Find notable cyber news and cases, enriched with sources, timelines, and signals.

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
First reported
Last updated
Happening score
H score 33
3 unique sources, 3 articles

Summary

Hide ▲

TA4922, a China-linked and likely financially motivated malware activity, has expanded beyond East Asia into Europe and Africa. The group uses Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT/Winos 4.0 to gain remote access, steal browser credentials and other data, and support fraud and access resale. Delivery commonly relies on DLL side-loading, localized phishing lures, and staged payloads from consumer file-sharing services, while the actor also pushes targets toward LINE, WhatsApp, and Microsoft Teams to continue social engineering outside email defenses.

Related Happenings

ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion

Technical Analysis
H score74 First: 01.07.2026 08:32 Last: 01.07.2026 08:32 Sources 1

About this happening: Analysis of ClickFix payload delivery shows operators moving to API-driven servers and a Downloads-folder orchestrator, increasing stealth across live campaigns. The b...

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score33 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The KongTuke operation is using ClickFix lures and Microsoft Teams messages to widen access-seeking attacks against multiple organizations, increasing the risk of...

Mistic backdoor attack activity targeting enterprise sectors since April

Malware Activity
H score33 First: 24.06.2026 13:41 Last: 24.06.2026 13:41 Sources 1

About this happening: The Mistic backdoor is being used in financially motivated attacks against insurance, education, IT, and professional services organizations, giving operators a stealt...

WhatsApp VBScript infection chain installing ManageEngine RMM Central

Malware Activity
H score20 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: VBScript attachments spread through WhatsApp direct messages are now driving a multi-stage Windows infection chain that can end in remote access to victim systems. The...

Gentlemen ransomware EDR-killer tooling

Malware Activity
H score35 First: 19.06.2026 01:31 Last: 19.06.2026 01:31 Sources 1

About this happening: Gentlemen ransomware-as-a-service (RaaS) is actively maintaining a suite of EDR killers led by GentleKiller to disable endpoint defenses before encryption. ESET says t...

Timeline

  1. 04.06.2026 00:45 4 articles · 1mo ago

    TA4922 expands into Europe with Atlas RAT and related loaders

    Technical Analysis Update

    Proofpoint says TA4922 has expanded from East Asia into Germany, Italy, the United Kingdom, and South Africa, using localized phishing lures and previously undocumented malware. The toolkit includes Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT, enabling remote access, file theft, keylogging, screenshot capture, audio and webcam recording, and browser credential theft, while RomulusLoader delivers payloads through process hollowing, shellcode injection, and direct execution. Proofpoint also published indicators of compromise for the malware and command-and-control infrastructure used in TA4922 activity.

    Show sources