China-Linked TA4922 Expands Phishing Campaigns Across U.K., Germany, Italy, and South Africa

A China-linked cybercrime group identified as TA4922 has expanded its phishing activity beyond East Asia and is now targeting organizations across the United Kingdom, Germany, Italy, and South Africa, according to new findings released by the cybersecurity company Proofpoint. Researchers said the threat actor has increased both the scale and speed of its operations while continuously evolving its malware toolkit to compromise business environments. The group, which has primarily targeted East Asian entities in the past, is now demonstrating broader geographic ambitions through phishing campaigns that combine credential theft, malware delivery, fraud, and unauthorized-access techniques aimed at organizations in multiple regions.

Proofpoint, which tracks the activity under the name TA4922, described the threat actor as a Chinese-speaking cybercriminal operation believed to overlap to some extent with another threat cluster known as Silver Fox. While the group appears to have technical capabilities often associated with surveillance-focused operations, researchers assess its current motivations as largely financial. According to the company, TA4922 is focused on obtaining remote access to victim networks to facilitate activities including data theft, fraudulent operations, resale of compromised access, and long-term persistence inside targeted environments. Security analysts noted that the actor conducts a higher volume of unique campaigns than many other threat groups currently monitored, suggesting an aggressive and adaptive approach to cybercrime operations. The malware arsenal linked to the group includes previously known tools such as ValleyRAT (also called Winos 4.0) and Atlas RAT (also known as AtlasCross RAT), alongside newly documented malware families including RomulusLoader and SilentRunLoader. Researchers said these tools have enabled the attackers to expand their operational capabilities while refining the methods used to infiltrate enterprise systems.

Recent campaigns attributed to TA4922 reveal a pattern of phishing attacks disguised as human-resources communications, business correspondence, invoices, compliance messages, and tax-related notifications. During March 2026, the group reportedly targeted Japanese organizations using human-resources-themed lures to deliver Atlas RAT through DLL side-loading. Later that month, corporate- and employment-themed messages were used again to spread RomulusLoader, a loader written in C and delivered through similar methods. Toward the end of March, organizations in the United Kingdom became targets of phishing emails impersonating tax authorities to deliver SilentRunLoader, a Python-based malware capable of stealing sensitive information stored in Google Chrome, including saved credentials, cookies, and browsing activity. Researchers observed additional attacks during April that broadened geographic targeting to organizations in Germany and Southeast Asia while continuing to use employment-, benefits-, invoice-, and compliance-related lures to trick recipients into opening malicious attachments.

Another important shift observed by Proofpoint involves efforts by the attackers to move communications away from traditional email and into alternative messaging platforms such as LINE, WhatsApp, and Microsoft Teams. Security experts believe this tactic is designed to bypass enterprise email protections and increase opportunities for malware deployment or data theft through more trusted communication channels. In several cases observed during April, business- and tax-themed campaigns targeting Japanese and German organizations reportedly used RomulusLoader to deploy legitimate remote-access applications such as AnyDesk and SyncFuture through DLL side-loading. Researchers cautioned that although the group currently appears financially motivated, the malware used in these campaigns possesses surveillance capabilities that could potentially support espionage-related activity or be sold to other actors. Proofpoint emphasized that the international reach of TA4922 demonstrates how threat groups can quickly scale operations and shift targeting strategies, reinforcing concerns that organizations across different regions and industries remain exposed to increasingly sophisticated phishing and malware threats.
