a malicious dynamic library is loaded by a legitimate application. This technique effectively bypasses a range of antivirus solutions because the malicious code executes in the context of a trusted process.
Impact assessment
The expansion of TA4922’s attack geography primarily affects organizations in the United Kingdom, Germany, and Southeast Asia. The use of HR, tax, and business-themed lures points to a wide range of potential victims — from HR departments to finance teams. SilentRunLoader is particularly dangerous: compromising credentials stored in Chrome can lead to a cascading takeover of corporate accounts, especially where multi-factor authentication is not in place.
Deploying the legitimate AnyDesk tool via RomulusLoader establishes a persistent remote access channel that is difficult to distinguish from legitimate use without targeted monitoring.
Practical recommendations
- Restrict DLL side-loading: implement application control policies (AppLocker, WDAC) that prohibit loading DLLs from non-standard directories. Monitor events where legitimate applications load libraries from temporary folders and user directories.
- Control third-party messengers: restrict or monitor the use of LINE, WhatsApp Desktop, and unauthorized instances of Microsoft Teams on corporate devices. Train employees to recognize attempts to move business correspondence into uncontrolled channels.
- Protect browser data: consider disabling Chrome’s built-in password manager in favor of a corporate solution. Monitor access to Chrome profile files (Login Data, Cookies, History) by atypical processes.
- Control AnyDesk: if AnyDesk is not an approved corporate tool, block its installation and execution. Where it is legitimately used, monitor for unauthorized instances.
- Strengthen phishing filtering: update mail gateway rules to detect lures themed around HR notifications, tax documents, and invoices, especially those containing executable attachments or archives.
Seven campaigns in six weeks using three different malware families and constantly changing lures represent a pace that demands a proactive defensive approach. Priority actions include restricting DLL side-loading on endpoints, blocking unauthorized remote access tools, and monitoring access to Chrome credential storage. Organizations in the United Kingdom and Germany should already treat TA4922 as a current threat, without waiting for confirmation from additional sources.