ctipilot.ch

TA4922

actor · actor:ta4922

TA4922 — China-nexus financially-motivated cluster; Atlas RAT/RomulusLoader/SilentRunLoader, expands to DE/UK/IT

Coverage timeline: 3 entries, first 2026-06-01 → last 2026-06-18
Entries: 3 (3 distinct days)
Sources cited: 4 (4 hosts)
Sections touched: 2 (active-threats, weekly-long-running)
Co-occurring entities: 0 (no co-occurrence)
2026-06-01 · 3 appearances · 2026-06-18

Story timeline

  1. 2026-06-18 · active-threats · China arrests 67 members of the Silver Fox (Winos/ValleyRAT) cybercrime network
  2. 2026-06-05 · active-threats · Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT
  3. 2026-06-01 · weekly-long-running · TA4922 — China-nexus cybercrime cluster expands from Japan into Germany, UK and Italy with native-language lures and Atlas RAT

Where this entity is cited

  • active-threats: 2
  • weekly-long-running: 1

Source distribution

  • bleepingcomputer.com: 1 (25%)
  • cert.org.cn: 1 (25%)
  • news.risky.biz: 1 (25%)
  • thehackernews.com: 1 (25%)

Entries about TA4922 (3)

2026-06-18

China arrests 67 members of the Silver Fox (Winos/ValleyRAT) cybercrime network

notable threat discovered 2026-06-18 05:10 UTC

Chinese police arrested 67 suspects across five provinces in a June 2026 operation against Silver Fox — also tracked as Void Arachne, UTG-Q-1000 and TA4922 — assessed as one of the most active crimeware operations targeting Chinese-speaking users (Risky Biz News, 2026-06-17). The arrests reportedly span the full criminal supply chain: the primary developer/seller of the Silver Fox (Winos) trojan, a variant developer, phishing-site operators, and fake-app download-site operators, with secondary RATs including ValleyRAT used for credential theft. A CNCERT/CC security alert issued on 2026-05-22 preceded the operation (CNCERT/CC, 2026-05-22).

law-enforcement organized-crime infostealer apac

2026-06-05

Proofpoint TA4922: a China-nexus cybercrime cluster expands from Japan into Germany, the UK and Italy with native-language lures and DLL-side-loaded Atlas RAT

high threat discovered 2026-06-05 05:00 UTC

Proofpoint reports that TA4922, a Chinese-speaking, financially-motivated cluster it assesses as running the highest campaign tempo of any cybercrime actor it tracks, expanded in March–April 2026 from its historical Japanese focus to localised campaigns against UK, German, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04). Lures are carefully tailored in the target's native language — tax-authority, HR/payroll and invoice themes — and the toolkit now pairs the known ValleyRAT (Winos 4.0) with newly observed families: Atlas RAT (a C-based RAT) and RomulusLoader, which DLL-side-loads (T1574.002) AnyDesk and SyncFuture, plus SilentRunLoader, a Python infostealer pulling Chrome credentials and cookies (T1555.003). A notable TTP shift is the deliberate move of conversations to LINE, WhatsApp and Microsoft Teams to pull targets off enterprise email controls before payload delivery.

Why it matters to us: German and UK targeting with native-language tax/payroll lures puts DACH public-sector and finance staff squarely in scope. Hunt for DLL side-loading chains where trusted binaries (AnyDesk, SyncFuture) load from unexpected working directories, for Python processes reaching DPAPI / Chrome credential stores, and for unsolicited inbound contact on LINE/WhatsApp/Teams that pivots to a "document" — the out-of-band channel is where the email gateway loses visibility.

organized-crime phishing infostealer china-nexus europe dach uk

2026-06-01

TA4922 — China-nexus cybercrime cluster expands from Japan into Germany, UK and Italy with native-language lures and Atlas RAT

notable synthesis discovered 2026-06-01 05:00 UTC

Proofpoint reported this week that TA4922, a Chinese-speaking financially-motivated cluster running the highest campaign tempo of any cybercrime actor Proofpoint tracks, pivoted in March–April 2026 to localised campaigns against German, UK, Italian and South African organisations (The Hacker News, 2026-06-04; BleepingComputer, 2026-06-04; daily 2026-06-05). Native-language tax-authority, HR/payroll and invoice lures now pair the known ValleyRAT (Winos 4.0) with newly observed Atlas RAT (C-based), RomulusLoader, and SilentRunLoader (Python infostealer targeting Chrome credentials). A notable TTP shift: conversations are moved to LINE, WhatsApp and Microsoft Teams before payload delivery, pulling targets off enterprise email controls. DACH public-sector and finance staff are in direct scope. Hunt for DLL side-loading chains where AnyDesk/SyncFuture load from unexpected user-profile paths, for Python processes reaching Chrome DPAPI, and for unsolicited inbound contact on Teams/WhatsApp that pivots to a "document."

organized-crime phishing infostealer china-nexus europe dach uk
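The hunt guidance in the two TA4922 entries above (DLL side-loading by trusted AnyDesk/SyncFuture binaries launched from user-profile paths, and Python processes reading Chrome's credential store) can be expressed as two simple rules over endpoint telemetry. The script below is an added example written for this page; it is not code from Proofpoint or from any of the cited sources. It assumes a Sysmon-like event shape (image-load and file-access events with the acting process image path and the loaded DLL or opened file), assumes the install directories listed in `EXPECTED_DIRS` (the SyncFuture path is a hypothetical placeholder), and runs over constructed sample events, not real telemetry.

```python
"""Hunt rules for the TA4922 TTPs summarised above.

Rule 1: a trusted remote-access binary (AnyDesk, SyncFuture) running outside its
        expected install directory, under a user profile, loads a DLL from its own
        working directory (DLL side-loading, T1574.002).
Rule 2: a Python interpreter opens one of Chrome's credential-store files
        (credential/cookie theft from browsers, T1555.003).
All events below are constructed samples for illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import List, Optional

# Assumption: where the legitimate binaries live on a managed host.
# The SyncFuture path is a hypothetical placeholder, not a documented install path.
EXPECTED_DIRS = {
    "anydesk.exe": {"C:\\Program Files (x86)\\AnyDesk", "C:\\Program Files\\AnyDesk"},
    "syncfuture.exe": {"C:\\Program Files\\SyncFuture"},
}
USER_PROFILE_PREFIX = "c:\\users\\"
CHROME_CREDENTIAL_FILES = {"login data", "cookies", "local state"}


@dataclass
class Event:
    kind: str      # "image_load" (process loaded a DLL) or "file_access" (process opened a file)
    process: str   # full image path of the acting process
    target: str    # DLL loaded or file opened


def flag_sideload(ev: Event) -> Optional[str]:
    """Rule 1: trusted binary outside its install dir loads a DLL from its own directory."""
    proc = PureWindowsPath(ev.process)
    name = proc.name.lower()
    if ev.kind != "image_load" or name not in EXPECTED_DIRS:
        return None
    proc_dir = str(proc.parent).lower()
    dll = PureWindowsPath(ev.target)
    in_expected_dir = proc_dir in {d.lower() for d in EXPECTED_DIRS[name]}
    loads_from_own_dir = str(dll.parent).lower() == proc_dir
    if not in_expected_dir and loads_from_own_dir and proc_dir.startswith(USER_PROFILE_PREFIX):
        return f"possible DLL side-load: {name} at {proc.parent} loaded {dll.name}"
    return None


def flag_chrome_cred_access(ev: Event) -> Optional[str]:
    """Rule 2: python/pythonw opens a Chrome credential-store file."""
    name = PureWindowsPath(ev.process).name.lower()
    if ev.kind != "file_access" or not name.startswith(("python", "pythonw")):
        return None
    tgt = PureWindowsPath(ev.target)
    if tgt.name.lower() in CHROME_CREDENTIAL_FILES and "chrome" in str(tgt).lower():
        return f"python process {ev.process} read Chrome credential store '{tgt.name}'"
    return None


def hunt(events: List[Event]) -> List[str]:
    """Apply both rules to every event and return the findings in event order."""
    hits = []
    for ev in events:
        for rule in (flag_sideload, flag_chrome_cred_access):
            msg = rule(ev)
            if msg:
                hits.append(msg)
    return hits


# Constructed sample telemetry: two benign events and three that match the TTPs.
SAMPLE_EVENTS = [
    # Benign: AnyDesk from its install directory loading a system DLL.
    Event("image_load", "C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe",
          "C:\\Windows\\System32\\version.dll"),
    # Suspicious: AnyDesk dropped into a user temp folder, loading a DLL beside itself.
    Event("image_load", "C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice\\AnyDesk.exe",
          "C:\\Users\\alice\\AppData\\Local\\Temp\\Invoice\\constructed_payload.dll"),
    # Benign: Python reading an ordinary data file.
    Event("file_access", "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\python.exe",
          "C:\\Users\\alice\\project\\data.csv"),
    # Suspicious: Python reading Chrome's saved-credential database.
    Event("file_access", "C:\\Users\\alice\\AppData\\Local\\Programs\\Python\\Python312\\python.exe",
          "C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"),
    # Suspicious: SyncFuture run from Downloads, loading a DLL beside itself.
    Event("image_load", "C:\\Users\\alice\\Downloads\\SyncFuture.exe",
          "C:\\Users\\alice\\Downloads\\constructed_payload.dll"),
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

Both rules deliberately key on the relationship between the process path and the loaded or opened path rather than on any specific DLL or file name, since the side-loaded DLL name is whatever the lure bundle ships; in production the `EXPECTED_DIRS` allow-list would come from the software inventory of the estate being hunted.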