China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa  Ravie Lakshmanan  Jun 04, 2026 Malware / Cybercrime A new China-linked cybercrime group known as TA4922 has expanded its targeting focus to target European organizations in the U.K., Germany, Italy, and South Africa. These efforts have been complemented by a "rapid operational tempo" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader , according to Proofpoint. The enterprise security company is keeping tabs on the activity under the moniker TA4922, describing it as a Chinese-speaking threat actor largely targeting East Asia. TA4922 is assessed to share some level of overlap with Silver Fox , with the threat actor's tradecraft more focused on cybercriminal objectives than espionage. "The actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain, such as data theft, fraud, access resale, or persistent access," the company said , characterizing it as an adversary conducting "more unique campaigns" than any other threat actor it tracks. In recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader. Another notable shift involves attempts to move conversations from emails to out-of-band communication channels like LINE, WhatsApp, and Microsoft Teams, allowing the attackers to bypass enterprise security controls and steal data or deliver malware. Details of some of the recently observed TA4922 phishing campaigns are below - March 6, 2026: Using human resources-related lures in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading March 23, 2026: Using corporate- and human resources-themed lures in attacks targeting Japanese organizations to deliver a C-based loader called RomulusLoader via DLL side-loading March 30, 2026: Using tax authority-related lures in attacks targeting organizations in the U.K. to deliver a vibe-coded Python-based loader and stealer called SilentRunLoader, which then drops an executable to harvest sensitive data from Google Chrome including stored credentials, cookies, and browsing information April 2, 2026: Using human resources communication lures in attacks targeting organizations in the U.K. and Germany to deliver Atlas RAT via DLL side-loading April 7, 2026: Using invoice-related lures in attacks targeting Japanese organizations to deliver Atlas RAT via DLL side-loading April 10, 2026: Using benefits- and compliance-themed lures in attacks targeting organizations across Southeast Asia and the U.K. to deliver SilentRunLoader via DLL side-loading and exfiltrate Chrome data Mid-April 2026: Using business- and tax-related themes in attacks targeting organizations in Japan and Germany to deliver RomulusLoader, which is then used to deploy AnyDesk and SyncFuture via DLL side-loading "While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups," Proofpoint said. "The global nature of this actor shows how organizations should be aware of emerging and complex threats, regardless of geographic targeting. These types of actors can quickly expand and scale their tactics to include more targets at any time." Found this article interesting? Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. SHARE      Tweet  Share  Share  Share   Share on Facebook  Share on Twitter  Share on Linkedin  Share on Reddit  Share on Hacker News  Share on Email  Share on WhatsApp Share on Facebook Messenger  Share on Telegram SHARE  china , Credential Theft , Cybercrime , cybersecurity , data theft , Malware , Phishing , Proofpoint , Remote Access Trojan ⚡ Top Stories This Week Chrome V8 Zero-Day CVE-2026-11645 Exploited in the Wild - Patch Now New FROST Attack Lets Websites Track What Sites and Apps You Open via SSD Timing One-Character Linux Kernel Flaw Enables Local Root Access, Exploits Now Public ⚡ Weekly Recap: Instagram Account Hacks, Android Zero-Day, GitHub Worm and More New ChatGPT Lockdown Mode Limits Tools That Could Enable Data Exfiltration Free Apps Are Quietly Turning Smart TVs Into Web-Scraping Proxies for AI AI Agent Uncovers 21 Zero-Days in FFmpeg; Chrome Patches Record 429 Bugs Miasma Worm Hits 73 Microsoft GitHub Repositories in Major Supply Chain Attack Cisco Patches CVE-2026-20230 in Unified CM as Exploit Code Goes Public Claude Code GitHub Action Flaw Let One Malicious Issue Hijack Repositories Microsoft Fixes One-Click GitHub Dev Attack That Let Attackers Steal OAuth Tokens Autonomous AI Tool Finds 2-Year-Old RCE Flaw in Redis (CVE-2026-23479) Microsoft 365 Android Apps Let Any App Steal Account Tokens via Leftover Debug Flag Unpatched Windows Search URI Vulnerability Lets Attackers Steal NTLMv2 Hashes New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy and Cloudflare ThreatsDay Bulletin: AI Agents Gone Wrong, Sketchy C2 Tools, ClickFix Tricks, JS Backdoors + 20 New Stories ⭐ Featured Resources Get the 2026 Guide to Govern and Secure Enterprise AI Agents at Scale Catch 88% of Malware Threats in Under 60 Seconds with Live Sandbox Analysis [Guide] Transform Network Operations with Intelligent Workflows See How Agentic AI Cuts Your SOC Triage Time in Half [Get a Demo]