TA4922 Expands Malware Campaigns With Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT
Proofpoint has warned that TA4922, a suspected Chinese-speaking cybercrime group, is expanding beyond its earlier East Asia focus and running localized malware campaigns against organizations in Japan, the United Kingdom, Germany, Italy, South Africa, and parts of Southeast Asia.
The group is deploying a growing toolset that includes Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, also known as Winos4.0. In a new Proofpoint report, researchers said TA4922 is financially motivated and appears focused on remote access, data theft, fraud, access resale, and long-term footholds inside victim environments.
The activity matters because TA4922 does not rely on one simple phishing pattern. It changes lures, payloads, hosting services, and follow-up tools quickly. Recent campaigns used HR, payroll, tax, benefits, invoicing, and compliance themes written for local audiences.
TA4922 broadens its targeting
Proofpoint began tracking TA4922-linked email campaigns in spring 2025. The group most often targeted Japan and other Asian countries, including Taiwan, India, Malaysia, Singapore, and Indonesia. By early 2026, it had expanded into Europe and South Africa.
BleepingComputer reported that TA4922’s recent activity focused on entities in Germany, Italy, the United Kingdom, and South Africa while continuing to use business-themed phishing to deliver malware. The campaigns were not generic spam. They used local language, local business processes, and familiar administrative subjects.
Proofpoint assesses that TA4922 is likely based in East Asia and Chinese-speaking. The company said the actor overlaps with activity publicly described as Silver Fox or Void Arachne, but it tracks TA4922 as a separate cluster because its campaigns align more closely with cybercrime than espionage.
| Category | Details |
|---|---|
| Tracked name | TA4922 |
| Likely motivation | Financial gain, including fraud, data theft, access resale, and persistent access |
| Primary regions observed | Japan, Taiwan, India, Malaysia, Singapore, Indonesia, United Kingdom, Germany, Italy, and South Africa |
| Common lure themes | HR, salary notices, payroll, tax audits, VAT filings, invoices, benefits, and compliance |
| Malware and tools | Atlas RAT, RomulusLoader, SilentRunLoader, ValleyRAT, AnyDesk, and SyncFuture |
How the campaigns work
TA4922 often starts with an email that looks like routine business communication. One March 2026 campaign targeted Japanese organizations with HR-themed messages about salary adjustments. The emails linked to a GoFile-hosted ZIP archive that delivered Atlas RAT through DLL sideloading.
In April, the group used HR-themed emails against targets in the United Kingdom and Germany. The files used names such as Paperwork.zip and HR (2).zip. A separate Japanese campaign used an invoice-themed lure and a compressed IMG attachment to trigger the same Atlas RAT delivery chain.
Hackread reported that UK-focused activity used tax and benefits themes, including references to VAT filings, payroll tax documents, and compliance requirements. Those lures led users to hosted payloads that installed SilentRunLoader, a Python-based stealer and loader.
Atlas RAT gives attackers full remote access
Atlas RAT is one of the most important tools in TA4922’s recent activity. It is a multi-stage backdoor that can gather system information, upload files, download additional plugins, record audio and webcam video, start a keylogger, capture clipboard data, take screenshots, and shut down or reboot the system.
The malware uses anti-analysis checks before it runs fully. It can look for signs of Microsoft Defender Application Guard, containerized environments, virtual machines, and other sandbox indicators. If those checks suggest analysis, the malware can terminate instead of exposing its full behavior.
The Proofpoint analysis said Atlas RAT communicates with its command-and-control server using encrypted traffic and can download further modules on demand. That makes it more than a simple first-stage payload. It gives the operator options after the initial compromise.
RomulusLoader and SilentRunLoader show fast tool development
RomulusLoader is a new loader family named by Proofpoint. It is written in C and designed to download and execute additional payloads from attacker infrastructure. Proofpoint observed it inside ZIP archives that contained legitimate executables and malicious DLLs related to the Vulkan graphics API.
In late March 2026, TA4922 used RomulusLoader against Japanese organizations through LimeWire-hosted files. In mid-April, the group used it to install legitimate remote monitoring and management tools, including AnyDesk and SyncFuture. That tactic can help attackers blend into enterprise networks because remote management tools also have valid business uses.
SilentRunLoader plays a different role. It is a compiled Python stealer and loader that collects Google Chrome data, including stored credentials, cookies, and browsing information. Researchers found placeholder values in the code, including a value that looked like a generic API key placeholder, which led Proofpoint to assess with high confidence that TA4922 likely uses large language model tools to help build Python malware faster.
| Tool | Role in TA4922 activity | Notable capability |
|---|---|---|
| Atlas RAT | Remote access trojan | Keylogging, screenshots, webcam and microphone access, file theft, and plugin loading |
| RomulusLoader | Loader | Downloads and executes payloads, supports injection and process hollowing |
| SilentRunLoader | Python stealer and loader | Steals Chrome credentials, cookies, and browsing data |
| ValleyRAT | Remote access trojan based on Winos4.0 | Remote shell, file management, webcam and microphone control, keylogging, and module downloads |
| AnyDesk and SyncFuture | Legitimate RMM tools abused after compromise | Remote control that can appear less suspicious in some environments |
ValleyRAT remains part of the wider toolkit
ValleyRAT is not new, but it remains relevant because TA4922 has used variants of Winos4.0, which Proofpoint tracks as ValleyRAT. A Zscaler technical analysis previously described ValleyRAT as a multi-stage remote access trojan that gives attackers control over infected machines and can download more components.
Proofpoint said the newer Winos4.0 variant it observed had a much larger codebase than other samples it had reviewed. The configuration was also encrypted in the binary using RC4, which can make analysis and detection harder.
That mix of older malware families and new custom loaders makes TA4922 harder to defend against. Security teams may catch one payload family while missing another campaign that uses a different lure, hosting provider, or execution chain.
Why defenders should watch social engineering outside email
TA4922 does not always keep the attack inside email. Proofpoint has also seen campaigns that try to move victims to messaging services such as LINE, WhatsApp, and Microsoft Teams. That matters because employees often treat messages in collaboration tools as more personal or more urgent than email.
The group also uses trusted hosting and file-sharing services, including GoFile, LimeWire, and MediaFire, to distribute payloads. This makes blocking harder because the services themselves may also support legitimate business use.
Hackread noted that the group’s lures are built around ordinary administrative workflows. Tax filings, payroll notices, salary documents, benefits forms, and compliance messages all create pressure to act quickly without asking too many questions.
- Train users to verify unexpected HR, payroll, tax, invoice, and benefits requests through a separate trusted channel.
- Block or inspect archives downloaded from file-sharing sites when they contain executables, DLLs, IMG files, or scripts.
- Review outbound traffic to unusual ports, including non-standard ports used by malware command-and-control servers.
- Monitor for DLL sideloading from temporary folders and user-writable directories.
- Restrict unauthorized remote monitoring tools and alert when AnyDesk-like tools appear on unmanaged endpoints.
- Limit local admin rights to reduce the damage after initial execution.
Recommended defenses against TA4922
Proofpoint recommends application allowlisting in trusted directories, monitoring or blocking execution from temporary user paths such as %TEMP% and %APPDATA%, watching for executable files written to root directories such as C:\, and enforcing least privilege across endpoints.
Network teams should also flag traffic to non-standard ports from processes that do not normally need those connections. RomulusLoader activity observed by Proofpoint included communication over TCP port 1234, while Atlas RAT campaigns used port 886 in the reported cases.
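As an added example (not Proofpoint's or the article's code), the following script turns the detection advice in the list above and in the two preceding paragraphs into simple heuristics run over constructed Sysmon-style events: execution from %TEMP%/%APPDATA%, a DLL loaded from a user-writable folder by a signed host executable (the sideloading pattern), executables written to the drive root, and outbound connections to the ports quoted for RomulusLoader (1234) and Atlas RAT (886). The event field names, the process allowlist and the sample paths are assumptions for illustration.

```python
import ntpath
from typing import Iterable

# Ports the article attributes to RomulusLoader (1234) and Atlas RAT (886).
SUSPICIOUS_PORTS = {1234, 886}
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")
# Constructed allowlist of processes expected to talk outbound; anything else
# on a suspicious port is flagged.
NET_ALLOWLIST = {"chrome.exe", "msedge.exe", "outlook.exe", "teams.exe"}

def in_user_writable(path: str) -> bool:
    return any(part in path.lower() for part in USER_WRITABLE)

def in_root_dir(path: str) -> bool:
    """True for paths like C:\\payload.exe (drive root, no subdirectory)."""
    drive, rest = ntpath.splitdrive(path)
    return bool(drive) and ntpath.dirname(rest) == "\\"

def check_event(ev: dict) -> list:
    """Return alert labels for one event; an empty list means nothing notable."""
    alerts, kind = [], ev["event"]
    if kind == "ProcessCreate" and in_user_writable(ev["image"]):
        alerts.append("exec-from-user-writable")
    if kind == "ImageLoad" and ev["image_loaded"].lower().endswith(".dll"):
        # A signed host EXE pulling a DLL from a user-writable directory is the
        # sideloading pattern the article describes for Atlas RAT / RomulusLoader.
        if in_user_writable(ev["image_loaded"]) and ev.get("signed_host"):
            alerts.append("dll-sideload-user-writable")
    if kind == "FileCreate" and ev["target"].lower().endswith((".exe", ".dll")):
        if in_root_dir(ev["target"]):
            alerts.append("executable-written-to-drive-root")
    if kind == "NetworkConnect" and ev["dest_port"] in SUSPICIOUS_PORTS:
        if ntpath.basename(ev["image"]).lower() not in NET_ALLOWLIST:
            alerts.append(f"c2-port-{ev['dest_port']}")
    return alerts

def scan(events: Iterable[dict]) -> list:
    return [(ev["id"], a) for ev in events for a in check_event(ev)]

# Constructed sample telemetry; file names are illustrative, not real indicators.
TMP = r"C:\Users\a\AppData\Local\Temp\Paperwork"
SAMPLE_EVENTS = [
    {"id": 1, "event": "ProcessCreate", "image": TMP + r"\update.exe"},
    {"id": 2, "event": "ImageLoad", "image": TMP + r"\update.exe",
     "image_loaded": TMP + r"\vulkan-1.dll", "signed_host": True},
    {"id": 3, "event": "FileCreate", "target": r"C:\svc.exe"},
    {"id": 4, "event": "NetworkConnect", "image": TMP + r"\update.exe", "dest_port": 1234},
    {"id": 5, "event": "NetworkConnect", "image": r"C:\Program Files\Google\Chrome\chrome.exe", "dest_port": 443},
    {"id": 6, "event": "ProcessCreate", "image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for event_id, alert in scan(SAMPLE_EVENTS):
        print(event_id, alert)
```

Real deployments would read these events from Sysmon or EDR telemetry and tune the allowlist to the environment; the port check in particular is only meaningful alongside the process and path context.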
BleepingComputer also highlighted the surveillance potential of the malware used by TA4922, even though the group’s current activity appears financially motivated. That creates an extra risk for organizations with sensitive data, regulated business processes, or valuable network access.
What makes TA4922 stand out
TA4922 stands out because of its speed and variety. It does not rely on a single malware family or one region. Instead, it rotates themes, payloads, and delivery methods while keeping the social engineering closely tied to local business routines.
Older malware ecosystems also feed into the group’s activity. Zscaler’s ValleyRAT research showed how related malware can use multi-stage execution, DLL sideloading, and process injection to stay stealthy. TA4922 now pairs similar techniques with newer tooling and localized phishing.
For defenders, the key takeaway is that TA4922 should not be treated as a narrow regional threat. Its campaigns show how financially motivated actors can move quickly from one market to another, reuse proven lures, and add new malware at a pace that challenges static detection rules.
FAQ
TA4922 is a suspected Chinese-speaking cybercrime group tracked by Proofpoint. It is assessed to be financially motivated and has targeted organizations in East Asia, Europe, South Africa, and Southeast Asia.
TA4922 has used Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, also known as Winos4.0. It has also abused legitimate remote monitoring tools such as AnyDesk and SyncFuture.
TA4922 commonly uses localized phishing emails themed around HR, salary notices, payroll, tax audits, invoices, benefits, and compliance. The emails often link to archives hosted on legitimate file-sharing services.
SilentRunLoader is notable because it is a Python-based stealer and loader that targets Google Chrome data, including stored credentials, cookies, and browsing information. Proofpoint also assessed that it was likely developed with help from AI coding tools.
Organizations should use application allowlisting, restrict execution from temporary folders, monitor DLL sideloading, inspect archive downloads from file-sharing services, limit local admin rights, and train users to verify HR, payroll, tax, and compliance requests.