China-linked TA4922 targets U.K., Germany, Italy and South Africa

China-linked TA4922 expanded HR- and business-themed phishing to the U.K., Germany, Italy and South Africa, deploying Atlas RAT, ValleyRAT, RomulusLoader and SilentRunLoader.

TA4922, a Chinese-speaking cybercrime group tracked by security firm Proofpoint, expanded phishing campaigns in early 2026 to target organizations in the U.K., Germany, Italy and South Africa. The attacks used human-resources and business-themed lures to prompt recipients to open malicious files or links.

Proofpoint observed the group sending emails that mimicked HR, corporate, tax and invoice communications to harvest credentials, commit fraud and deliver remote-access trojans and loaders. Observed malware includes Atlas RAT (also called AtlasCross RAT), ValleyRAT (Winos 4.0), and two previously undocumented loaders, RomulusLoader and SilentRunLoader.

Proofpoint mapped a series of campaigns from March to mid-April 2026. On March 6, HR-themed messages to Japanese organizations delivered Atlas RAT via DLL side-loading. On March 23, a C-based loader identified as RomulusLoader was used against Japanese targets with corporate and HR pretexts. On March 30, a tax-themed campaign in the U.K. deployed a Python-based loader and stealer named SilentRunLoader, which dropped an executable that harvested Google Chrome stored credentials, cookies and browsing data.

In April, the actor continued HR- and benefits-themed campaigns that delivered Atlas RAT and SilentRunLoader to targets in the U.K., Germany and Southeast Asia. Mid-April activity used business- and tax-related lures to deploy RomulusLoader, which then installed AnyDesk and SyncFuture via DLL side-loading.
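The two behaviours described above, a stealer reading Chrome's on-disk credential stores and a loader bringing in legitimate software through DLL side-loading, both leave host telemetry that is easy to match on. The following detection logic is an added example, not Proofpoint's detection content and not derived from the samples named in this article; it runs two generic heuristics over a handful of constructed events whose field names loosely follow Sysmon's image-load record (Image, ImageLoaded, Signed) and an EDR-style file-read record. All paths, process names and the "Signed" values in the sample data are assumptions made up for illustration.

```python
"""Two heuristic detections over constructed endpoint events (added example).

Rule 1: a process other than the browser reads Chrome's credential/cookie/
        history stores under ...\\Google\\Chrome\\User Data\\.
Rule 2: an executable outside the Windows/Program Files trees loads an
        UNSIGNED DLL from its own directory (classic DLL side-loading shape).

Field names and every sample path below are constructed for this example;
they are modelled on Sysmon EID 7 / EDR file-read telemetry, not copied from
any real product output.
"""
import ntpath

# Chrome SQLite stores a stealer typically copies (file basenames, lower-case).
CHROME_STORES = {"login data", "cookies", "history", "web data"}
CHROME_PROFILE_MARKER = "\\google\\chrome\\user data\\"
BROWSER_IMAGES = {"chrome.exe"}
# Directories treated as "trusted install locations" for rule 2 (tuning choice).
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def is_chrome_store_access(event):
    """Rule 1: non-browser process touching a Chrome credential/cookie store."""
    target = event["TargetFilename"].lower()
    if ntpath.basename(target) not in CHROME_STORES:
        return False
    if CHROME_PROFILE_MARKER not in target:
        return False
    return ntpath.basename(event["Image"].lower()) not in BROWSER_IMAGES


def is_suspicious_sideload(event):
    """Rule 2: unsigned DLL loaded from the host executable's own directory,
    where that directory is not a system/Program Files location."""
    host = event["Image"].lower()
    dll = event["ImageLoaded"].lower()
    if not dll.endswith(".dll") or event.get("Signed", "true").lower() == "true":
        return False
    host_dir = ntpath.dirname(host)
    if host_dir.startswith(SYSTEM_DIRS):
        return False  # tuning: vendor DLLs under Program Files are often unsigned
    return ntpath.dirname(dll) == host_dir


def run_detections(events):
    """Return a list of (rule_name, process_image, target) tuples."""
    alerts = []
    for e in events:
        if e["Type"] == "FileRead" and is_chrome_store_access(e):
            alerts.append(("chrome_store_access_by_non_browser",
                           e["Image"], e["TargetFilename"]))
        elif e["Type"] == "ImageLoad" and is_suspicious_sideload(e):
            alerts.append(("unsigned_dll_sideload_from_exe_dir",
                           e["Image"], e["ImageLoaded"]))
    return alerts


# Constructed sample telemetry (not real events): two benign, three suspicious.
SAMPLE_EVENTS = [
    {"Type": "FileRead",
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Type": "FileRead",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Type": "FileRead",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"Type": "FileRead",
     "Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe",
     "TargetFilename": r"C:\Users\jdoe\Documents\notes.txt"},
    {"Type": "ImageLoad",
     "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\rpcss.dll", "Signed": "true"},
    {"Type": "ImageLoad",
     "Image": r"C:\Users\jdoe\AppData\Roaming\Benefits\viewer.exe",
     "ImageLoaded": r"C:\Users\jdoe\AppData\Roaming\Benefits\version.dll", "Signed": "false"},
    {"Type": "ImageLoad",
     "Image": r"C:\Program Files\Vendor\tool.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
]

if __name__ == "__main__":
    for rule, image, target in run_detections(SAMPLE_EVENTS):
        print(f"[{rule}] {image} -> {target}")
```

On the sample data this yields three alerts: two for `update.exe` reading `Login Data` and `Cookies`, and one for `viewer.exe` loading an unsigned `version.dll` from its own AppData directory. The unsigned `helper.dll` under Program Files is deliberately not flagged; whether to trust that tree is a tuning decision, and in practice rule 2 needs an allow-list of known vendor applications before it is quiet enough to page on. Neither rule identifies a specific malware family; they catch the behaviour, which is the point when the loader names change between campaigns.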

Operators moved some conversations off email to out-of-band channels such as LINE, WhatsApp and Microsoft Teams to conduct negotiations and transfer additional tools outside enterprise email controls.

Proofpoint assesses the actor is financially motivated and seeks persistent access for data theft, fraud, resale of access or other profit-driven activity. The security firm also noted the malware includes features that could enable surveillance and could be repurposed or sold to other actors.

Proofpoint wrote, “The actor is likely financially motivated and focused on obtaining remote access to victim environments for financial gain, such as data theft, fraud, access resale, or persistent access.”
