Chinese cybercrime group expands operations into Europe with new malware

A Chinese-speaking cybercrime group, tracked as TA4922, has expanded its operations into Europe, targeting organizations in Germany, Italy, the United Kingdom, and South Africa with new malware and the Atlas remote access trojan (RAT).

According to cybersecurity firm Proofpoint, TA4922 is a financially motivated threat actor focused on network breaches, data theft, fraud, and selling access to compromised systems. The group was previously active in East Asia but has significantly increased its activity since March 2025.

Researchers report that TA4922 now conducts more unique campaigns than any other cybercrime actor tracked by Proofpoint. The threat actor uses localized phishing emails disguised as payroll notices, tax audits, VAT filings, invoices, and government compliance requests. Attackers have also contacted targets via WhatsApp, LINE, and Microsoft Teams.

One of the main tools used in recent attacks is Atlas RAT, a backdoor capable of system reconnaissance, targeted file theft, plugin downloads, keylogging, and screenshot capture. The malware also includes anti-analysis features that check for sandbox environments, specific usernames, registry keys, and system identifiers.

Proofpoint also found a previously undocumented loader called RomulusLoader. The malware delivers additional payloads using process hollowing, shellcode injection, and direct execution techniques. In several cases, RomulusLoader deployed legitimate remote administration tools such as AnyDesk and SyncFuture to maintain access on compromised systems.

Another observed tool, called SilentRunLoader, is a Python-based loader and information stealer targeting Google Chrome data, including saved credentials, cookies, and browsing history. It was used against organizations in the United Kingdom and Southeast Asia through phishing campaigns impersonating government services.

Attackers also used Winos4.0, a known malware family that provides full remote access capabilities and is tracked by Proofpoint as ValleyRAT.

Proofpoint noted that TA4922 may be using large language models (LLMs) to speed up malware development. The assessment is based on placeholder values, code comments, and coding patterns commonly associated with AI-generated software.

While the group appears primarily motivated by financial gain, researchers warned that its malware includes surveillance capabilities that could be used directly for espionage or sold to state-sponsored threat actors.
