A China-linked cybercrime group known as TA4922 has significantly broadened its operations, extending its targeting beyond East Asia to organizations across Europe and South Africa. Security researchers have observed attacks against businesses in the United Kingdom, Germany, Italy, and South Africa, highlighting the group’s growing global reach.
According to cybersecurity firm Proofpoint, TA4922 has maintained a rapid pace of operations while continuously enhancing its malware toolkit. Alongside established malware families such as ValleyRAT (also known as Winos 4.0) and Atlas RAT (AtlasCross RAT), the threat actor has introduced two previously undocumented tools named RomulusLoader and SilentRunLoader.
TA4922’s Evolving Threat Landscape
Proofpoint tracks the activity under the designation TA4922 and assesses that the group overlaps with the China-linked threat cluster Silver Fox. Unlike the state-sponsored espionage usually associated with China-linked actors, TA4922 appears to be primarily financially motivated.
Researchers assess that the group’s main objective is to gain and maintain remote access to victim networks for activities such as:
- Data theft
- Financial fraud
- Sale of compromised network access
- Long-term persistence within corporate environments
The threat actor has become notable for running a high volume of unique campaigns, making it one of the most active groups monitored by security researchers.
Shift Toward Advanced Phishing Tactics
In recent months, TA4922 has increasingly relied on phishing campaigns designed around human resources, business operations, taxation, compliance, and invoicing themes. These lures are crafted to trick employees into opening malicious files or providing credentials.
A concerning development is the group’s effort to move conversations away from corporate email systems and onto external communication platforms such as:
- LINE
- Microsoft Teams
Once a conversation moves to these channels it falls outside the secure email gateway, mail logging, and attachment sandboxing that most enterprise defences are built around, which gives the attackers a less monitored path for delivering malware and collecting stolen data.
Recent TA4922 Campaigns
March 6, 2026
The group targeted Japanese organizations using human resources-themed phishing emails to distribute Atlas RAT through DLL side-loading, in which a legitimately signed executable is tricked into loading a malicious DLL placed alongside it in its search path.
March 23, 2026
Corporate and HR-themed phishing attacks were launched against Japanese businesses, delivering RomulusLoader, a C-based malware loader, via DLL side-loading.
March 30, 2026
Organizations in the United Kingdom were targeted using tax authority-themed lures. Victims received SilentRunLoader, a Python-based loader and information stealer capable of extracting sensitive Google Chrome data, including:
- Saved credentials
- Browser cookies
- Browsing history
April 2, 2026
HR-related phishing messages targeted organizations in the UK and Germany, leading to the deployment of Atlas RAT.
April 7, 2026
Invoice-themed phishing emails were used against Japanese organizations to distribute Atlas RAT.
April 10, 2026
Organizations across Southeast Asia and the United Kingdom were targeted with benefits and compliance-themed phishing campaigns that delivered SilentRunLoader and exfiltrated Chrome browser data.
Mid-April 2026
Business and tax-related phishing campaigns targeted organizations in Japan and Germany. These attacks deployed RomulusLoader, which subsequently installed remote access tools such as AnyDesk and SyncFuture through DLL side-loading techniques.
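The two mechanisms that recur across these campaigns, a signed host binary side-loading an unsigned DLL from a user-writable folder and a non-browser process reading Chrome's Login Data, Cookies and History files, are both visible in endpoint telemetry. The following is an added example, not code from Proofpoint or the article, of how a detection engineer might express those two heuristics over simplified Sysmon event 7 (image loaded) and Windows Security 4663 (object access) records. The events, file names and the ProcessSigned field are constructed for the example; real Sysmon event 7 records carry the DLL's signature status but not the host process's, so in practice that field would come from joining to the matching process-creation event.

```python
"""Heuristic detections for DLL side-loading and Chrome data-store access.
Added example with a constructed, simplified Sysmon/Security event schema;
not part of the original report."""
import ntpath

# Directories a standard user can write to. A signed host binary loading an
# unsigned DLL from here, beside itself, is the classic side-loading shape.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")
# Directories where legitimately installed DLLs normally live.
TRUSTED_DIR_MARKERS = ("\\windows\\system32\\", "\\windows\\syswow64\\",
                       "\\program files\\", "\\program files (x86)\\")

CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"
CHROME_DATA_FILES = {"login data", "cookies", "history", "web data"}
CHROME_OWNERS = {"chrome.exe"}  # processes expected to open these files


def _norm(path: str) -> str:
    """Lower-case and backslash-normalise a Windows path for matching."""
    return path.replace("/", "\\").lower()


def is_user_writable(path: str) -> bool:
    p = _norm(path)
    if any(m in p for m in TRUSTED_DIR_MARKERS):
        return False
    return any(m in p for m in USER_WRITABLE_MARKERS)


def detect_side_load(ev: dict):
    """Sysmon event 7: a signed host loads an unsigned DLL that sits next to it
    in a user-writable directory. ProcessSigned is a constructed field."""
    if ev.get("EventID") != 7:
        return None
    host, dll = _norm(ev["Image"]), _norm(ev["ImageLoaded"])
    if not dll.endswith(".dll"):
        return None
    same_dir = ntpath.dirname(host) == ntpath.dirname(dll)
    if ev.get("ProcessSigned") and ev.get("Signed") == "false" and same_dir and is_user_writable(dll):
        return {"rule": "dll_sideload", "process": ev["Image"], "dll": ev["ImageLoaded"]}
    return None


def detect_chrome_data_access(ev: dict):
    """Security event 4663: something other than Chrome opens a Chrome profile
    data store (credentials, cookies, history)."""
    if ev.get("EventID") != 4663:
        return None
    target = _norm(ev["ObjectName"])
    if CHROME_PROFILE_MARKER not in target or ntpath.basename(target) not in CHROME_DATA_FILES:
        return None
    if ntpath.basename(_norm(ev["ProcessName"])) in CHROME_OWNERS:
        return None
    return {"rule": "chrome_data_access", "process": ev["ProcessName"], "file": ev["ObjectName"]}


def scan(events):
    """Run both rules over a list of events and return the alerts raised."""
    alerts = []
    for ev in events:
        for rule in (detect_side_load, detect_chrome_data_access):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


# Constructed sample telemetry: one side-load, two Chrome data reads by
# non-browser processes, and three benign events that must not alert.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Invoice\viewer.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Invoice\libcurl.dll",
     "Signed": "false", "ProcessSigned": True},
    {"EventID": 7, "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true", "ProcessSigned": True},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Local\Programs\app\app.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Programs\app\ffmpeg.dll",
     "Signed": "true", "ProcessSigned": True},
    {"EventID": 4663, "ProcessName": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Temp\Invoice\viewer.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"EventID": 4663, "ProcessName": r"C:\Users\alice\AppData\Local\Programs\Python\python.exe",
     "ObjectName": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\History"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Both rules are deliberately narrow to keep noise down: the side-load rule only fires when the DLL sits in the same user-writable directory as its signed host, and the Chrome rule trusts the process name, which an attacker can spoof, so a production version should also check the accessing binary's path and signature and carry an allowlist for legitimate backup or sync agents.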
Why Organizations Should Be Concerned
Although TA4922 is primarily viewed as a financially motivated cybercriminal group, the capabilities of its malware extend beyond financial theft. Researchers warn that the tools used by the group could also support surveillance operations, creating the possibility that access or stolen information could be sold to espionage-focused actors.
The expansion of TA4922's activities into multiple regions demonstrates how rapidly modern cybercriminal groups can adapt and scale their operations. Organizations should remain vigilant against phishing attempts, monitor endpoints for DLL side-loading and for unexpected access to browser credential stores, treat requests to move business conversations to LINE or Microsoft Teams as a warning sign, and educate employees about these social engineering tactics.
Conclusion
TA4922’s expansion into Europe and South Africa marks a significant evolution in the group’s operations. With an expanding malware arsenal, sophisticated phishing techniques, and a willingness to leverage alternative communication platforms, the threat actor represents a growing risk to organizations worldwide. Businesses should proactively enhance their cybersecurity defenses to reduce exposure to these increasingly sophisticated attacks.
