Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
Summary
The deployment of Atlas RAT and related loaders is expanding remote access, credential theft, and surveillance-capable malware activity against organizations in Europe and other regions. The tooling adds system reconnaissance, keylogging, screenshot capture, and audio/webcam recording, increasing the risk of persistent compromise and data exfiltration. RomulusLoader can deliver payloads through process hollowing, shellcode injection, and direct execution, while SilentRunLoader steals Chrome credentials, cookies, and browsing data. The activity also uses localized phishing lures and messaging apps to reach victims and deliver payloads more effectively.
Related Happenings
TA4922 expanded European phishing-and-malware campaign
Campaign
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
How related:
“TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives,” Proofpoint says in a report today.
About this happening:
The **TA4922** campaign expanded into **Germany, Italy, the United Kingdom, and South Africa**, pairing localized phishing with malware delivery and increasing the risk of **fraud...
Steaelite Windows RAT with FUD and multi-function capabilities
Malware Activity
First: 27.02.2026 12:06
Last: 27.02.2026 12:06
Sources 1
About this happening:
The **Steaelite** Windows RAT is being marketed as a **fully undetectable** tool for **Windows 10 and 11**, giving operators browser-based control over infected machines and enabl...
BeaverTail malware variant with multi-path delivery and follow-on payloads
Malware Activity
First: 18.12.2025 14:00
Last: 18.12.2025 14:00
Sources 1
About this happening:
A newly observed **BeaverTail** malware variant is stealing wallet data and credentials while loading follow-on payloads, increasing risk for **cryptocurrency traders, developers...
RONINGLOADER multi-stage delivery of modified Gh0st RAT
Malware Activity
First: 17.11.2025 13:20
Last: 17.11.2025 13:20
Sources 1
About this happening:
**RONINGLOADER** is being used to deploy a modified **Gh0st RAT**, creating a multi-stage infection chain that raises the risk of **payload execution** and **defense bypass** on i...
Timeline
- 04.06.2026 00:45 · 2 articles · 1h ago
TA4922 expands into Europe with Atlas RAT and related loaders
Technical Analysis Update: Proofpoint says TA4922 has expanded from East Asia into Germany, Italy, the United Kingdom, and South Africa, using localized phishing lures and previously undocumented malware. The toolkit includes Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT, enabling remote access, file theft, keylogging, screenshot capture, audio and webcam recording, and browser credential theft, while RomulusLoader delivers payloads through process hollowing, shellcode injection, and direct execution. Proofpoint also published indicators of compromise for the malware and command-and-control infrastructure used in TA4922 activity.
Sources:
- Chinese hackers use new Atlas RAT malware in European cyberattacks — www.bleepingcomputer.com — 04.06.2026 00:45
- Chinese hackers use new Atlas RAT malware in European cyberattacks — www.bleepingcomputer.com — 04.06.2026 00:45