Meet Atlas RAT: The Chinese Cybercrime Group Now Targeting Europe
A Chinese-speaking cybercrime group has quietly pivoted westward, running phishing campaigns against organisations in Germany, Italy, the UK, and South Africa. Proofpoint tracks the group as TA4922, and their recent activity levels are, frankly, alarming.
The outfit has historically focused on East Asia, but since March this year the tempo has increased sharply. By April, Proofpoint was describing the group's operational pace as unprecedented. According to their latest report, TA4922 is currently running more distinct campaigns than any other financially motivated threat actor in Proofpoint's dataset. That's not a footnote — that's a red flag.
TA4922 overlaps with activity previously attributed to 'Silver Fox' and 'Void Arachne', though Proofpoint tracks it separately on the basis that the motivation looks financial rather than state-directed espionage. The important caveat: the malware they're deploying has surveillance capabilities that could easily be sold on to groups with rather different priorities.
The phishing lures are well-localised. Victims receive what appear to be payroll notices, VAT filings, tax audits, HR communications, and government compliance documents — all tailored to the target country. The group also reaches out via WhatsApp, LINE, and Microsoft Teams, which suggests they're not shy about casting wide nets across multiple channels.
Atlas RAT: new and fairly capable
The headline discovery is Atlas RAT, a previously undocumented remote access trojan. It does what you'd expect from a modern RAT — system reconnaissance, file theft, keylogging, screenshots, audio and webcam recording, plugin downloads, and remote shutdown or reboot commands. Nothing conceptually novel, but the implementation is new and it's actively being deployed.
Atlas RAT includes anti-sandbox and anti-analysis checks: it looks for usernames and registry keys associated with Microsoft Defender Application Guard, for the CExecSvc service, and for OS UUID values commonly seen in analysis environments, and presumably changes behaviour when it finds them. Standard tradecraft, but competently done.
Proofpoint also found a new loader called RomulusLoader, which delivers additional payloads via process hollowing, shellcode injection, or direct execution. It's been used to drop legitimate remote management tools including AnyDesk and SyncFuture — the latter being a remote monitoring tool popular in China, which makes its appearance in attacks against German targets a somewhat brazen choice.
Rounding out the toolkit is SilentRunLoader, a Python-based loader and infostealer that hoovers up credentials, cookies, and browsing data from Google Chrome. This one was deployed against UK and Southeast Asian targets using lures impersonating government services. And then there's Winos4.0 — previously documented, tracked by Proofpoint as ValleyRAT — which provides a full remote access suite.
AI-assisted malware development?
Proofpoint raises the possibility that TA4922 is using large language models to accelerate malware development. The evidence is circumstantial but plausible: placeholder values, code comments, and structural patterns consistent with AI-generated output. Whether that's actually the case or just tidy coding habits is hard to say definitively, but the speed at which this group is expanding its toolkit does suggest some kind of accelerant.
The full Proofpoint report includes indicators of compromise and C2 infrastructure details for defenders who need them.