
Chinese Hackers Deploy Atlas RAT Malware in Europe


A Chinese-speaking cybercrime group has shifted its sights to Europe, deploying a newly discovered remote access trojan called Atlas RAT malware alongside several custom-built tools. The campaign is targeting organizations in Germany, Italy, the United Kingdom, and South Africa. This is a sharp departure from the group’s previous focus on East Asia.

Researchers tracking the activity have labeled the group TA4922. While it shares overlaps with threat clusters previously described as “Silver Fox” and “Void Arachne,” analysts consider it a distinct operation driven primarily by financial gain rather than state-sponsored espionage.

A Rapid Expansion West

TA4922’s activity increased sharply starting in March 2026. By April, the group had reached an operational tempo that surpassed every other tracked cybercrime actor in terms of unique campaigns run. The group uses a wide range of phishing lures tailored to its targets, such as fake payroll notices, tax audit alerts, VAT filings, government compliance documents, HR communications, and invoices.

Contact doesn’t stop at email, either. The group has also reached out to potential victims through WhatsApp, the LINE messaging app, and Microsoft Teams. Lures are localized and convincing, crafted to appear as legitimate correspondence from institutions the target would recognize.

This geographic and tactical expansion reflects a growing confidence. TA4922 is not running a narrow operation — it is running many simultaneously, with multiple objectives and varied delivery mechanisms.

What Atlas RAT Malware Can Do

The headline tool in this campaign is Atlas RAT, a previously undocumented remote access trojan. Once deployed, it gives attackers broad control over a compromised system.

Its capabilities include:

  • System reconnaissance
  • Targeted file theft
  • Keylogging
  • Screenshot capture
  • Audio and webcam recording
  • Plugin and payload downloads
  • Remote shutdown and reboot commands

Atlas RAT also includes several anti-analysis features designed to slow down detection. It checks for usernames and registry keys linked to Microsoft Defender Application Guard, scans for the “CExecSvc” service, and inspects OS UUID values — all common indicators of sandbox or analysis environments. If it detects these, it can alter or halt its behavior.
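Any one of those environment checks is also run by legitimate software, so a useful detection looks for several of them from the same parent process within a short window. The following is an added example written for this post, not code from the article or from Proofpoint: it correlates constructed Sysmon-style process-creation events and flags a parent whose children perform at least two distinct sandbox checks within sixty seconds. The event format, the sixty-second window, the `wmic csproduct get uuid` form of the UUID lookup, and the `<APPGUARD_REGISTRY_KEY_PATH>` placeholder (the article does not name the Application Guard keys) are all assumptions.

```python
"""Added example (not from the article or from Proofpoint): correlate
sandbox-check indicators across process-creation telemetry.

Atlas RAT is described as querying the CExecSvc service, Application Guard
related registry keys and the machine UUID. One such query is ordinary; two
or more from the same parent within a short window is worth a look.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the article does not name the Application Guard registry keys.
# Replace this placeholder with the real key path(s) from vendor documentation.
APPGUARD_KEY_PATHS = ["<APPGUARD_REGISTRY_KEY_PATH>"]

# Indicator name -> regex over the process command line.
INDICATORS = {
    "service_query_cexecsvc": re.compile(r"\bCExecSvc\b", re.I),
    "uuid_lookup": re.compile(r"csproduct\s+get\s+uuid|Win32_ComputerSystemProduct", re.I),
}
REG_QUERY_RX = re.compile(r"\breg(?:\.exe)?\s+query\b", re.I)

WINDOW = timedelta(seconds=60)   # assumed correlation window
MIN_DISTINCT = 2                 # distinct indicators needed to alert


def parse_event(line):
    """Constructed line format: '<ISO time>|<parent pid>|<pid>|<image>|<command line>'."""
    ts, ppid, pid, image, cmdline = line.split("|", 4)
    return {"ts": datetime.fromisoformat(ts), "ppid": int(ppid),
            "pid": int(pid), "image": image, "cmdline": cmdline}


def classify(cmdline):
    """Return the set of indicator names a command line matches."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(cmdline)}
    if REG_QUERY_RX.search(cmdline) and any(
            p.lower() in cmdline.lower() for p in APPGUARD_KEY_PATHS):
        hits.add("appguard_registry")
    return hits


def correlate(lines):
    """Map parent pid -> sorted indicator names for parents whose children
    show at least MIN_DISTINCT distinct indicators inside WINDOW."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        for hit in classify(ev["cmdline"]):
            by_parent[ev["ppid"]].append((ev["ts"], hit))
    alerts = {}
    for ppid, observations in by_parent.items():
        observations.sort()
        for i, (t0, _) in enumerate(observations):
            names = {h for t, h in observations[i:] if t - t0 <= WINDOW}
            if len(names) >= MIN_DISTINCT:
                alerts[ppid] = sorted(names)
                break
    return alerts


# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    "2026-04-02T09:15:01|4120|4410|C:\\Windows\\System32\\sc.exe|sc query CExecSvc",
    "2026-04-02T09:15:03|4120|4412|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic csproduct get uuid",
    "2026-04-02T09:15:05|4120|4415|C:\\Windows\\System32\\reg.exe|reg query <APPGUARD_REGISTRY_KEY_PATH>",
    # An administrator checking one service in isolation must not alert.
    "2026-04-02T10:40:12|3008|3310|C:\\Windows\\System32\\sc.exe|sc query CExecSvc",
    # Same parent, but the two checks are over an hour apart: outside the window.
    "2026-04-02T11:00:00|5555|5600|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic csproduct get uuid",
    "2026-04-02T12:10:00|5555|5601|C:\\Windows\\System32\\sc.exe|sc query CExecSvc",
]

if __name__ == "__main__":
    for ppid, names in correlate(SAMPLE_EVENTS).items():
        print(f"parent {ppid}: {', '.join(names)}")
```

Only parent 4120 alerts: it ran all three checks within a few seconds, while the lone `sc query` and the widely separated pair stay quiet. In production the same logic applies to Sysmon event ID 1 or an EDR's process-creation feed; tune the window and threshold to your own baseline before enabling it.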

A Growing Malware Arsenal

Atlas RAT is not the only tool TA4922 is using. Researchers identified three additional pieces of malware in this campaign, each serving a different purpose.

RomulusLoader is a newly discovered malware loader that downloads and executes additional payloads. It uses techniques like process hollowing and shellcode injection to do this quietly. In some cases, it was used to deploy legitimate remote management software — including AnyDesk and a Chinese tool called SyncFuture — on systems belonging to German organizations.

SilentRunLoader is a Python-based tool that focuses on data theft. It targets Google Chrome credentials, cookies, and browsing history. This loader was used against organizations in the United Kingdom and Southeast Asia, arriving via phishing lures that impersonated government services.
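Credential and cookie theft from Chrome leaves a recognisable trace: a process other than the browser opens the profile's `Login Data`, `Cookies` or `History` databases, and stealers commonly copy those locked files elsewhere before reading them. The following is an added example for this post, not code from the article or from Proofpoint. It scans constructed file-access events for both patterns. The event format, the `chrome.exe`-only allowlist and the sample paths are assumptions; the Chrome profile layout (`User Data\Default`, `Profile N`, and the `Network` subfolder for cookies) is real.

```python
"""Added example (not from the article or from Proofpoint): flag access to
Chrome credential, cookie and history stores by non-browser processes, and
copies of those stores that appear outside a Chrome profile directory.
"""
import ntpath
import re

# Store names named in the article (credentials, cookies, browsing history).
CHROME_STORES = ("Login Data", "Cookies", "History")

# Matches a store file inside a Chrome profile; cookies moved under Network\
# in newer versions, so that subfolder is optional.
PROFILE_STORE_RX = re.compile(
    r"\\Google\\Chrome\\User Data\\(Default|Profile \d+)\\(Network\\)?"
    r"(Login Data|Cookies|History)$", re.I)

# Assumption: only the browser itself should open these files.
ALLOWED_IMAGES = {"chrome.exe"}


def parse_event(line):
    """Constructed line format: '<ISO time>|<pid>|<image path>|<file path>'."""
    ts, pid, image, path = line.split("|", 3)
    return {"ts": ts, "pid": int(pid), "image": image, "path": path}


def detect(lines):
    """Return a list of (finding, image basename, file path) tuples."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        image = ntpath.basename(ev["image"]).lower()
        name = ntpath.basename(ev["path"])
        if PROFILE_STORE_RX.search(ev["path"]):
            if image not in ALLOWED_IMAGES:
                findings.append(("non_browser_access", image, ev["path"]))
        elif name in ("Login Data", "Cookies") and "\\User Data\\" not in ev["path"]:
            # Distinctive store names outside any profile directory suggest a
            # copied database; "History" is too generic a file name to use here.
            findings.append(("store_copied_outside_profile", image, ev["path"]))
    return findings


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    "2026-04-03T08:02:11|2211|C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
    "|C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2026-04-03T08:05:40|6012|C:\\Users\\jdoe\\AppData\\Local\\Temp\\python.exe"
    "|C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data",
    "2026-04-03T08:05:41|6012|C:\\Users\\jdoe\\AppData\\Local\\Temp\\python.exe"
    "|C:\\Users\\jdoe\\AppData\\Local\\Google\\Chrome\\User Data\\Profile 1\\Network\\Cookies",
    "2026-04-03T08:05:42|6012|C:\\Users\\jdoe\\AppData\\Local\\Temp\\python.exe"
    "|C:\\Users\\jdoe\\AppData\\Local\\Temp\\Login Data",
    # A user's own document named History must not alert.
    "2026-04-03T09:00:00|3300|C:\\Windows\\explorer.exe|C:\\Users\\jdoe\\Documents\\History",
]

if __name__ == "__main__":
    for finding, image, path in detect(SAMPLE_EVENTS):
        print(f"{finding}: {image} -> {path}")
```

The browser's own read passes, the three accesses by the interpreter dropped in `Temp` are flagged, and the generic `History` document is ignored. Fed with Sysmon file-access or EDR file-read events, the same rule gives an early signal for this class of stealer regardless of the loader that delivered it.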

Winos4.0, also tracked as ValleyRAT, is a previously documented malware family that provides attackers with a full suite of remote access features. Its presence here suggests TA4922 is drawing from both custom-built and established tools depending on the target and objective.

AI May Be Accelerating Development

One of the more striking findings from the Proofpoint analysis is the suggestion that TA4922 may be using large language models to help build its malware. Researchers pointed to placeholder values, code comments, and structural patterns in the code that are commonly associated with AI-generated output.

This does not mean the malware is unsophisticated. But it does suggest that the group is developing tools faster than a traditional development cycle would typically allow. If accurate, this points to a broader trend: threat actors are adopting AI as a productivity tool, compressing the time between identifying a need and deploying a working solution.

Who Is at Risk

TA4922’s targeting is broad. The group has gone after organizations in multiple countries and across multiple sectors, using lures that span payroll, tax, compliance, and HR — functions that exist in virtually every mid-to-large organization.

The malware’s surveillance capabilities add another layer of concern. Beyond financial theft and data exfiltration, the tools could theoretically be repurposed for espionage — or sold to groups with that agenda. Researchers specifically flagged this possibility, noting that the capabilities of Atlas RAT malware extend well beyond what a purely profit-driven operation would typically require.

Final Thoughts

TA4922 represents a meaningful escalation in the Chinese cybercrime threat landscape. The group is prolific, well-resourced, and expanding into new geographies with a diverse and growing toolset. The introduction of Atlas RAT malware marks a notable development — but the broader picture is arguably more concerning than any single tool.

Organizations in Europe and beyond should review their defenses against phishing-based intrusions, audit the use of legitimate remote management tools on their networks, and treat unexpected contact via Teams, WhatsApp, or LINE with appropriate skepticism. The group is moving fast, and its campaigns are designed to look like normal business communication.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.