[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frxclBRAdmvLE_wSVDFuNShP2HA1KGE7UlLFDOGE6m58":3},{"article":4,"iocs":42},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":26,"category":27,"article_tags":31},"b75064de-6254-468e-b6ea-d593a7c146ab","China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa","china-linked-ta4922-expands-phishing-attacks-to-uk-germany-italy-and-south-afric-c74261","A new China-linked cybercrime group known as TA4922 has expanded its targeting focus to target European organizations in the U.K., Germany, Italy, and South Africa. These efforts have been complemented by a \"rapid operational tempo\" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously","TA4922, a financially motivated Chinese threat actor, has significantly expanded its targeting scope from East Asia to include European organizations across the UK, Germany, Italy, and South Africa. The group uses sophisticated phishing campaigns with HR and business-themed lures to deliver multiple malware families including known tools (ValleyRAT, Atlas RAT) and previously undocumented loaders (RomulusLoader, SilentRunLoader), while shifting to out-of-band communication channels like LINE and WhatsApp to evade security controls. Proofpoint notes the actor demonstrates a \"rapid operational tempo\" and continuously evolving arsenal, though malware capabilities suggest potential for espionage repurposing despite primary financial motivation.","China-linked TA4922 expands phishing campaigns to UK, Germany, Italy using ValleyRAT, Atlas RAT, and new loaders.","China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa Ravie LakshmananJun 04, 2026Malware \u002F Cybercrime A new China-linked cybercrime group known as TA4922 has expanded its targeting focus to target European organizations in the U.K., Germany, Italy, and South Africa. These efforts have been complemented by a \"rapid operational tempo\" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader, according to Proofpoint. The enterprise security company is keeping tabs on the activity under the moniker TA4922, describing it as a Chinese-speaking threat actor largely targeting East Asia. TA4922 is assessed to share some level of overlap with Silver Fox, with the threat actor's tradecraft more focused on cybercriminal objectives than espionage. \"The actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain, such as data theft, fraud, access resale, or persistent access,\" the company said, characterizing it as an adversary conducting \"more unique campaigns\" than any other threat actor it tracks. In recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader. Another notable shift involves attempts to move conversations from emails to out-of-band communication channels like LINE, WhatsApp, and Microsoft Teams, allowing the attackers to bypass enterprise security controls and steal data or deliver malware. Details of some of the recently observed TA4922 phishing campaigns are below - March 6, 2026: Using human resources-related lures in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading March 23, 2026: Using corporate- and human resources-themed lures in attacks targeting Japanese organizations to deliver a C-based loader called RomulusLoader via DLL side-loading March 30, 2026: Using tax authority-related lures in attacks targeting organizations in the U.K. to deliver a vibe-coded Python-based loader and stealer called SilentRunLoader, which then drops an executable to harvest sensitive data from Google Chrome including stored credentials, cookies, and browsing information April 2, 2026: Using human resources communication lures in attacks targeting organizations in the U.K. and Germany to deliver Atlas RAT via DLL side-loading April 7, 2026: Using invoice-related lures in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading April 10, 2026: Using benefits- and compliance-themed lures in attacks targeting organizations across Southeast Asia and the U.K. to deliver SilentRunLoader via DLL side-loading and exfiltrate Chrome data Mid-April 2026: Using business- and tax-related themes in attacks targeting organizations in Japan and Germany to deliver RomulusLoader, which is then used to deploy AnyDesk and SyncFuture via DLL side-loading \"While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups,\" Proofpoint said. \"The global nature of this actor shows how organizations should be aware of emerging and complex threats, regardless of geographic targeting. These types of actors can quickly expand and scale their tactics to include more targets at any time.\" Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  china, Credential Theft, Cybercrime, cybersecurity, data theft, Malware, Phishing, Proofpoint, Remote Access Trojan ⚡ Top Stories This Week Google June 2026 Android Update Patches 124 Flaws, One Actively Exploited Oracle WebLogic CVE-2024-21182 Added to KEV Catalog After Active Exploitation Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded Miasma Supply Chain Attack Compromises Red Hat npm Packages with Credential-Stealing Worm ⚡ Weekly Recap: New Linux Flaw, PAN-OS Exploit, AI-Powered Attacks, OAuth Phishing and More OpenAI Codex Authentication Tokens Stolen in codexui-android npm Supply Chain Attack PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation ChatGPhish Vulnerability Turns ChatGPT Web Summaries Into a Phishing Surface Attackers Use LLM Agent for Post-Exploitation After Marimo CVE-2026-39987 Exploit Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer Microsoft Slams Public Zero-Day Disclosures Amid GitHub Researcher Account Removal ThreatsDay Bulletin: Claude Security Plugin, Azure Priv-Esc, Kali365 MFA Bypass, FIFA Scams +15 More Malicious npm Package Stole Files From Claude AI User Directory via GitHub GlassWorm Malware Takedown Disrupts Developer Supply Chain Attack Infrastructure AI Chatbot Recommendations Redirect Users to Cryptojacking Malware Sites Microsoft Patches SharePoint RCE Flaw CVE-2026-45659 Across Server Versions ⭐ Featured Resources Your Employees Are Using AI in Ways You Can’t See – 2026 State of AI Report Learn How to Stop Attacks Before They Reach Your EDR – With PHASR Watch AI Turn Vulnerabilities Into Working Exploits in Minutes (See the Demo) [Guide] The Real Security Risks of Shadow AI (And Where You’re Exposed)","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fchina-linked-ta4922-expands-phishing.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEhq_JkP80d1IA8rz-SoYEBmuGqK_K7OpGrqiki4vB1ShMW5mFBVSMvl8H5MnYylZMl3AWeqdAmp19oZIL_7amYErNxBGiUAJqrOqGO0zjHH2jxCKCNdiGH_nqjHlksD9dlu4QGCq9KzMRfnWAi7YnPQQ86pnCypNupFDn_h-hSJdfhWT0Y4s01w6Cw-s6Od\u002Fs1600\u002Fphishing-hook.jpg","2026-06-04T12:22:25+00:00","2026-06-04T14:00:26.832593+00:00",9,[18,21,23],{"name":19,"type":20},"TA4922","threat_actor",{"name":22,"type":20},"Silver Fox",{"name":24,"type":25},"Proofpoint","vendor","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":26,"icon":28,"name":29,"slug":30},null,"Malware","malware",[32,37],{"category":33},{"id":34,"icon":28,"name":35,"slug":36},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":38},{"id":39,"icon":28,"name":40,"slug":41},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[43,46,49,52,55,58],{"type":30,"value":44,"context":45},"ValleyRAT","Also known as Winos 4.0; used in TA4922 campaigns for remote access",{"type":30,"value":47,"context":48},"Atlas RAT","Also known as AtlasCross RAT; primary RAT family used in phishing campaigns targeting Japan, UK, Germany",{"type":30,"value":50,"context":51},"RomulusLoader","Previously undocumented C-based loader used for DLL side-loading; targets Japan, Germany",{"type":30,"value":53,"context":54},"SilentRunLoader","Python-based vibe-coded loader and stealer; targets UK, Southeast Asia; harvests Chrome credentials and browsing data",{"type":30,"value":56,"context":57},"AnyDesk","Remote access tool deployed by RomulusLoader in TA4922 campaigns",{"type":30,"value":59,"context":60},"SyncFuture","Tool deployed alongside AnyDesk via RomulusLoader in mid-April 2026 campaign"]