Proofpoint reported that suspected China-linked cybercrime group TA4922 has expanded beyond its traditional East Asia focus and is now targeting organizations in the UK, Germany, Italy, South Africa, and other regions with localized phishing campaigns. The actor has used lures tied to tax filings, payroll, benefits, invoices, HR notices, and compliance requests to trick recipients into opening attachments, clicking links, or continuing email conversations, with activity increasing from spring 2025 and intensifying in March and April 2026.
The campaigns delivered credential phishing and malware including SilentRunLoader, Atlas RAT, RomulusLoader, and Winos4.0/ValleyRAT. Proofpoint said the group relies on DLL sideloading, anti-analysis techniques, process injection, and selective payload delivery, while also abusing legitimate remote-management and file-sharing tools such as AnyDesk, SyncFuture, GoFile, LimeWire, and MediaFire to blend into normal activity and maintain access. Researchers assessed the actor as primarily financially motivated, pursuing credential theft, fraud, data theft, persistence, and access resale, and said code artifacts in the Python-based SilentRunLoader suggest some malware development may have been assisted by large language models.

The following six events run from the most recent confirmed update back to the earliest known activity.
Proofpoint reported that TA4922 pushes targets from email into out-of-band platforms including LINE, WhatsApp, and Microsoft Teams to continue social engineering and deliver malware outside normal email security visibility. The tactic adds a new publicly described element to the group's tradecraft.
Proofpoint reported that TA4922's malware arsenal includes ValleyRAT in addition to Atlas RAT, RomulusLoader, and SilentRunLoader. This expands the set of malware families publicly associated with the financially motivated group.
Proofpoint said that in March and April 2026, TA4922 conducted multiple campaigns using tax, payroll, HR, benefits, compliance, and invoicing themes to deliver credential phishing, fraud, and malware.
Proofpoint reported that since spring 2025, TA4922 expanded beyond its historical East Asia focus and began targeting organizations more broadly, including in Europe and South Africa, using localized social-engineering campaigns.
Proofpoint assessed with high confidence that some newer Python malware associated with TA4922 was likely developed with assistance from large language models, citing placeholder strings and coding artifacts observed in SilentRunLoader.
Proofpoint disclosed newly identified malware used by TA4922, including Atlas RAT, RomulusLoader, and SilentRunLoader, and described associated techniques such as DLL sideloading, anti-analysis checks, process injection, selective payload delivery, and Chrome data theft.
Sources (8 references tracked): securityonline.info, community.gurucul.com, cybersecuritynews.com, thehackernews.com, darkreading.com, hackread.com, bleepingcomputer.com, proofpoint.com.