Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
Summary
Hide ▲
Show ▼
TA4922, a China-linked and likely financially motivated malware activity, has expanded beyond East Asia into Europe and Africa. The group uses Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT/Winos 4.0 to gain remote access, steal browser credentials and other data, and support fraud and access resale. Delivery commonly relies on DLL side-loading, localized phishing lures, and staged payloads from consumer file-sharing services, while the actor also pushes targets toward LINE, WhatsApp, and Microsoft Teams to continue social engineering outside email defenses.
Related Happenings
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical Analysis
H score74
First: 01.07.2026 08:32
Last: 01.07.2026 08:32
Sources 1
About this happening:
Analysis of ClickFix payload delivery shows operators moving to API-driven servers and a Downloads-folder orchestrator, increasing stealth across live campaigns. The b...
ClickFix payload delivery analysis exposes API-driven generation and Downloads-folder AMSI evasion
Technical AnalysisAbout this happening: Analysis of ClickFix payload delivery shows operators moving to API-driven servers and a Downloads-folder orchestrator, increasing stealth across live campaigns. The b...
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The KongTuke operation is using ClickFix lures and Microsoft Teams messages to widen access-seeking attacks against multiple organizations, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The KongTuke operation is using ClickFix lures and Microsoft Teams messages to widen access-seeking attacks against multiple organizations, increasing the risk of...
Mistic backdoor attack activity targeting enterprise sectors since April
Malware Activity
H score33
First: 24.06.2026 13:41
Last: 24.06.2026 13:41
Sources 1
About this happening:
The Mistic backdoor is being used in financially motivated attacks against insurance, education, IT, and professional services organizations, giving operators a stealt...
Mistic backdoor attack activity targeting enterprise sectors since April
Malware ActivityAbout this happening: The Mistic backdoor is being used in financially motivated attacks against insurance, education, IT, and professional services organizations, giving operators a stealt...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
VBScript attachments spread through WhatsApp direct messages are now driving a multi-stage Windows infection chain that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: VBScript attachments spread through WhatsApp direct messages are now driving a multi-stage Windows infection chain that can end in remote access to victim systems. The...
Gentlemen ransomware EDR-killer tooling
Malware Activity
H score35
First: 19.06.2026 01:31
Last: 19.06.2026 01:31
Sources 1
About this happening:
Gentlemen ransomware-as-a-service (RaaS) is actively maintaining a suite of EDR killers led by GentleKiller to disable endpoint defenses before encryption. ESET says t...
Gentlemen ransomware EDR-killer tooling
Malware ActivityAbout this happening: Gentlemen ransomware-as-a-service (RaaS) is actively maintaining a suite of EDR killers led by GentleKiller to disable endpoint defenses before encryption. ESET says t...
Timeline
-
04.06.2026 00:45 4 articles · 1mo ago
TA4922 expands into Europe with Atlas RAT and related loaders
Technical Analysis UpdateProofpoint says TA4922 has expanded from East Asia into Germany, Italy, the United Kingdom, and South Africa, using localized phishing lures and previously undocumented malware. The toolkit includes Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT, enabling remote access, file theft, keylogging, screenshot capture, audio and webcam recording, and browser credential theft, while RomulusLoader delivers payloads through process hollowing, shellcode injection, and direct execution. Proofpoint also published indicators of compromise for the malware and command-and-control infrastructure used in TA4922 activity.
Show sources
- Chinese hackers use new Atlas RAT malware in European cyberattacks — www.bleepingcomputer.com — 04.06.2026 00:45
- Chinese hackers use new Atlas RAT malware in European cyberattacks — www.bleepingcomputer.com — 04.06.2026 00:45
- China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa — thehackernews.com — 04.06.2026 15:22
- Chinese-Speaking Actor TA4922 Widens Its Global Reach — www.infosecurity-magazine.com — 04.06.2026 17:00