Find notable cyber news and cases, enriched with sources, timelines, and signals.

TA4922 expanded European phishing-and-malware campaign

Campaign
First reported
Last updated
Happening score
H score 40
3 unique sources, 3 articles

Summary

Hide ▲

TA4922 is a China-linked cybercrime campaign that has expanded from East Asia into Europe and Africa, including the U.K., Germany, Italy, and South Africa. The actor is financially motivated and uses localized tax, payroll, invoice, and HR lures to drive credential theft, fraud, and remote access for access resale. Recent waves have used Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT/Winos 4.0, often delivered through DLL sideloading and staged via consumer file-sharing services. The activity also pushes targets to LINE, WhatsApp, and Microsoft Teams, extending social engineering beyond email and increasing the risk of persistent intrusion and Chrome data theft.

Related Happenings

UNK_MassTraction Roundcube university exploitation campaign

Campaign
H score41 First: 07.07.2026 12:10 Last: 07.07.2026 12:10 Sources 1

About this happening: The UNK_MassTraction campaign is a China-linked activity targeting Roundcube webmail at U.S. and Canadian universities and related research organizations to steal...

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score33 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The KongTuke operation is using ClickFix lures and Microsoft Teams messages to widen access-seeking attacks against multiple organizations, increasing the risk of...

WhatsApp VBScript infection chain installing ManageEngine RMM Central

Malware Activity
H score20 First: 23.06.2026 08:38 Last: 23.06.2026 08:38 Sources 1

About this happening: VBScript attachments spread through WhatsApp direct messages are now driving a multi-stage Windows infection chain that can end in remote access to victim systems. The...

Atlas RAT and related loaders deployed for remote access and credential theft

Malware Activity
H score33 First: 04.06.2026 00:45 Last: 04.06.2026 00:45 Sources 1

How related: These efforts have been complemented by a "rapid operational tempo" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader, according to Proofpoint.

About this happening: TA4922, a China-linked and likely financially motivated malware activity, has expanded beyond East Asia into Europe and Africa. The group uses Atlas RAT*...

GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations

Campaign
H score39 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian,...

Timeline

  1. 04.06.2026 00:45 4 articles · 1mo ago

    TA4922 expands phishing-and-malware campaigns into Germany, Italy, the United Kingdom, and South Africa

    Campaign Scope Update

    TA4922 broadens financially motivated activity into Germany, Italy, the United Kingdom, and South Africa, using localized phishing lures that impersonate payroll notices, tax audits, VAT filings, government compliance notices, invoices, and HR communications. The group also contacts victims through WhatsApp, LINE, and Microsoft Teams, and its toolkit includes Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for fraud, data theft, and access brokerage.

    Show sources