TA4922 expanded European phishing-and-malware campaign
Campaign
Summary
Hide ▲
Show ▼
TA4922 is a China-linked cybercrime campaign that has expanded from East Asia into Europe and Africa, including the U.K., Germany, Italy, and South Africa. The actor is financially motivated and uses localized tax, payroll, invoice, and HR lures to drive credential theft, fraud, and remote access for access resale. Recent waves have used Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT/Winos 4.0, often delivered through DLL sideloading and staged via consumer file-sharing services. The activity also pushes targets to LINE, WhatsApp, and Microsoft Teams, extending social engineering beyond email and increasing the risk of persistent intrusion and Chrome data theft.
Related Happenings
UNK_MassTraction Roundcube university exploitation campaign
Campaign
H score41
First: 07.07.2026 12:10
Last: 07.07.2026 12:10
Sources 1
About this happening:
The UNK_MassTraction campaign is a China-linked activity targeting Roundcube webmail at U.S. and Canadian universities and related research organizations to steal...
UNK_MassTraction Roundcube university exploitation campaign
CampaignAbout this happening: The UNK_MassTraction campaign is a China-linked activity targeting Roundcube webmail at U.S. and Canadian universities and related research organizations to steal...
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The KongTuke operation is using ClickFix lures and Microsoft Teams messages to widen access-seeking attacks against multiple organizations, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The KongTuke operation is using ClickFix lures and Microsoft Teams messages to widen access-seeking attacks against multiple organizations, increasing the risk of...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware Activity
H score20
First: 23.06.2026 08:38
Last: 23.06.2026 08:38
Sources 1
About this happening:
VBScript attachments spread through WhatsApp direct messages are now driving a multi-stage Windows infection chain that can end in remote access to victim systems. The...
WhatsApp VBScript infection chain installing ManageEngine RMM Central
Malware ActivityAbout this happening: VBScript attachments spread through WhatsApp direct messages are now driving a multi-stage Windows infection chain that can end in remote access to victim systems. The...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
How related:
These efforts have been complemented by a "rapid operational tempo" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader, according to Proofpoint.
About this happening:
TA4922, a China-linked and likely financially motivated malware activity, has expanded beyond East Asia into Europe and Africa. The group uses Atlas RAT*...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware ActivityHow related: These efforts have been complemented by a "rapid operational tempo" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously undocumented tools called RomulusLoader and SilentRunLoader, according to Proofpoint.
About this happening: TA4922, a China-linked and likely financially motivated malware activity, has expanded beyond East Asia into Europe and Africa. The group uses Atlas RAT*...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
Campaign
H score39
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian,...
GreyVibe AI-assisted cyberespionage campaign targeting Ukraine-linked organizations
CampaignAbout this happening: GreyVibe is running an AI-assisted cyberespionage campaign against Ukrainian and Ukraine-related organizations, expanding the threat to military, government, civilian,...
Timeline
-
04.06.2026 00:45 4 articles · 1mo ago
TA4922 expands phishing-and-malware campaigns into Germany, Italy, the United Kingdom, and South Africa
Campaign Scope UpdateTA4922 broadens financially motivated activity into Germany, Italy, the United Kingdom, and South Africa, using localized phishing lures that impersonate payroll notices, tax audits, VAT filings, government compliance notices, invoices, and HR communications. The group also contacts victims through WhatsApp, LINE, and Microsoft Teams, and its toolkit includes Atlas RAT, RomulusLoader, SilentRunLoader, and Winos4.0/ValleyRAT for fraud, data theft, and access brokerage.
Show sources
- Chinese hackers use new Atlas RAT malware in European cyberattacks — www.bleepingcomputer.com — 04.06.2026 00:45
- Chinese hackers use new Atlas RAT malware in European cyberattacks — www.bleepingcomputer.com — 04.06.2026 00:45
- China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa — thehackernews.com — 04.06.2026 15:22
- Chinese-Speaking Actor TA4922 Widens Its Global Reach — www.infosecurity-magazine.com — 04.06.2026 17:00