TA4922 expanded European phishing-and-malware campaign
Campaign
Summary
The TA4922 campaign expanded into Germany, Italy, the United Kingdom, and South Africa, pairing localized phishing with malware delivery and increasing the risk of fraud, data theft, and access brokerage. Since March, activity has climbed sharply, and since April it has shown unusually high tempo and operational diversity. The operation uses lures that impersonate payroll notices, tax audits, VAT filings, government compliance notices, invoices, and HR communications. Victims are also approached through WhatsApp, LINE, and Microsoft Teams.
Related Happenings
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
How related:
“Proofpoint reports that TA4922 has significantly expanded its malware arsenal and believes the hackers may be using large language models (LLMs) to accelerate malware development.”
About this happening:
The deployment of **Atlas RAT** and related loaders is expanding **remote access**, **credential theft**, and **surveillance-capable** malware activity against organizations in **...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GreyVibe** is running an **AI-assisted cyberespionage campaign** against **Ukrainian and Ukraine-related organizations**, expanding the threat to military, government, civilian,...
Code of conduct-themed Microsoft AiTM phishing campaign
Campaign
First: 05.05.2026 09:35
Last: 05.05.2026 09:35
Sources 1
About this happening:
A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...
Tax-season credential phishing and RMM malware campaign
Campaign
First: 30.03.2026 18:00
Last: 30.03.2026 18:00
Sources 1
About this happening:
A **tax-themed** cyber campaign is using **credential phishing**, **remote monitoring and management (RMM) tools**, and **fraud lures** to target people handling **financial data*...
U.S. tax-season phishing and malware-delivery campaign
Campaign
First: 23.03.2026 12:55
Last: 23.03.2026 12:55
Sources 1
About this happening:
The **U.S. tax-season phishing campaigns** are harvesting credentials and delivering malware, putting **individuals**, **accountants**, and other professionals at risk. The lures...
Timeline
- 04.06.2026 00:45 · 2 articles · 1h ago
TA4922 expands phishing-and-malware campaigns into Germany, Italy, the United Kingdom, and South Africa
Campaign Scope Update
TA4922 broadens financially motivated activity into Germany, Italy, the United Kingdom, and South Africa, using localized phishing lures that impersonate payroll notices, tax audits, VAT filings, government compliance notices, invoices, and HR communications. The group also contacts victims through WhatsApp, LINE, and Microsoft Teams, and its toolkit includes Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for fraud, data theft, and access brokerage.
Sources
- Chinese hackers use new Atlas RAT malware in European cyberattacks — www.bleepingcomputer.com — 04.06.2026 00:45