TA4922
Summary
Proofpoint tracks TA4922 as a Chinese-speaking cybercriminal threat cluster that has expanded from targeting mostly East Asia into Europe and Africa. In its June 2026 public profile, Proofpoint assesses the actor as likely financially motivated and distinct from, but overlapping in tradecraft with, reporting on Silver Fox and Void Arachne.
TA4922 uses localized HR, payroll, tax, invoicing, and business-process lures to deliver credential phishing, fraud paths, remote-access tooling, and malware including ValleyRAT / Winos4.0, Atlas RAT, RomulusLoader, and SilentRunLoader.
Tags
- groups
- actors
- cybercrime
- China-speaking ecosystem
- phishing
- credential-theft
- remote-access
- malware
- ValleyRAT
- Winos4.0
- Atlas RAT
- RomulusLoader
- SilentRunLoader
- HR lures
- payroll lures
Why this matters
- TA4922 is a useful defender bucket for localized business-themed phishing that may look like routine HR, payroll, tax, or invoice traffic rather than broad commodity spam.
- The actor blends malware, credential phishing, fraud, remote monitoring and management tools, trusted software, and cloud-hosted payload delivery.
- Proofpoint says TA4922's 2026 campaigns expanded into countries including the United Kingdom, Germany, Italy, and South Africa, so defenders should not treat Chinese-language cybercrime tooling as only a regional East Asia problem.
- Tooling overlap with Silver Fox / Void Arachne does not mean one-to-one attribution; keep Proofpoint's TA4922 cluster separate unless future sources establish stronger aliasing.
Reported activity
2025 baseline
- Proofpoint says it began tracking TA4922 email campaigns in spring 2025.
- The actor historically used malware families including ValleyRAT / Winos4.0 and HoldingHands.
- Proofpoint assesses the actor's goals as remote access for financial gain, such as data theft, fraud, access resale, or persistent access.
March–April 2026 expansion
- Proofpoint reports a sharp increase in TA4922 operational tempo during March and April 2026.
- Observed lures were mostly human-resources and business themed, with campaigns attempting credential phishing, fraud, and malware delivery.
- Proofpoint newly named Atlas RAT and the loader families RomulusLoader and SilentRunLoader in this activity.
- RomulusLoader was reported staging additional tooling, including legitimate remote monitoring and management software such as AnyDesk and SyncFuture.
Atlas RAT campaigns
- On March 6, 2026, Proofpoint observed TA4922 targeting Japanese organizations with HR-themed salary-adjustment messages.
- The emails linked to a GoFile-hosted ZIP named 【給与調整のお知らせ】.zip (Notice of salary adjustment).
- The ZIP contained an executable and a malicious DLL; execution installed Atlas RAT through DLL sideloading and configured C2 to 206.238.115.58 over TCP port 886.
- On April 2, 2026, Proofpoint observed a similar Atlas RAT campaign against targets in the United Kingdom and Germany using HR paperwork lures and GoFile-hosted ZIPs such as Paperwork.zip and HR (2).zip.
- That April campaign used a malicious libcef.dll sideloading path and configured Atlas RAT C2 to 154.211.86.110 over TCP port 886.
Defender notes
- Treat localized HR/payroll/tax/invoice messages that move recipients to file-sharing links or messaging apps as higher-risk, especially when followed by ZIP archives and executable/DLL pairs.
- Hunt for DLL-sideloading executions from recently extracted ZIP contents and user-download directories.
- Review outbound TCP connections to unusual ports such as 886 from newly launched user-space processes.
- Monitor for unexpected installation or launch of RMM tools after email-driven file execution.
- Keep detections behavior-focused because Proofpoint describes rapid tooling changes across multiple payload families.
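A heuristic hunt for two of the behaviours listed above, an executable in a freshly extracted ZIP folder loading a DLL that sits beside it and outbound TCP on port 886 or to the reported C2 addresses, added here as example code that is not from Proofpoint or this page; the event schema, the staging-directory pattern and the sample telemetry are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators Proofpoint reported for the Atlas RAT campaigns described above.
REPORTED_C2_PORT = 886
REPORTED_C2_IPS = {"206.238.115.58", "154.211.86.110"}
# Where freshly extracted ZIP contents usually land (assumption; tune per estate).
STAGING_DIR = re.compile(r"\\(Downloads|Temp)\\", re.IGNORECASE)

@dataclass
class Event:
    kind: str    # "image_load" (DLL mapped into a process) or "network" (outbound TCP)
    pid: int
    image: str   # full path of the process executable
    target: str  # DLL path for image_load, "ip:port" for network

def sideload_reason(ev):
    """Executable in a staging dir loading a DLL that sits beside it."""
    if ev.kind != "image_load" or not STAGING_DIR.search(ev.image):
        return None
    exe_dir, dll_dir = (p.rsplit("\\", 1)[0].lower() for p in (ev.image, ev.target))
    if exe_dir == dll_dir and ev.target.lower().endswith(".dll"):
        return f"dll sideload candidate: {ev.target}"
    return None

def c2_reason(ev):
    """Outbound TCP on the reported port or to a reported C2 address."""
    if ev.kind != "network":
        return None
    ip, port = ev.target.rsplit(":", 1)
    if int(port) == REPORTED_C2_PORT or ip in REPORTED_C2_IPS:
        return f"outbound to {ev.target}"
    return None

def hunt(events):
    """Map pid -> reasons; a pid that collects both reasons is the strongest lead."""
    hits = {}
    for ev in events:
        for reason in (sideload_reason(ev), c2_reason(ev)):
            if reason:
                hits.setdefault(ev.pid, []).append(reason)
    return hits

# Constructed sample telemetry (not real logs); folder name mirrors the Paperwork.zip lure.
EXE = r"C:\Users\u\Downloads\Paperwork\viewer.exe"   # constructed file name
SAMPLE = [
    Event("image_load", 4120, EXE, r"C:\Users\u\Downloads\Paperwork\libcef.dll"),
    Event("network", 4120, EXE, "154.211.86.110:886"),
    Event("image_load", 980, r"C:\Apps\browser.exe", r"C:\Apps\libcef.dll"),  # not staging
    Event("network", 2210, r"C:\Windows\explorer.exe", "10.0.0.5:443"),
]
```

Only pid 4120 collects both reasons in the sample; a single reason on its own is a triage lead, not a verdict.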
Attribution notes
- Proofpoint describes TA4922 as a newly designated Chinese-speaking threat actor largely targeting East Asia historically, with recent global expansion.
- Proofpoint notes overlap in tooling, infrastructure, and social-engineering themes with Silver Fox and Void Arachne reporting, but tracks TA4922 as a distinct cluster and assesses the activity as more aligned with cybercriminal objectives than espionage.
- The Hacker News summarized Proofpoint's reporting as China-linked; this page keeps the attribution tied to Proofpoint's Chinese-speaking ecosystem language and financially motivated assessment.
Sources
- Proofpoint: https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global
- The Hacker News: https://thehackernews.com/2026/06/china-linked-ta4922-expands-phishing.html