TA4922 Targets Europe with New Atlas RAT and AI-Assisted Malware Development

Proofpoint tracks the European expansion of TA4922, a Chinese-speaking cybercrime group deploying the new Atlas RAT, RomulusLoader, and localized phishing lures with evidence of LLM-assisted development.

The Chinese-speaking cybercrime group TA4922 shifted its focus to Europe in March 2026. A new report from Proofpoint documents campaigns targeting Germany, Italy, the United Kingdom, and South Africa using a previously unseen arsenal: the Atlas RAT remote access trojan, RomulusLoader, SilentRunLoader, and highly localized phishing tactics. Proofpoint also assesses the potential use of large language models (LLMs) to accelerate the group's malware development cycles.

Key Takeaways
  • TA4922 is tracked by Proofpoint as a Chinese-speaking cybercrime group, distinct from "Silver Fox" and "Void Arachne" due to its consistent financial motivations.
  • Activity surged drastically in March 2026; since April, the group has demonstrated "operational diversity and high tempo" within Proofpoint’s datasets.
  • Atlas RAT is a previously undocumented remote access trojan featuring anti-sandbox checks based on the detection of Microsoft Defender Application Guard, the CExecSvc service, and OS UUID.
  • Proofpoint identified patterns associated with AI-generated code, including unmodified placeholder values, specific code comments, and recurring structures that suggest LLM-assisted development.

Target Geography: From East Asia to Europe

TA4922 has historically concentrated its operations in Japan, Taiwan, South Korea, Singapore, and India. The pivot toward European markets, documented in campaigns throughout March and April 2026, involves a significant shift in social engineering lures.

Emails and messages—distributed via WhatsApp, LINE, and Microsoft Teams—exploit local administrative themes, including payroll notices, tax audits, VAT declarations, government compliance communications, invoices, and HR documentation.

The localization is precise. In the UK, tax-themed campaigns delivered malware via MediaFire links distributed through email. In Germany, Proofpoint confirms the use of SyncFuture—a remote monitoring software popular in China—as a post-compromise tool. The specificity of these themes indicates detailed preliminary reconnaissance of the administrative cycles within target countries.

"TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives" — Proofpoint, via BleepingComputer

The Attack Chain: Loaders and Living-off-the-Land

TA4922 utilizes a modular malware infrastructure. RomulusLoader, a newly identified loader, downloads and executes additional payloads through process hollowing, shellcode injection, and direct execution. SilentRunLoader is active in UK and European campaigns, utilizing DLL sideloading where a legitimate executable is used to load a malicious library.

The attack chain typically converges on Atlas RAT for remote access, or Winos4.0/ValleyRAT, a documented malware family with full system control capabilities. Persistence is maintained via legitimate Remote Monitoring and Management (RMM) tools: AnyDesk for remote access and SyncFuture for monitoring. The abuse of software with valid digital signatures significantly reduces the visibility of these activities to endpoint defenses.

Atlas RAT incorporates sophisticated environment detection mechanisms, searching for specific usernames, registry keys, and services typical of sandboxes and security containers, including Microsoft Defender Application Guard and the CExecSvc service. This emphasis on evasion suggests development cycles that include rigorous testing against commercial security products.

AI-Generated Code and the Cybercrime-Espionage Nexus

Proofpoint provides a technical assessment regarding the group's development methods: malware samples attributed to TA4922 contain unmodified placeholder values, code comments, and structural patterns commonly associated with generative language model outputs. The analysis suggests that using LLMs to prototype or accelerate malware development is lowering the entry barrier for criminal actors, enabling faster iteration cycles.

This speed likely accounts for the "high tempo" observed in April 2026. When a cybercrime group can generate loader and RAT variants in compressed timeframes, signature-based countermeasures become reactive and systematically delayed. The report does not specify which LLMs or toolchains are involved, nor does it provide statistical comparisons with pre-2026 samples.

Proofpoint emphasizes the dual nature of this threat. "While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups." The ability to maintain persistent remote access, combined with anti-analysis features and geographic localization, represents a highly valuable asset for resale.

Strategic Defenses and Mitigation

TA4922 campaigns are distinguished by their localization precision rather than the technical sophistication of their initial vectors. Effective countermeasures should focus on three specific areas identified in the report.

First, phishing themes replicate real-world administrative processes—payroll, VAT, tax audits, and government compliance. Security teams must align phishing simulations with the actual fiscal cycles of the countries where the organization operates, rather than relying on generic templates. The UK VAT campaign, for instance, coincided with actual British filing deadlines.

Second, the abuse of legitimate RMM tools—specifically AnyDesk and SyncFuture—requires endpoint execution policies that track these tools as high-risk software rather than trusted applications by default. SyncFuture, while popular in China, is rare in Europe and warrants particular scrutiny in network logs.
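The RMM-abuse point above, as an added example that is not from the Proofpoint report or from any vendor tool: a small Python scanner over constructed Sysmon-style log lines that flags AnyDesk and SyncFuture process launches and network connections, rates SyncFuture and any RMM binary started from a user-writable path as high severity, and downgrades only hosts on an explicit approved-deployment list. The log format, the name-based signatures, the hosts and the approved list are all assumptions.

```python
# Added example: treat RMM tools as high-risk by default, not trusted by default.
import re
from dataclasses import dataclass

# Assumption: matching the product name in the image path is a hypothetical
# signature; the page gives no binary names for either tool.
RMM_SIGNATURES = {
    "AnyDesk": re.compile(r"anydesk", re.IGNORECASE),
    "SyncFuture": re.compile(r"syncfuture", re.IGNORECASE),
}
USER_PATH = re.compile(r"\\Users\\", re.IGNORECASE)  # user-writable install location
APPROVED = {("it-helpdesk-01", "AnyDesk")}  # constructed sanctioned deployments
# Constructed Sysmon-style line: "<ts> host=<h> event=<e> image=<path> [dest=<ip:port>]"
LOG_LINE = re.compile(r"host=(?P<host>\S+) event=(?P<event>\S+) image=(?P<image>.+?)(?: dest=(?P<dest>\S+))?$")

@dataclass(frozen=True)
class Alert:
    host: str
    tool: str
    event: str
    severity: str
    dest: str = ""

def severity_for(host, tool, image):
    """info on approved hosts; high for SyncFuture (rare in Europe) or any RMM
    binary under \\Users\\; medium for an unapproved but normally placed AnyDesk."""
    if (host, tool) in APPROVED:
        return "info"
    if tool == "SyncFuture" or USER_PATH.search(image):
        return "high"
    return "medium"

def scan(lines):
    """Return one Alert per RMM signature hit, in log order."""
    alerts = []
    for line in lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        for tool, sig in RMM_SIGNATURES.items():
            if sig.search(m["image"]):
                alerts.append(Alert(m["host"], tool, m["event"],
                                    severity_for(m["host"], tool, m["image"]),
                                    m["dest"] or ""))
    return alerts

SAMPLE_LOGS = [  # constructed telemetry, not real data
    "2026-04-02T09:14:03Z host=it-helpdesk-01 event=ProcessCreate image=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
    "2026-04-02T09:15:41Z host=fin-ws-17 event=ProcessCreate image=C:\\Users\\j.mueller\\AppData\\Local\\Temp\\AnyDesk.exe",
    "2026-04-02T09:16:02Z host=fin-ws-17 event=NetworkConnect image=C:\\Users\\j.mueller\\AppData\\Local\\Temp\\SyncFuture\\sf.exe dest=203.0.113.9:443",
    "2026-04-02T09:17:30Z host=fin-ws-17 event=ProcessCreate image=C:\\Windows\\System32\\notepad.exe",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"[{a.severity}] {a.host}: {a.tool} via {a.event} {a.dest}")
```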

Third, RomulusLoader and SilentRunLoader utilize documented techniques—process hollowing, shellcode injection, and DLL sideloading—that modern EDR solutions detect when correctly configured. The priority is not necessarily the acquisition of new tools, but verifying that detection rules for these specific techniques are active and not disabled for operational convenience.

The Proofpoint report includes indicators of compromise (IoCs) for the malware and C2 infrastructure. SOCs must ensure these IoCs are ingested into threat intelligence feeds before the June-July 2026 campaigns, which typically see increased volume due to European fiscal cycles.

Closing

TA4922 demonstrates that Chinese-speaking cybercrime is investing heavily in localization and development speed over technical complexity. The expansion from East Asia to Europe within four months, featuring more unique campaigns than any other actor tracked by Proofpoint, indicates significant resources and organization. While the assessment of LLM usage remains pattern-based, the operational data—the minimal time between the reconnaissance of an administrative cycle and the launch of a corresponding campaign—is measurable and accelerating. For defenders, the advantage lies in recognizing that social engineering has become the primary differentiator, rather than the underlying malware.

Information is based on the cited source and is current at the time of publication.

Sources and references
  1. bleepingcomputer.com
  2. hackread.com
  3. thehackernews.com
  4. nvd.nist.gov