Nation-State · high · China (assessed)

TA4922

Chinese-speaking cybercrime group (financially motivated — not state-sponsored) · Financial — credential theft, data exfiltration, corporate espionage

Reports: 1
Active Since: 2025
Last Reported: 5 Jun 2026
Sectors Targeted: finance, professional-services, technology

Tactics, Techniques & Procedures (TTPs)

  • Phishing via tax authority and HR/payroll lure themes — HMRC-branded and "Paperwork.zip" templates documented in UK campaigns
  • ZIP attachment delivery with DLL sideloading — legitimate signed executable bundled with malicious DLL
  • SilentRunLoader: Python-based credential stealer targeting Chrome Login Data, Cookies, and browsing history
  • Atlas RAT: full-featured RAT with keylogging, screen capture, webcam recording, file management, and remote command execution
  • RomulusLoader: deploys AnyDesk and SyncFuture as persistent implants using legitimate signed binaries
  • Out-of-band initial contact via LINE, WhatsApp, and Microsoft Teams before malicious attachment delivery
  • AI-assisted Python malware development — LLM-generated code patterns observed in SilentRunLoader codebase
  • ValleyRAT and Winos4.0 also documented in toolkit

Known Targets

  • Corporate employees across sectors (non-specific sector targeting)
  • UK organisations (2026 expansion)
  • Germany, Italy, South Africa (2026 European and African expansion)
  • Asia-Pacific organisations (primary historical targeting)

Analyst Notes

Tracked by Proofpoint since spring 2025. Assessed as a Chinese-speaking, financially motivated cybercrime group — not a state-sponsored intelligence actor. Carries the highest campaign velocity of any actor currently tracked by Proofpoint. Geographic expansion from Asia-Pacific to the UK, Europe, and South Africa was documented in early 2026. The two flagship 2026 malware families — SilentRunLoader (Chrome credential/cookie theft) and Atlas RAT (full surveillance RAT) — represent a capability upgrade over the earlier toolkit. AI-assisted Python malware development indicates the group is using commercial LLMs to accelerate payload iteration and maintain campaign tempo. Unlike Chinese APT groups, TA4922 is not focused on espionage against government or critical infrastructure: its target set is corporate employees across all sectors, and its lure strategy exploits universal trigger events (tax filing, HR/payroll notifications) that affect employees regardless of industry.

Also Known As

TA4922 (Proofpoint designation)