China-Linked TA4922 Expands Global Cybercrime Operations with Evolving Malware Arsenal
A new China-linked cybercrime group, **TA4922**, is rapidly expanding its operations, now targeting organizations across Europe, including the U.K., Germany, and Italy, as well as South Africa. This financially motivated threat actor employs sophisticated phishing campaigns and a diverse malware arsenal, including newly discovered tools like **RomulusLoader** and **SilentRunLoader**, alongside established threats like **ValleyRAT** and **Atlas RAT**.

A new China-linked cybercrime group known as **TA4922** has significantly expanded its targeting, which now includes organizations in the U.K., Germany, and Italy, as well as South Africa.
### Rapid Operational Tempo and Evolving Malware
According to enterprise security company **Proofpoint**, **TA4922** operates with a "rapid operational tempo" and continually evolves its malware arsenal. This includes known families such as **ValleyRAT** (also known as Winos 4.0) and **Atlas RAT** (also known as AtlasCross RAT), alongside previously undocumented tools named **RomulusLoader** and **SilentRunLoader**.
**Proofpoint** has been tracking **TA4922** as a Chinese-speaking threat actor that historically targeted East Asia. The group is assessed to share some overlap with **Silver Fox**, though its tradecraft leans towards cybercriminal objectives rather than traditional espionage.
"The actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain, such as data theft, fraud, access resale, or persistent access," **Proofpoint** stated, characterizing **TA4922** as an adversary conducting "more unique campaigns" than any other threat actor it tracks.
### Sophisticated Phishing and Out-of-Band Communication
In recent months, **TA4922**'s attacks have increasingly relied on phishing campaigns. These typically use human resources- and business-themed lures for credential harvesting, fraud, and malware delivery, including **Atlas RAT**, **RomulusLoader**, and **SilentRunLoader**.
A notable shift in their tactics involves moving conversations out of email and onto out-of-band channels such as **LINE**, **WhatsApp**, and **Microsoft Teams**. Once the exchange leaves email, it is no longer inspected or logged by the secure email gateway, which gives the attackers a less monitored path for data theft or malware delivery.
### Recent Campaign Highlights
* **March 6, 2026:** Human resources-related lures targeted Japanese organizations, delivering **Atlas RAT** via DLL side-loading.
* **March 23, 2026:** Corporate and human resources-themed lures were used against Japanese organizations to deliver **RomulusLoader**, a C-based loader, via DLL side-loading.
* **March 30, 2026:** Tax authority-related lures targeted U.K. organizations, deploying **SilentRunLoader**, a Python-based loader and stealer. This tool then drops an executable to harvest sensitive data from **Google Chrome**, including stored credentials, cookies, and browsing information.
* **April 2, 2026:** Human resources communication lures targeted organizations in the U.K. and Germany, delivering **Atlas RAT** via DLL side-loading.
* **April 7, 2026:** Invoice-related lures were used in attacks against Japanese organizations to deliver **Atlas RAT** via DLL side-loading.
* **April 10, 2026:** Benefits- and compliance-themed lures were deployed against organizations across Southeast Asia and the U.K. to deliver **SilentRunLoader** via DLL side-loading and exfiltrate Chrome data.
* **Mid-April 2026:** Business- and tax-related themes targeted organizations in Japan and Germany to deliver **RomulusLoader**, subsequently used to deploy **AnyDesk** and **SyncFuture** via DLL side-loading.
### Implications for Global Security
While **TA4922** is primarily assessed to be financially motivated, the capabilities of its malware also lend themselves to surveillance, and the access it obtains could be used by or sold to espionage groups. **Proofpoint** warns that the global reach of this actor underscores the need for organizations worldwide to stay vigilant against emerging threats regardless of where those threats are currently targeting, since such actors can expand their targeting quickly and at scale.