← Back to SecLog

Proofpoint says TA4922 is targeting European organizations with new Atlas RAT malware and phishing lures

Updated: 2026.06.04 6D ago 3 sources
Threat Actors & APTs Malware Scams & Fraud Social Engineering & Phishing
A Chinese-speaking cybercrime group is using new malware and localized phishing messages to break into organizations in Europe and beyond. Proofpoint says TA4922, linked to activity overlaps with Silver Fox and Void Arachne, has targeted entities in Germany, Italy, the United Kingdom, South Africa, and parts of Southeast Asia since March 2026 using payroll, tax, VAT, invoice, and HR lures sent by email and messaging apps including WhatsApp, LINE, and Microsoft Teams. The campaigns deploy Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for remote access, file theft, credential theft, keylogging, screenshots, and webcam or audio capture.
Why it matters: Organizations in the targeted regions should treat this as an active intrusion and phishing threat, especially finance, HR, and compliance teams that may receive convincing local-language messages. Defenders should hunt for the named malware families and remote-management tools, tighten phishing controls, and warn staff to verify unexpected payroll, tax, invoice, or compliance messages across email and chat platforms.

Sources

China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa
info@thehackernews.com (The Hacker News) 2026.06.04 96% relevant
This appears to be the same underlying Proofpoint-reported TA4922 campaign, adding that the China-linked actor has expanded phishing targeting to the UK, Germany, Italy, and South Africa and continuing use of Atlas RAT with localized lures.
Chinese Cybercrime Group in Spotlight for Record Campaign Pace
Ionut Arghire 2026.06.04 97% relevant
This article is a direct follow-up on the same TA4922 campaign cluster, adding that Proofpoint now views the actor as operating at the highest campaign tempo in its cybercrime tracking, expanding from Asia into the UK, Germany, Italy, South Africa, and using HR, payroll, invoicing, customer-service, and out-of-band messaging lures with Atlas RAT, RomulusLoader, SilentRunLoader, ValleyRAT, and RMM tools such as AnyDesk and SyncFuture.
Chinese hackers use new Atlas RAT malware in European cyberattacks
Bill Toulas 2026.06.03 100% relevant
This article appears to be the first tracked item establishing Proofpoint's reporting on TA4922's expanded European campaigns and its use of the newly identified Atlas RAT and related loaders.
← Back to all stories