Flash Briefing | Severity: high | Sectors: Finance, professional services, technology

TA4922 Extends High-Tempo Campaign Operations to UK and Europe With Atlas RAT and Credential Stealer

Proofpoint has published threat intelligence on TA4922’s active expansion into Europe and Africa, documenting the group’s first significant UK-targeted phishing campaigns alongside intrusions in Germany, Italy, and South Africa. The group — assessed as a Chinese-speaking financially motivated cybercrime organisation, not a state-sponsored APT — carries the highest campaign velocity of any actor currently tracked by Proofpoint. Two newly documented malware families are driving the European push: SilentRunLoader, a Python-based credential and cookie stealer, and Atlas RAT, a full-featured remote access Trojan with surveillance capabilities including keylogging, screen capture, and webcam recording.

What the Campaign Reveals

Two distinct UK-targeted campaign waves have been documented in the first half of 2026.

Wave 1 — March 30, 2026: Tax authority lures. Emails impersonating tax authority communications — including lures designed to resemble HMRC correspondence — delivered ZIP attachments containing DLL sideloading chains. The payload was SilentRunLoader: a Python-based malware that sweeps the victim system for Google Chrome browser data, extracting saved credentials, session cookies, browsing history, and stored payment data. The timing is deliberate. March sits within the UK tax filing and notification window, and employees primed to expect tax-related correspondence are significantly more susceptible to HMRC-branded outreach. The lure design exploits a real cognitive pattern — not a generalised phishing risk, but a targeted seasonal one.

Wave 2 — April 2026: HR and payroll themes. A second wave used HR and payroll pretexts to deliver ZIP attachments labelled “Paperwork.zip”, this time deploying Atlas RAT — a newly documented remote access Trojan with a notably broad capability set. Atlas RAT provides keylogging, screen capture, webcam recording, file management, and full remote command execution. The surveillance depth — particularly webcam access — goes beyond what credential theft alone requires and suggests TA4922 is either developing dual-purpose tooling for potential resale to other actors, expanding its operational objectives, or both.

Both waves share a consistent delivery mechanic: DLL sideloading via ZIP attachment. A legitimate, signed executable is bundled with a malicious DLL inside the ZIP; when the user extracts and runs the executable, the malicious DLL is loaded alongside it. This approach exploits Windows DLL search order and allows malware to execute under the apparent authority of a trusted binary — a well-established technique for bypassing application allowlisting and reducing detection confidence.

Out-of-band contact via LINE, WhatsApp, and Microsoft Teams is documented ahead of the malicious ZIP delivery. Attackers establish initial rapport through messaging platforms — where corporate security controls are typically absent — before directing targets to open the attachment. This multi-channel social engineering approach increases the perceived legitimacy of the eventual payload delivery.

AI-assisted malware development is noted in Proofpoint’s analysis. Code patterns, commenting conventions, and structural choices in SilentRunLoader’s Python codebase are consistent with LLM-assisted generation. This finding aligns with the group’s operational tempo: AI-assisted development reduces iteration time between campaign waves and allows rapid adaptation of payloads to defeat updated signatures.

Beyond the two headline malware families, TA4922’s wider toolkit includes RomulusLoader — which deploys commercially available remote administration tools (AnyDesk, SyncFuture) as persistent implants, leveraging legitimate and signed binaries for persistence — and ValleyRAT and Winos4.0, both documented in the group’s earlier Asia-Pacific activity.

Why This Matters for Affected Sectors

TA4922 is not a state-sponsored intelligence actor and does not target government entities or critical national infrastructure in the way that China-aligned APT groups do. The threat model is different, and the response posture needs to reflect that.

This is broad-based corporate credential theft deployed against employees across sectors, with financial gain as the primary driver. The attack surface is every organisation whose employees file tax returns, receive payslips, or process HR correspondence — which is to say, every organisation. Sector targeting in the traditional APT sense does not apply. Finance, legal, technology, professional services, and manufacturing employees are all within scope.

The Chrome credential and cookie theft via SilentRunLoader has significant downstream consequences that extend beyond the initial compromise. Harvested session tokens provide authenticated access to corporate email, collaboration platforms (Teams, Slack, Google Workspace), and SaaS applications without requiring re-authentication. For organisations without session-binding controls, hardware token MFA, or aggressive session lifetime policies, a single successful SilentRunLoader infection can translate into sustained access across multiple internal systems — none of which requires the attacker to compromise credentials directly.

Atlas RAT’s surveillance capability — keylogging combined with webcam recording — carries a separate risk category. Even where organisations recover from the initial phishing compromise, persistent Atlas RAT installations with active keylogging could have captured credentials entered after infection, including credentials for systems with no browser-stored data. The webcam recording functionality raises additional concerns around privileged executive communications and sensitive business discussions.

TA4922’s campaign velocity is the operational context that shapes defensive strategy. Proofpoint’s characterisation of this group as running the highest campaign pace of any tracked actor means that static IOC-based defences will consistently lag. By the time a specific lure template or payload hash is operationalised in security tooling, the next wave will have moved on. Behavioural detection — process behaviour, file access patterns, network communication profiles — is the durable control layer here.

For email security and gateway teams:

  • Apply controls on ZIP attachments containing DLL files alongside executable binaries — the sideloading delivery chain is consistent across documented TA4922 campaigns, not a single-use artefact
  • Review filtering for tax authority-themed subject lines, HMRC brand impersonation patterns, and HR/payroll-themed attachment delivery during Q2 lure periods
  • Configure scanning for Python-based executables and compiled Python archives (.pyc files, packed executables generated by PyInstaller or similar) in email attachments — SilentRunLoader’s Python provenance may persist across payload versions
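The first control above (flagging ZIPs that pair an executable with a DLL in the same folder, the sideloading bundle this campaign uses) can be prototyped as a gateway check. The script below is an added example, not Proofpoint's tooling; the archives it inspects are constructed in memory with placeholder bytes, and the member names are hypothetical.

```python
"""Added example: flag ZIP attachments that bundle an executable with a DLL in the
same directory. Sideloading needs the DLL beside the EXE (the application
directory is searched first), so the pairing is evaluated per folder."""
import io
import zipfile
from collections import defaultdict
from typing import Dict, List

EXEC_EXTS = {".exe", ".com", ".scr"}
SIDELOAD_EXTS = {".dll"}


def _split(name: str):
    # ZIP member names use "/" separators; return (folder, lowercase extension)
    folder, _, base = name.replace("\\", "/").rpartition("/")
    dot = base.rfind(".")
    return folder, (base[dot:].lower() if dot != -1 else "")


def sideload_bundles(zip_bytes: bytes) -> List[str]:
    """Return folders inside the archive holding both an executable and a DLL.
    An empty list means the archive does not match the EXE+DLL pattern."""
    found: Dict[str, set] = defaultdict(set)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            folder, ext = _split(info.filename)
            if ext in EXEC_EXTS:
                found[folder].add("exe")
            elif ext in SIDELOAD_EXTS:
                found[folder].add("dll")
    return sorted(f for f, kinds in found.items() if kinds == {"exe", "dll"})


def build_zip(members: Dict[str, bytes]) -> bytes:
    # Constructed sample archive; contents are placeholder bytes, not real binaries
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed samples: a sideloading-style bundle and a benign document archive
SUSPECT_ZIP = build_zip({
    "Paperwork/Viewer.exe": b"MZ placeholder",
    "Paperwork/helper.DLL": b"MZ placeholder",   # uppercase extension still matched
    "Paperwork/readme.txt": b"open Viewer.exe",
})
BENIGN_ZIP = build_zip({"P60_2026.pdf": b"%PDF placeholder"})

if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_ZIP), ("benign", BENIGN_ZIP)):
        print(label, sideload_bundles(blob) or "no EXE+DLL pairing")
```

A DLL that sits in a different folder from the executable is deliberately not paired, which keeps the check aligned with how sideloading actually resolves the library.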

For endpoint and SOC teams:

  • Hunt for non-browser processes accessing Chrome’s credential databases: %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data and Cookies files. SilentRunLoader’s primary payload is Chrome data sweeping — this access pattern is behaviourally distinguishable
  • Review for unsolicited AnyDesk or RMM tool installations that lack a corresponding IT service desk record — RomulusLoader’s persistence mechanism deploys these as implants, not legitimate remote support tools
  • Known Atlas RAT C2 indicator: 206.238.115.58:886 — value as a detection point is limited given infrastructure rotation, but useful for retrospective threat hunting in log data
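The Chrome credential-database hunt in the first bullet above, as an added example that is not part of Proofpoint's research: it runs over constructed file-access events (hypothetical ids, hosts and paths) in the shape an EDR or file-audit export might provide, trusts chrome.exe only from its install directories, and also covers non-Default profiles and the Network\Cookies location that newer Chrome builds use.

```python
"""Added example: flag non-browser processes reading Chrome's Login Data or
Cookies databases. Matching is case-insensitive and accepts either slash."""
import re
from typing import Dict, List

# Chrome profile databases named in the hunt, plus the Network\Cookies path
# used by newer Chrome builds; "Profile N" directories are covered as well.
CHROME_DB_RE = re.compile(
    r"google[\\/]chrome[\\/]user data[\\/](default|profile \d+)[\\/]"
    r"(login data|cookies|network[\\/]cookies)$",
    re.IGNORECASE,
)
# chrome.exe is only trusted from its install locations; the same name elsewhere is flagged
TRUSTED_BROWSER_RE = re.compile(
    r"^c:[\\/]program files( \(x86\))?[\\/]google[\\/]chrome[\\/]application[\\/]chrome\.exe$",
    re.IGNORECASE,
)


def is_suspicious_access(event: Dict[str, str]) -> bool:
    """True when a process outside the trusted browser path reads a Chrome DB."""
    if not CHROME_DB_RE.search(event["target"]):
        return False
    return not TRUSTED_BROWSER_RE.match(event["image"])


def hunt(events: List[Dict[str, str]]) -> List[str]:
    """Return the ids of events that warrant analyst attention."""
    return [e["id"] for e in events if is_suspicious_access(e)]


# Constructed sample events (hypothetical ids, user and paths)
SAMPLE_EVENTS = [
    {"id": "e1", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": "e2", "image": r"C:\Users\jdoe\AppData\Local\Temp\Paperwork\Viewer.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"id": "e3", "image": r"C:\Users\jdoe\AppData\Local\Temp\python.exe",
     "target": r"c:/users/jdoe/appdata/local/google/chrome/user data/Profile 1/Network/Cookies"},
    {"id": "e4", "image": r"C:\Users\jdoe\Downloads\chrome.exe",   # browser name, wrong location
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
    {"id": "e5", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"},
]

if __name__ == "__main__":
    print(hunt(SAMPLE_EVENTS))  # ['e2', 'e3', 'e4']
```

Backup agents and browser sync tools that legitimately read these files should be added to the trusted-image allowlist per estate, rather than loosening the path match.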

For HR, finance, and communications functions:

  • Brief employees that payroll documents, P60s, and tax notices are not delivered via ZIP attachments requiring extraction and execution. Any communication — from any source — that asks an employee to extract and run a file to access employment or tax documents is a phishing attempt
  • Remind staff that initial contact via WhatsApp, Teams, or LinkedIn before a file request is a documented TA4922 social engineering pattern, not a legitimate workflow

For security intelligence teams:

  • Request full TA4922 indicators of compromise from Proofpoint’s published research; apply across SIEM, email gateway, and proxy platforms
  • Monitor for new lure themes: TA4922’s campaign frequency means UK-targeted variants beyond tax and HR themes are plausible within the current quarter