TA4922
TA4922 is a Chinese-speaking, likely East Asia-based threat actor that Proofpoint has tracked since spring 2025 and assesses as primarily financially motivated. Proofpoint describes the group as a cybercrime operation rather than an espionage actor, while noting overlap in tooling, infrastructure, and social engineering with Silver Fox and Void Arachne, and that some of its malware capabilities could support surveillance. TA4922's reported objective is remote access that can be monetized through fraud, data theft, access brokering or resale, and persistence.

TA4922 historically targeted organizations in East Asia, especially Japan, and has also targeted Taiwan, South Korea, Singapore, Malaysia, Indonesia, India, and Italy. By early 2026 it had expanded into Europe and Africa, including the United Kingdom, Germany, Italy, and South Africa. Proofpoint reports a very high operational tempo: the actor runs more unique campaigns than any other cybercrime actor in Proofpoint's tracking.

The actor relies heavily on localized phishing and impersonation. Observed lures include tax authority, payroll, HR, salary adjustment, benefits, compliance, invoice, and general business themes, often written in local languages and dialects. TA4922 also tries to move victims from email to out-of-band platforms, including LINE, WhatsApp, and Microsoft Teams, where it continues the social engineering, harvests contact information, and delivers malware outside the visibility of email security controls. In tax-themed campaigns, Proofpoint observed TA4922 impersonating national tax authorities to request phone numbers and then escalating by impersonating finance leadership.

Delivery and execution chains are diverse: malicious links, archive attachments, cloud-hosted files, shortened URLs, direct executables, credential-phishing pages, DLL sideloading, and abuse of legitimate remote monitoring and management (RMM) tools such as AnyDesk and SyncFuture.
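As an added illustration of the delivery pattern above (this is not code from Proofpoint or Mallory), the following Python script hunts mail-gateway metadata for the combination the reporting describes: lure themes sent from many disposable free-mail accounts, plus requests to move the conversation to LINE, WhatsApp, Teams, or a phone number. The record schema, the keyword lists, the threshold, and the sample messages are all constructed assumptions; real campaigns are localized, so the keyword lists would need per-language equivalents.

```python
"""Hunt for TA4922-style lure patterns in mail-gateway metadata.

Added example, not Proofpoint's or Mallory's code. The records below are
constructed; the field names (ts, sender, subject, body_excerpt), keyword
lists and threshold are assumptions, not a vendor schema.
"""
import re
from collections import defaultdict
from datetime import datetime

# Free-mail providers the reporting associates with disposable sender accounts.
FREE_MAIL = {"outlook.com", "hotmail.com", "gmail.com"}

# Lure themes named in the reporting. English keywords only; localized lures
# need per-language lists, which is exactly why the campaigns are regionalized.
THEMES = {
    "tax": re.compile(r"\b(tax|refund|withholding)\b", re.I),
    "payroll": re.compile(r"\b(payroll|salary|wage|payslip)\b", re.I),
    "hr": re.compile(r"\b(hr|human resources|benefits|compliance)\b", re.I),
    "invoice": re.compile(r"\b(invoice|remittance|payment)\b", re.I),
}

# Out-of-band pivot: the actor asks to leave email before delivering malware.
PIVOT = re.compile(r"\b(line (?:id|app)|whatsapp|teams|phone number|mobile number)\b", re.I)


def sender_domain(addr):
    return addr.rsplit("@", 1)[-1].lower()


def classify(msg):
    """Return (theme, asks_for_pivot) for one message, or None if no lure theme matches."""
    text = f"{msg['subject']} {msg['body_excerpt']}"
    theme = next((name for name, rx in THEMES.items() if rx.search(text)), None)
    if theme is None:
        return None
    return theme, bool(PIVOT.search(text))


def hunt(messages, min_distinct_senders=3):
    """Group free-mail lure messages by (day, theme). Flag a group when it uses
    many distinct disposable senders or asks for an out-of-band channel."""
    groups = defaultdict(lambda: {"senders": set(), "pivot": 0, "count": 0})
    for m in messages:
        if sender_domain(m["sender"]) not in FREE_MAIL:
            continue
        hit = classify(m)
        if hit is None:
            continue
        theme, pivot = hit
        day = datetime.fromisoformat(m["ts"]).date().isoformat()
        g = groups[(day, theme)]
        g["senders"].add(m["sender"].lower())
        g["count"] += 1
        g["pivot"] += pivot
    findings = []
    for (day, theme), g in sorted(groups.items()):
        reasons = []
        if len(g["senders"]) >= min_distinct_senders:
            reasons.append(f"{len(g['senders'])} distinct free-mail senders")
        if g["pivot"]:
            reasons.append(f"{g['pivot']} message(s) request an out-of-band channel")
        if reasons:
            findings.append({"day": day, "theme": theme, "messages": g["count"], "reasons": reasons})
    return findings


# Constructed sample: a tax-themed burst from three throwaway accounts (one asking
# for a phone number), one payroll lure pushing WhatsApp, and two benign messages.
SAMPLE = [
    {"ts": "2026-02-03T08:01:00", "sender": "nta.notice.2291@outlook.com",
     "subject": "Tax refund adjustment", "body_excerpt": "Please confirm your details"},
    {"ts": "2026-02-03T08:04:00", "sender": "revenue.office.77@hotmail.com",
     "subject": "Tax withholding correction", "body_excerpt": "See attached"},
    {"ts": "2026-02-03T08:09:00", "sender": "tax.desk.5513@gmail.com",
     "subject": "Tax notice", "body_excerpt": "Reply with your phone number so an officer can contact you"},
    {"ts": "2026-02-03T09:30:00", "sender": "hr.team.update@outlook.com",
     "subject": "Salary adjustment 2026", "body_excerpt": "Add us on WhatsApp to receive the new payslip"},
    {"ts": "2026-02-03T10:00:00", "sender": "accounts@example.com",
     "subject": "Invoice 4471", "body_excerpt": "Attached as agreed"},
    {"ts": "2026-02-04T07:00:00", "sender": "friend@gmail.com",
     "subject": "Lunch?", "body_excerpt": "Thursday works"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE):
        print(finding)
```

Grouping by day and theme rather than by sender is the point: each disposable address sends only a handful of messages, so per-sender reputation stays clean while the per-theme burst stands out. The out-of-band request is flagged even for a single message, because that step precedes any malware delivery and is the last point at which email telemetry can see the conversation.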
The group runs sender infrastructure at scale, including thousands of disposable sender addresses, often Outlook, Hotmail, and Gmail accounts.

Malware associated with TA4922 includes ValleyRAT/Winos4.0, Atlas RAT, RomulusLoader, and SilentRunLoader.

ValleyRAT is described as part of the Winos4.0 ecosystem and provides full remote-access functionality; Proofpoint also observed a heavily modified Winos4.0 variant in early 2026.

Atlas RAT is a modular backdoor used against higher-value targets. Its capabilities include system reconnaissance, arbitrary command execution, file upload and management, plugin and payload loading, keylogging, screenshot capture, clipboard theft, audio recording, webcam capture, and system shutdown or reboot. It also performs anti-sandbox and anti-analysis checks.

RomulusLoader is a C-based loader that downloads and executes follow-on payloads and deploys legitimate RMM software. Reported behaviors include masquerading as legitimate components such as Vulkan Graphics API or AnyDesk utilities, DLL sideloading, persistence via common system directories, shellcode execution, process injection into legitimate processes such as svchost.exe and dllhost.exe, process hollowing, and download-and-execute functionality.

SilentRunLoader is a compiled Python-based loader and stealer focused on Google Chrome data theft. It harvests stored credentials, cookies, and browsing history, archives the data, and uploads it to actor-controlled infrastructure. Proofpoint assessed with high confidence that TA4922 likely uses large language models to accelerate development of some of its newer Python malware, citing placeholder values and coding artifacts in SilentRunLoader.

Related names in reporting include ValleyRAT/Winos4.0 and Atlas RAT/AtlasCross RAT; the reporting also notes ecosystem overlap with Silver Fox and Void Arachne, but Proofpoint tracks TA4922 as a distinct threat cluster.
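The host-side behaviors listed above for RomulusLoader and SilentRunLoader translate into a small set of endpoint detections. The Python below is an added example, not Proofpoint's or Mallory's code, run over constructed events with an assumed schema loosely modelled on Sysmon (process create, image load, CreateRemoteThread, file access, file create, network connection). The lookalike-name list, the sideload watchlist (vulkan-1.dll), the user-writable path prefixes, the `signed` field, and all sample paths and addresses are assumptions for illustration; no indicators from the reporting are used.

```python
"""Flag host behaviours the reporting attributes to RomulusLoader and SilentRunLoader.

Added example, not Proofpoint's or Mallory's code. The event stream is
constructed and its fields (kind, pid, image, target, loaded, signed, dest)
are an assumed schema loosely modelled on Sysmon, not a real product format.
"""
import ntpath
from collections import defaultdict

USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")  # assumption
INJECTION_TARGETS = {"svchost.exe", "dllhost.exe"}   # injection targets named in the reporting
LOOKALIKE_NAMES = ("anydesk", "vulkan")               # masquerade names from the reporting
SIDELOAD_WATCHLIST = {"vulkan-1.dll"}                 # assumption: DLL normally under System32
CHROME_FILES = {"login data", "cookies", "history"}   # SilentRunLoader's Chrome targets
ARCHIVE_EXT = (".zip", ".7z", ".rar")


def base(path):
    return ntpath.basename(path).lower()


def user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def is_chrome_data(path):
    # Matches Default\Login Data, Default\History and Default\Network\Cookies alike.
    p = path.lower()
    return "\\google\\chrome\\user data\\" in p and base(p) in CHROME_FILES


def analyze(events):
    """Return (rule, pid, detail) tuples. Per-pid state chains a Chrome data read,
    an archive write and an outbound connection into one exfiltration alert."""
    alerts = []
    state = defaultdict(lambda: {"chrome_read": False, "archive": None})
    for e in events:
        kind, pid, img = e["kind"], e["pid"], e["image"]
        st = state[pid]
        if kind == "process_create":
            # Lookalike name without a valid signature (signed is an assumed field).
            if any(n in base(img) for n in LOOKALIKE_NAMES) and not e.get("signed", False):
                alerts.append(("masquerade", pid, f"unsigned {base(img)} started from {img}"))
        elif kind == "image_load":
            dll = e["loaded"]
            if base(dll) in SIDELOAD_WATCHLIST and user_writable(dll):
                alerts.append(("sideload", pid, f"{base(img)} loaded {base(dll)} from {ntpath.dirname(dll)}"))
        elif kind == "remote_thread":
            if base(e["target"]) in INJECTION_TARGETS and user_writable(img):
                alerts.append(("injection", pid, f"{base(img)} created a thread in {base(e['target'])} pid {e['target_pid']}"))
        elif kind == "file_access":
            if is_chrome_data(e["target"]) and base(img) != "chrome.exe":
                st["chrome_read"] = True
                alerts.append(("browser_data_access", pid, f"{base(img)} read {base(e['target'])}"))
        elif kind == "file_create":
            if st["chrome_read"] and e["target"].lower().endswith(ARCHIVE_EXT):
                st["archive"] = e["target"]
        elif kind == "network":
            if st["archive"]:
                alerts.append(("browser_data_exfil", pid, f"{base(img)} sent {base(st['archive'])} to {e['dest']}"))
                st["archive"] = None
    return alerts


# Constructed events: pid 4100 is a lookalike loader that sideloads and injects,
# pid 5200 harvests Chrome data and uploads an archive, pid 6000 is Chrome itself.
U = "C:\\Users\\alice"
LOADER = U + "\\Downloads\\AnyDesk.exe"
STEALER = U + "\\AppData\\Local\\Temp\\update.exe"
CHROME = "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"
PROFILE = U + "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\"
SAMPLE = [
    {"kind": "process_create", "pid": 4100, "image": LOADER, "signed": False},
    {"kind": "image_load", "pid": 4100, "image": LOADER, "loaded": U + "\\Downloads\\vulkan-1.dll"},
    {"kind": "remote_thread", "pid": 4100, "image": LOADER,
     "target": "C:\\Windows\\System32\\svchost.exe", "target_pid": 912},
    {"kind": "process_create", "pid": 5200, "image": STEALER, "signed": False},
    {"kind": "file_access", "pid": 5200, "image": STEALER, "target": PROFILE + "Login Data"},
    {"kind": "file_access", "pid": 5200, "image": STEALER, "target": PROFILE + "Network\\Cookies"},
    {"kind": "file_create", "pid": 5200, "image": STEALER, "target": U + "\\AppData\\Local\\Temp\\data.zip"},
    {"kind": "network", "pid": 5200, "image": STEALER, "dest": "203.0.113.10:443"},  # documentation IP
    {"kind": "file_access", "pid": 6000, "image": CHROME, "target": PROFILE + "History"},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE):
        print(alert)
```

The Chrome rules chain per process: a non-Chrome process reading Login Data, Cookies, or History is one alert, and the same process then writing an archive and opening an outbound connection is a second, higher-priority alert, which mirrors the harvest, archive, upload sequence described for SilentRunLoader. In production the masquerade rule should verify the Authenticode signer rather than a boolean, and legitimate portable RMM use needs an allow-list or the rule drowns in noise.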
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Who they target
Sectors the actor has been observed targeting.
- Government & Administration
- Financial Services
Where they target
Geographies tied to known operations.
- 🇯🇵 Japan
- 🇹🇼 Taiwan
- 🇮🇳 India
- 🇬🇧 United Kingdom
- 🇩🇪 Germany
- 🇮🇹 Italy
- 🇿🇦 South Africa
Where they're from
Attributed origin per open-source reporting.
- CN
Tradecraft
37 distinct techniques observed across reporting, grouped by tactic and mapped to MITRE ATT&CK.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
27 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
10 sources tracked across advisories, community write-ups, and news.
Financially motivated cybercrime group conducting high-volume malware campaigns using regionalized social engineering, out-of-band messaging shifts, and multiple loaders/backdoors against multinational corporations and government agencies.
Conducted campaigns using human resources and business-themed lures for credential phishing and fraud and to deliver newly identified malware, including Atlas RAT, with RomulusLoader and SilentRunLoader used to stage additional tools.
Financially motivated cybercrime actor conducting high-volume malware delivery campaigns for data theft, fraud, and persistent access. It uses localized HR-, tax-, and payroll-themed phishing lures, rapidly develops new Python-based malware, and has expanded operations from East Asia into Europe and South Africa.
China-linked, Chinese-speaking threat actor assessed as primarily financially motivated, conducting phishing campaigns to gain remote access for data theft, fraud, access resale, or persistent access. The group has expanded from largely targeting East Asia to also targeting European organizations and uses evolving malware delivery campaigns.