China-linked TA4922 widens phishing attacks to Europe and South Africa

A China-linked cybercrime group known as TA4922 has broadened phishing campaigns to organizations in the U.K., Germany, Italy and South Africa, while continuing to target East Asia, according to a technical analysis by Proofpoint. The activity has used malware families including ValleyRAT, Atlas RAT, RomulusLoader and SilentRunLoader.

KEY FACTS

  • Targeting: TA4922 has expanded from East Asia to organizations in Europe and South Africa.
  • Malware: Campaigns have delivered Atlas RAT, RomulusLoader and SilentRunLoader.
  • Lures: Emails have used human resources, business, tax, invoice, benefits and compliance themes.
  • Tactic: The group has pushed conversations to LINE, WhatsApp and Microsoft Teams.

The report says the group is likely financially motivated and focused on remote access for data theft, fraud, access resale or persistent access. It also describes overlap with Silver Fox and says TA4922 has a rapid operational tempo and a changing malware arsenal.

Recent campaigns include attacks on Japanese, U.K., German and Southeast Asian organizations. On March 30, 2026, the group used tax authority lures against U.K. targets to deliver SilentRunLoader, which then harvested Chrome credentials, cookies and browsing data.

Other activity cited in the report includes March attacks on Japanese organizations that delivered Atlas RAT and RomulusLoader through DLL side-loading, and April activity against U.K. and German organizations that used human resources lures to deliver Atlas RAT. Mid-April campaigns used business and tax themes to deploy RomulusLoader and additional tools.

WHY IT MATTERS

The campaigns show how phishing groups can move across regions and adjust lures quickly while using multiple delivery methods. The shift to out-of-band chat platforms may also help attackers avoid email security controls and widen the range of victims.