[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fma4zIhQ1OFvPWftMN8gXJDmZp9v61gMJA0kxqRzLPHs":3},{"article":4,"iocs":49},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":33,"category":34,"article_tags":38},"80541d67-38a2-4b47-9d56-32699fef884c","Chinese Cybercrime Group in Spotlight for Record Campaign Pace","chinese-cybercrime-group-in-spotlight-for-record-campaign-pace-4e9644","Relying on social engineering, the hacking group engages in credential phishing, malware distribution, and fraud activities. The post Chinese Cybercrime Group in Spotlight for Record Campaign Pace appeared first on SecurityWeek.","Proofpoint reports that Chinese-speaking cybercrime group TA4922 has significantly escalated its malicious activities, expanding from Asia-Pacific targets to Europe and Africa. The group uses social engineering, credential phishing, and multiple malware families (Atlas RAT, RomulusLoader, SilentRunLoader, ValleyRAT) to gain remote access for data theft, fraud, and access resale. TA4922 now conducts more unique campaigns than any other tracked cybercrime actor, demonstrating advanced tradecraft and high operational tempo despite purely financial motivation.","Chinese cybercrime group TA4922 escalates campaign pace targeting Asia, Europe with malware and phishing.","A Chinese-speaking cybercrime group tracked as TA4922 has been escalating activities and expanding to new geographies, Proofpoint reports. Relying on social engineering, the hacking group has been continually updating its arsenal, distributing multiple malware families and also engaging in credential phishing and fraud schemes such as credit card theft. While some of TA4922’s activities overlap with those of the threat actors tracked as Silver Fox and Void Arachne, the group does not appear to engage in espionage, unlike those clusters. 
“The campaigns attributed to TA4922 align more closely with cybercriminal objectives despite the actor’s advanced tradecraft,” Proofpoint says. The cybersecurity firm has been tracking TA4922 malicious email campaigns for over a year and believes that its focus is to obtain remote access to victim organizations for data theft, access resale, fraud, and other financially motivated activities. Using HR, payroll tax, and invoicing themes, the hacking group attempts to lure victims into clicking on malicious links to download malicious payloads or unwittingly share their credentials. Historically, the cybercrime gang has sent hundreds to a few thousand messages per campaign, tailored to specific regions or business functions, targeting organizations in Japan, Taiwan, Korea, Singapore, and India. Recently, the group also started targeting European organizations in the UK, Germany, and Italy, as well as entities in South Africa. TA4922 was also seen launching credential-phishing and imposter campaigns, looking to shift communication from email to out-of-band channels, including messaging platforms such as LINE, WhatsApp, or Microsoft Teams. “Once communication moves to those platforms, the actor is better positioned to extend social engineering, harvest contact information, or deliver malware beyond traditional email security visibility,” Proofpoint says. In March, the threat actor used HR lures in campaigns targeting organizations in Japan with the Atlas RAT backdoor and the RomulusLoader malware loader. In April, the group used HR lures and previous infrastructure in Atlas RAT attacks against organizations in the UK and Germany, but switched to customer service communications lures in another campaign. Multiple April campaigns attributed to TA4922 relied on RomulusLoader to install legitimate Remote Monitoring and Management (RMM) tools, including AnyDesk and SyncFuture. 
At the end of March, the group targeted UK organizations with the SilentRunLoader Python‑based loader and stealer to exfiltrate credentials, cookies, and browsing information from Google Chrome. In April, SilentRunLoader was used in attacks against entities in Southeast Asia and the UK. According to Proofpoint, the cybercrime gang has also been observed using the ValleyRAT (Winos4.0) backdoor and other malware families in attacks. “TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives. While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance which could be used by or sold to espionage groups,” Proofpoint notes. Written By Ionut Arghire. Ionut Arghire is an international correspondent for SecurityWeek. 
","https:\u002F\u002Fwww.securityweek.com\u002Fchinese-cybercrime-group-ta4922-in-spotlight-for-record-campaign-pace\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2024\u002F12\u002FChinese-hacker.jpeg","2026-06-04T11:29:28+00:00","2026-06-04T12:00:20.866611+00:00",8,[18,21,23,25,28,31],{"name":19,"type":20},"TA4922","threat_actor",{"name":22,"type":20},"Silver Fox",{"name":24,"type":20},"Void Arachne",{"name":26,"type":27},"Proofpoint","vendor",{"name":29,"type":30},"AnyDesk","product",{"name":32,"type":30},"SyncFuture","89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5",{"id":33,"icon":35,"name":36,"slug":37},null,"Malware","malware",[39,44],{"category":40},{"id":41,"icon":35,"name":42,"slug":43},"6cbdd207-aaa1-4176-9534-e156b125e917","Nation-state","nation-state",{"category":45},{"id":46,"icon":35,"name":47,"slug":48},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[50,53,56,59],{"type":37,"value":51,"context":52},"Atlas RAT","Backdoor used in March HR-themed campaigns targeting Japanese organizations",{"type":37,"value":54,"context":55},"RomulusLoader","Malware loader used to install RMM tools AnyDesk and SyncFuture in April campaigns",{"type":37,"value":57,"context":58},"SilentRunLoader","Python-based loader and stealer targeting credentials, cookies, and browser data; used against UK and Southeast Asia",{"type":37,"value":60,"context":61},"ValleyRAT (Winos4.0)","Backdoor used in TA4922 attacks"]