Chinese hackers use new Atlas RAT malware in European cyberattacks

Summary

A Chinese-speaking cybercrime group tracked as TA4922 has expanded operations into Europe, deploying previously undocumented malware including Atlas RAT, RomulusLoader, and SilentRunLoader. The group uses localized phishing lures and multi-channel contact methods targeting Germany, Italy, the UK, and South Africa. Proofpoint reports TA4922 conducts more unique campaigns than any other tracked cybercrime actor, with capabilities that could be leveraged or sold to espionage groups.

Full text

Chinese hackers use new Atlas RAT malware in European cyberattacks By Bill Toulas June 3, 2026 05:45 PM 0 A Chinese-speaking cybercrime group has expanded its targeting to the European space, deploying previously undocumented malware and the Atlas backdoor. Tracked as TA4922, the threat actor is associated with financially motivated attacks aimed at breaching target networks for fraud, data theft, and the sale of access. TA4922 has previously targeted organizations in East Asia, but recent campaigns have focused on entities in Germany, Italy, the United Kingdom, and South Africa. Researchers at cybersecurity company Proofpoint note that TA4922 shares overlaps with activity previously reported as ‘Silver Fox’ and ‘Void Arachne. However, the activity cluster is tracked separately as it is more consistent with cybercrime than espionage. Since March, TA4922’s activity has increased sharply, and since April, it has shown unprecedented operational diversity and high tempo. “TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives,” Proofpoint says in a report today. “While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups.” The attacker uses localized phishing lures crafted to appear as payroll notices, tax audits, VAT filings, government compliance notices, invoices, and human resources communications. The threat group also attempts to contact victims via WhatsApp, the LINE messenger, and Microsoft Teams. German lureSource: Proofpoint Atlas RAT and custom loaders Proofpoint reports that TA4922 has significantly expanded its malware arsenal and believes the hackers may be using large language models (LLMs) to accelerate malware development. This conclusion is based on the presence of placeholder values, code comments, and patterns commonly associated with AI-generated code. Proofpoint’s report highlights Atlas RAT, a recently identified remote access trojan that offers attackers the following capabilities: System reconnaissance Targeted file theft Plugin and payload downloads Keylogging Screenshot capturing Audio and webcam recording System shutdown/reboot commands The malware features several anti-sandbox and anti-analysis checks, including looking for usernames and registry keys associated with Microsoft Defender Application Guard, the “CExecSvc” service, and OS UUID. Checks performed by the Atlas RAT loaderSource: Proofpoint The researchers also discovered a new malware loader named RomulusLoader, which downloads and executes additional payloads using process hollowing, shellcode injection, and direct execution. RomulusLoader was deployed to launch legitimate remote management tools such as AnyDesk and SyncFuture, a remote monitoring software tool popular in China. Weirdly, the latter was used in attacks targeting German entities. Overview of the RomulusLoader operationSource: Proofpoint Proofpoint also identified a Python-based loader and information stealer called SilentRunLoader, which steals from Google Chrome credentials, cookies, and browsing data. That malware was deployed against organizations in the United Kingdom and Southeast Asia, using lures that impersonated government services. Finally, the researchers spotted the deployment of Winos4.0, a previously documented malware family that Proofpoint tracks as ValleyRAT and which provides operators with a full set of remote access features. According to Proofpoint, TA4922 is responsible for "more unique campaigns" than any other threat actor the company tracks. The group is moving quickly and uses multiple lures. According to the researchers, the capabilities of the malware used by this actor have "the potential for surveillance which could be used by or sold to espionage groups." Proofpoint's report includes indicators of compromise for the malware and command-and-control (C2) infrastructure used in TA4922's attacks. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Telegram Mini Apps abused for crypto scams, Android malware deliveryOver 116,000 Minecraft systems infected in WeedHack malware campaignWordPress malware campaign hides payloads in Steam profilesChatGPT share links abused to host fake outage pages to deliver malwareDutch govt disrupts malware botnet with 17 million infected devices

Indicators of Compromise

• malware — Atlas RAT
• malware — RomulusLoader
• malware — SilentRunLoader
• malware — Winos4.0

Entities