A rapidly evolving threat cluster tracked as TA4922 is a Chinese-speaking cybercriminal actor deploying a diverse and expanding malware arsenal that now includes Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT.
The group is notable for its high operational tempo, shifting tactics, and ability to blend custom malware with legitimate tools and cloud services, complicating detection efforts across enterprise environments.
Recent campaigns show a clear increase in both scale and sophistication, with attacks leveraging localized social engineering lures themed around human resources, payroll, taxation, and invoicing.
These lures are carefully adapted to regional language and business norms, increasing their success rate.
Proofpoint assesses that TA4922 is financially motivated, focusing on gaining remote access to victim systems for data theft, credential harvesting, fraud, or access resale.
Unlike traditional cybercriminal groups, TA4922 frequently runs overlapping operations with multiple objectives, combining phishing, malware delivery, and social engineering within the same campaign.
A defining characteristic of TA4922 is its use of multiple malware families within short timeframes. Atlas RAT, one of the primary payloads, is delivered via DLL sideloading through malicious ZIP archives hosted on platforms such as GoFile.
Campaigns mostly target organizations in Japan, with additional targeting in Asia including Taiwan, Korea, Singapore, and India. In recent months, the actor expanded global targeting to include European organizations in the U.K., Germany, Italy, and South Africa.
Campaigns observed in March and April 2026 used HR-themed emails to trick victims into executing files that ultimately connect to command-and-control servers over TCP port 886.
Proofpoint said in a report shared with GBhackers that TA4922 has been active since at least spring 2025, initially targeting organizations across East Asia, particularly Japan, before expanding operations into Europe and Africa in 2026.
The malware provides persistent remote access and supports modular plugin-based functionality.
RomulusLoader represents a newly identified loader family used to stage additional payloads. Delivered through similar social engineering techniques, it uses DLL sideloading and advanced execution methods including process injection and encrypted payload delivery.
Once executed, it establishes persistence, injects into processes such as svchost.exe, and communicates with command-and-control infrastructure to retrieve secondary payloads.
TA4922 Deploys New RAT
Notably, TA4922 uses RomulusLoader to deploy legitimate remote management tools like AnyDesk and SyncFuture, allowing attackers to blend malicious activity with normal administrative traffic.
The URLs in the HR-themed emails led to ZIP files hosted on GoFile with filenames such as “Paperwork.zip” and “HR (2).zip”. Each archive contained an executable alongside a malicious DLL, libcef.dll; running the executable triggered DLL sideloading and resulted in the deployment of Atlas RAT.

SilentRunLoader, another newly observed payload, is a Python-based loader and stealer designed to harvest sensitive data from Google Chrome.
It exfiltrates credentials, cookies, and browsing data via HTTP POST requests to attacker-controlled infrastructure. Analysis indicates the malware may be partially generated using large language models, as evidenced by placeholder API keys and simplistic code structure.
The SyncFuture campaign targeted organizations in Germany and impersonated the Munich tax authority (Finanzamt München). The messages claimed the target was subject to a tax audit.
SilentRunLoader was installed via DLL sideloading and exfiltrated Chrome data to previously observed C2 infrastructure hosted at “ws[.]ztts88[.]cyou”, which resolved to IP address 18[.]139[.]83[.]110.

This suggests TA4922 is leveraging automated development techniques to rapidly produce new malware variants.
In addition to malware deployment, TA4922 frequently attempts to move communication outside traditional email channels. Campaigns often instruct victims to continue conversations via platforms such as LINE, WhatsApp, or Microsoft Teams.
This tactic reduces visibility for email-based security controls and enables more effective social engineering.
The actor shows infrastructure and tooling overlaps with clusters known as Silver Fox or Void Arachne, though Proofpoint tracks TA4922 as a distinct entity.
Its consistent use of Chinese-language artifacts, regional targeting patterns, and infrastructure linked to Chinese providers further supports attribution to a Chinese-speaking ecosystem.
Overall, TA4922 exemplifies a new generation of cybercriminal operations that combine advanced tradecraft with flexible, fast-evolving malware development.
Its ability to rotate payloads, exploit legitimate tools, and scale globally makes it a significant threat to organizations across multiple sectors.
IOCs
| Indicator | Description | First Seen |
|---|---|---|
| 206.238.115.58 | Atlas RAT C2 | 6 March 2026 |
| a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295 | ZIP archive (【給与調整のお知らせ】.zip) delivering Atlas RAT | 6 March 2026 |
| 584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8 | Atlas RAT DLL (libcef.dll) | 6 March 2026 |
| 154.211.86.110 | Atlas RAT C2 | 2 April 2026 |
| 66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d | ZIP archive (Paperwork.zip) delivering Atlas RAT | 2 April 2026 |
| 4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d | ZIP archive (HR (2).zip) delivering Atlas RAT | 2 April 2026 |
| a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad | Atlas RAT DLL (libcef.dll) | 2 April 2026 |
| 43.156.77.97 | RomulusLoader C2 | 23 March 2026 |
| 40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5 | RAR archive (会社文書.rar) delivering RomulusLoader | 23 March 2026 |
| 8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0 | RomulusLoader DLL (vulkan-1.dll) | 23 March 2026 |
| 3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d | RomulusLoader component (vulkan-1.bin) | 23 March 2026 |
| https://nwphotoblog[.]com | URL used in the RomulusLoader / SyncFuture campaign; hosted a landing page with a download button | 16 April 2026 |
| 103.214.172.33 | RomulusLoader first-stage C2 | 16 April 2026 |
| 314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef | RomulusLoader / SyncFuture ZIP (Alles in dem schuppen.zip) | 16 April 2026 |
| 2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d | RomulusLoader / SyncFuture executable (Alles in dem schuppen.exe) | 16 April 2026 |
| 0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8 | RomulusLoader / SyncFuture DLL (teamspeak_control.dll) | 16 April 2026 |
| https://ws.ztts88[.]cyou/file/cg[.]exe | SilentRunLoader download URL | 30 March 2026 |
| https://ws.ztts88[.]cyou/upload[.]php | SilentRunLoader data exfiltration URL | 30 March 2026 |
| e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c | SilentRunLoader executable SHA256 | 30 March 2026 |
| 18[.]139[.]83[.]110 | SilentRunLoader data exfiltration IP | 30 March 2026 |
| de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2 | SilentRunLoader ZIP SHA256 | 10 April 2026 |
| 9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73 | SilentRunLoader executable SHA256 | 10 April 2026 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
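As an added example (not part of the Proofpoint report or this article), the script below parses a subset of the IOC table above, re-fangs the `[.]` notation, and sweeps constructed firewall, proxy and EDR log lines for the indicators plus two behaviours the article describes: outbound TCP/886 (the Atlas RAT C2 port) and libcef.dll being loaded from a user-writable path. The log format and the user-writable-path heuristic are assumptions for illustration.

```python
import re

# Subset of the article's IOC table, copied as published (defanged with [.]).
IOC_TABLE = """\
| Indicator | Description | First Seen |
|---|---|---|
| 154.211.86.110 | Atlas RAT C2 | 2 April 2026 |
| a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad | Atlas RAT DLL (libcef.dll) | 2 April 2026 |
| https://ws.ztts88[.]cyou/upload[.]php | SilentRunLoader data exfiltration URL | 30 March 2026 |
| 18[.]139[.]83[.]110 | SilentRunLoader data exfiltration IP | 30 March 2026 |
"""

# Constructed log lines (not from the article) in a simple key=value style.
LOG_LINES = [
    "2026-04-02T09:13:50Z edr imageload image=C:\\Users\\a\\Downloads\\Paperwork\\libcef.dll "
    "sha256=a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad",
    "2026-04-02T09:14:03Z fw conn src=10.0.4.21 dst=154.211.86.110 dport=886 proto=tcp",
    "2026-03-30T11:02:17Z proxy POST https://ws.ztts88.cyou/upload.php status=200",
    "2026-04-02T09:20:00Z fw conn src=10.0.4.22 dst=10.0.0.5 dport=443 proto=tcp",
]

def refang(value):
    """Turn a defanged indicator back into its live form ([.] -> .); do this only
    inside a controlled analysis environment, as the article's note says."""
    return value.replace("[.]", ".")

def parse_ioc_table(text):
    """Return {refanged_indicator: description} from the markdown IOC table."""
    iocs = {}
    for row in text.splitlines():
        cells = [c.strip() for c in row.strip().strip("|").split("|")]
        if len(cells) < 2 or cells[0] in ("Indicator", "") or set(cells[0]) <= {"-"}:
            continue  # skip header, separator and blank rows
        iocs[refang(cells[0])] = cells[1]
    return iocs

def scan_log(lines, iocs):
    """Return (line_index, reason) for every line matching an IOC or a heuristic."""
    hits = []
    for i, line in enumerate(lines):
        lowered = line.lower()
        for ind, desc in iocs.items():
            if ind.lower() in lowered:
                hits.append((i, f"IOC match: {desc}"))
        # Atlas RAT C2 traffic used TCP/886 per the article; an unusual port on its own.
        if re.search(r"\bdport=886\b", line):
            hits.append((i, "outbound TCP/886 (Atlas RAT C2 port)"))
        # Heuristic (assumption, not from the article): libcef.dll loaded from a
        # user-writable path is consistent with the described sideloading chain.
        if "libcef.dll" in lowered and re.search(r"\\users\\|\\temp\\", lowered):
            hits.append((i, "libcef.dll loaded from user-writable path"))
    return hits

if __name__ == "__main__":
    for idx, reason in scan_log(LOG_LINES, parse_ioc_table(IOC_TABLE)):
        print(idx, reason, "::", LOG_LINES[idx])
```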