Back to Feed
Malware | Jun 3, 2026

China-Linked TA4922 Hackers Target UK, Europe With New SilentRunLoader Malware

China-linked TA4922 targets UK and Europe with SilentRunLoader malware via tax and payroll phishing.

Summary

Proofpoint reports that TA4922, a suspected China-aligned cybercrime group, is expanding from East Asia to target organisations in the UK, Germany, Italy, and South Africa with phishing campaigns themed around tax, payroll, and benefits. The group's updated toolkit includes SilentRunLoader, a Python-based stealer and loader likely developed with LLM assistance, alongside variants of ValleyRAT, Atlas RAT, and RomulusLoader. TA4922 employs DLL sideloading, legitimate remote management tools (AnyDesk, SyncFuture), and credential theft to establish persistent access.

Full text

Proofpoint says TA4922, a suspected China-aligned cybercrime group, is targeting UK and European organisations with tax-, payroll- and benefits-themed malware campaigns.

By Waqas | June 3, 2026 | 3 minute read

A suspected China-aligned cybercrime group tracked as TA4922, previously known for targeting organisations in East Asia, is now running campaigns against organisations in the UK, Germany, Italy, and South Africa. Proofpoint researchers said the group has increased its attacks in recent months, using familiar phishing tactics with a growing set of malware tools. The activity includes credential theft, fraud attempts, remote access malware, and the use of legitimate remote management software to help maintain access inside victim networks.

Targeting UK Organisations

For UK organisations, the most relevant activity involves emails designed to look like routine government or business communications. One campaign impersonated tax authorities and referenced VAT filings, payroll tax documents, and regulatory compliance. Another used benefits- and compliance-themed messages that copied the language of government and universal benefits services.

Those lures, according to researchers, were not generic spam: they were written around local business processes that employees already deal with, such as tax paperwork, HR notices, salary files, invoices, and compliance requests. That approach gives attackers a better chance of getting a recipient to open a file, click a link, or move the conversation to another channel.

Proofpoint said TA4922 has historically targeted Japan and other parts of Asia, including Taiwan, Korea, Singapore, and India. The newer activity suggests the group is testing a wider victim pool, with European and African organisations now appearing in its campaigns.
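The lure traits described above (a tax or benefits authority in the display name, a sender domain that does not belong to that authority, and links that go through a URL shortener or to a public file host such as MediaFire) can be checked at the mail gateway before a user ever sees the message. The script below is an added example written for this page, not Proofpoint's tooling or anything from the report: the brand-to-domain allowlist, the shortener and file-host lists, the hmrc-refund-portal.com and dwp-claims.net sender domains, and both sample messages are constructed assumptions for illustration.

```python
"""Mail-gateway triage for the tax/benefits lures described above.

Added example, not Proofpoint's or the author's code. The brand allowlist,
shortener and file-host lists, sender domains and both sample messages are
constructed assumptions for illustration.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Authorities that lures borrow in their display name, mapped to the domains
# that may legitimately send as them (assumption: gov.uk for all three).
IMPERSONATED_BRANDS = {"hmrc": {"gov.uk"}, "universal credit": {"gov.uk"},
                       "dwp": {"gov.uk"}}
# Services that hide the real destination or host the payload; MediaFire is
# the host named in the report, the shorteners are generic examples.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "cutt.ly", "is.gd"}
FILE_HOSTS = {"mediafire.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def _under(host, domains):
    """True if host equals or is a subdomain of any entry in domains."""
    return any(host == d or host.endswith("." + d) for d in domains)


def impersonation_finding(from_header):
    """Display name claims an authority whose domains the sender is not under."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    for brand, legit in IMPERSONATED_BRANDS.items():
        if re.search(rf"\b{re.escape(brand)}\b", name.lower()) and not _under(domain, legit):
            return f"display name {name!r} claims {brand} but sender domain is {domain}"
    return None


def extract_urls(msg):
    """All http(s) URLs in the text and HTML parts of a parsed message."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def link_findings(urls):
    """Flag links whose host is a shortener or a public file host."""
    findings = []
    for url in urls:
        host = (urlparse(url).hostname or "").lower()
        if _under(host, URL_SHORTENERS):
            findings.append(f"shortened link hides its destination: {url}")
        elif _under(host, FILE_HOSTS):
            findings.append(f"link to public file host: {url}")
    return findings


def triage(raw_eml):
    """Return the list of findings for one RFC 5322 message; empty means clean."""
    msg = message_from_string(raw_eml, policy=default)
    findings = []
    hit = impersonation_finding(str(msg["From"] or ""))
    if hit:
        findings.append(hit)
    findings.extend(link_findings(extract_urls(msg)))
    return findings


# Constructed sample following the lure pattern in the report (not a real message).
LURE_EML = """\
From: HMRC Online Services <notices@hmrc-refund-portal.com>
To: payroll@example.co.uk
Subject: Action required: VAT return and PAYE compliance notice
Content-Type: text/plain; charset=utf-8

Your Q1 VAT filing has been flagged for review. Download the compliance pack
from https://www.mediafire.com/file/EXAMPLE/VAT_Compliance_Pack.zip or view
the notice at https://bit.ly/EXAMPLE before 14 June.
"""

# Constructed sample of a message that should pass.
CLEAN_EML = """\
From: HMRC <no-reply@hmrc.gov.uk>
To: payroll@example.co.uk
Subject: Your VAT return has been received
Content-Type: text/plain; charset=utf-8

Thank you. Guidance is at https://www.gov.uk/vat-returns
"""

if __name__ == "__main__":
    for line in triage(LURE_EML):
        print("FLAG:", line)
```

The display-name check is deliberately narrow: it only fires when a named authority appears in the friendly name and the envelope domain is not under that authority's allowlisted domains, so ordinary mail that merely mentions HMRC in the body is untouched. Shortener and file-host hits are triage signals, not verdicts; legitimate senders do use both, which is why the output is a list of reasons for a reviewer rather than a block decision.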
[Image: a tax-themed phishing email impersonating HMRC, and a benefits-themed phishing email using a shortened link to send recipients to a malware download. (Image credit: Proofpoint)]

Updated Malware Kit

The group's malware toolkit has also grown. Proofpoint reported variants of ValleyRAT (also known as Winos4.0), Atlas RAT, RomulusLoader, and SilentRunLoader. Each tool plays a different role, from gaining remote access to loading further payloads or stealing browser data.

SilentRunLoader, a newer Python-based stealer and loader, is one of the more notable additions to TA4922's toolkit because it targets data stored in Google Chrome. Proofpoint said the malware can collect stored credentials, cookies, and browsing information before sending the data to attacker-controlled infrastructure. In the UK tax-themed campaign, the malware was hosted on MediaFire and delivered through links embedded in emails.

TA4922 has also used DLL sideloading, in which a legitimate (often signed) executable loads a malicious DLL that the attacker has placed in the same directory, because Windows searches an application's own folder before the system directories for most DLLs. To a victim the files look like part of a normal document package or business application; in practice the trusted executable starts the malware, and because the running process is itself legitimate the activity is harder to spot with reputation-based scanning.

Another part of the group's modus operandi is the use of legitimate remote management tools such as AnyDesk and SyncFuture. These products have valid business uses, but once attackers have a foothold they can install them to control systems over a channel that looks like ordinary administration. Organisations that already standardise on one RMM product should treat any other RMM binary, or the approved one installed outside its normal path, as worth investigating.

Proofpoint also assessed with high confidence that some of TA4922's newer Python malware, SilentRunLoader included, was developed with help from large language models (LLMs). Researchers pointed to code comments, strings, and unchanged placeholder values as signs that the actor may be using AI tools to produce malware faster.
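The three host-side behaviours in the section above (a hijack-prone system DLL loaded from an application directory, a Chrome credential or cookie store read by something other than Chrome, and a remote management tool started from a user-writable path) each reduce to a small rule over endpoint telemetry. The script below is an added example written for this page, not Proofpoint's detection content. The events are constructed in Sysmon's field vocabulary (ImageLoad is Sysmon event 7, ProcessCreate is event 1), the FileRead record assumes an EDR that logs file reads, since Sysmon does not by default, and the DLL, script-host and RMM name lists are illustrative assumptions rather than indicators from the report.

```python
"""Rules over endpoint telemetry for three TA4922 behaviours named in the
report: DLL sideloading, Chrome credential-store access by a non-browser
process, and RMM tools started from user-writable paths.

Added example, not Proofpoint's code. Events are constructed in Sysmon's field
vocabulary (ImageLoad = event 7, ProcessCreate = event 1); the FileRead record
assumes EDR file-read telemetry, which Sysmon does not produce by default.
"""
import ntpath

SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TRUSTED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# System DLLs that signed applications commonly import and that attackers
# therefore plant beside the EXE. Illustrative assumption; a production list
# would come from a curated source such as HijackLibs.
SIDELOAD_DLL_NAMES = {"version.dll", "dbghelp.dll", "cryptbase.dll",
                      "wtsapi32.dll", "userenv.dll", "profapi.dll"}

# Chrome profile files holding saved logins, cookies and the DPAPI-wrapped key.
CHROME_PROFILE_DIR = "\\google\\chrome\\user data\\"
CHROME_STORES = ("login data", "web data", "cookies", "local state")
BROWSER_IMAGES = {"chrome.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe", "wscript.exe"}

# Assumption: extend with every RMM binary your organisation tolerates.
RMM_IMAGES = {"anydesk.exe"}


def _norm(path):
    return (path or "").lower()


def _base(path):
    return ntpath.basename(_norm(path))


def _dir(path):
    return ntpath.dirname(_norm(path)) + "\\"


def check_sideload(ev):
    """ImageLoad: hijack-prone system DLL loaded from outside the system dirs."""
    dll = _base(ev.get("ImageLoaded"))
    if dll not in SIDELOAD_DLL_NAMES or _dir(ev["ImageLoaded"]).startswith(SYSTEM_DIRS):
        return None
    sig = "unsigned" if _norm(ev.get("Signed")) == "false" else "signed"
    return f"{_base(ev['Image'])} loaded {sig} {dll} from {_dir(ev['ImageLoaded'])}"


def check_chrome_store(ev):
    """FileRead: Chrome credential/cookie store read by a non-Chrome process."""
    target = _norm(ev.get("TargetFilename"))
    if CHROME_PROFILE_DIR not in target or not target.endswith(CHROME_STORES):
        return None
    proc = _base(ev["Image"])
    if proc in BROWSER_IMAGES:
        return None
    kind = "script host" if proc in SCRIPT_HOSTS else "non-browser process"
    return f"{kind} {proc} read {ntpath.basename(target)} in {ntpath.dirname(target)}"


def check_rmm(ev):
    """ProcessCreate: known RMM binary started outside its normal install root."""
    proc = _base(ev["Image"])
    if proc not in RMM_IMAGES or _dir(ev["Image"]).startswith(TRUSTED_INSTALL_ROOTS):
        return None
    return f"{proc} started from {_dir(ev['Image'])} by {_base(ev.get('ParentImage'))}"


RULES = {"ImageLoad": check_sideload, "FileRead": check_chrome_store,
         "ProcessCreate": check_rmm}


def evaluate(events):
    """Return (rule name, finding) pairs for every event that trips a rule."""
    hits = []
    for ev in events:
        rule = RULES.get(ev.get("Event"))
        finding = rule(ev) if rule else None
        if finding:
            hits.append((rule.__name__, finding))
    return hits


# Constructed sample telemetry: three suspicious records, three benign ones.
SAMPLE_EVENTS = [
    {"Event": "ImageLoad", "Image": r"C:\Users\jane\Downloads\VAT_Pack\TaxViewer.exe",
     "ImageLoaded": r"C:\Users\jane\Downloads\VAT_Pack\version.dll", "Signed": "false"},
    {"Event": "ImageLoad", "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
    {"Event": "FileRead", "Image": r"C:\Users\jane\AppData\Local\Temp\pyrun\python.exe",
     "TargetFilename": r"C:\Users\jane\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Event": "FileRead", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\jane\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies"},
    {"Event": "ProcessCreate", "Image": r"C:\Users\jane\AppData\Roaming\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Users\jane\Downloads\VAT_Pack\TaxViewer.exe"},
    {"Event": "ProcessCreate", "Image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, finding in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {finding}")
```

The sideloading rule keys on the combination of a well-known importable DLL name and a non-system directory, so it does not need to know which DLL a given dropper abuses; the location is the signal. The Chrome rule is where a Python-based stealer such as SilentRunLoader stands out, because a python.exe under a temp directory reading Login Data has no benign explanation. Expect benign hits from portable applications and from staff who run AnyDesk without installing it, so treat the output as triage input, not a blocking control.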
[Image: diagram of how RomulusLoader works in this campaign. (Image credit: Proofpoint)]

Financially Motivated Attacks

Proofpoint's report, shared with Hackread.com, states that the actor appears financially motivated, with activity aimed at remote access, data theft, fraud, access resale, or persistent access. Some of TA4922's tools have similarities with those used in espionage cases, but Proofpoint is treating the group as a separate cybercrime operation.

The research adds TA4922 to the growing list of financially motivated groups combining malware, phishing, trusted services, and AI-assisted development. The group's move into the UK and other regions shows that campaigns once concentrated in East Asia are now a direct concern for a wider set of international organisations.

Organisations should be wary of administrative-themed lures: tax filings, payroll documents, benefits notices, and compliance requests sound ordinary at first, which is exactly what makes them useful cover for attackers. That is why employee security awareness training remains essential.

About the author: Waqas. I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in the cybersecurity and tech world. I am also into gaming, reading and investigative journalism.

Indicators of Compromise

  • malware — SilentRunLoader
  • malware — ValleyRAT
  • malware — Atlas RAT
  • malware — RomulusLoader

Entities

  • TA4922 (threat actor)
  • Proofpoint (vendor)
  • SilentRunLoader (product)
  • AnyDesk (product)
  • SyncFuture (product)