Atlas RAT
Atlas RAT is a recently identified modular remote access trojan/backdoor used by TA4922, a Chinese-speaking and likely financially motivated threat actor. It has been deployed in phishing-driven campaigns observed in March and April 2026, including HR-, business-, and invoice-themed lures targeting organizations in Japan, the United Kingdom, Germany, and other regions. Observed delivery relied on DLL sideloading from archive files hosted on services such as GoFile; the malicious DLLs included libcef.dll. Atlas RAT is described as a multi-stage, full-featured backdoor in which a final core module and auxiliary plugins are downloaded from command-and-control infrastructure.
Reported capabilities include system reconnaissance and harvesting of broad system specifications, arbitrary command execution, targeted file theft and file upload, plugin and payload download, keylogging, screenshot capture, clipboard theft, audio recording, webcam/video capture, and system shutdown or reboot commands. The malware also performs anti-sandbox and anti-analysis checks, including checks for WDAGUtilityAccount, CExecSvc, the DNS suffix mshome, the vmsmb device, Windows activation indicators, and the WDAG RunOnce registry key before enabling functionality. One report states it uses direct syscalls via SysWhispers to load shellcode and retrieve its core module, and another states it uses ChaCha encryption for command-and-control communications.
Atlas RAT has been associated primarily with TA4922, though other reporting notes overlap with Silver Fox and also refers to Atlas RAT as AtlasCross RAT. Observed command-and-control infrastructure for Atlas RAT campaigns includes 206.238.115.58 over TCP port 886 and 154.211.86.110 over TCP port 886. High-confidence filenames and artifacts mentioned in reporting include libcef.dll and campaign archive names such as "【給与調整のお知らせ】.zip," "Paperwork.zip," "HR (2).zip," and "電子請求書発行のお知らせ.zip."
Groups observed using it
2 distinct threat actors attributed by public researchers.
For high-value targets, the threat group deploys Atlas RAT, a full-featured modular backdoor trojan. This advanced payload can harvest broad system specifications and execute arbitrary commands.
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
The attacker relied primarily on human resources and business-themed lures to target victims. These campaigns delivered credential phishing, fraud, and a newly identified malware called Atlas RAT.
Execution (2 techniques)
Privilege Escalation (1 technique)
Stealth (4 techniques)
RomulusLoader starts one or more “workers”, which are effectively copies of its code that are injected into other processes (such as svchost.exe and dllhost.exe).
The target receives a legitimate executable file and a malicious DLL (the Atlas RAT loader) that is sideloaded into the executable’s process.
Before activating these features, the backdoor runs several complex environmental checks. It verifies whether the host environment belongs to an automated analysis sandbox. Specifically, it checks for built-in sandbox names like WDAGUtilityAccount or virtualization flags like mshome. If the environment appears unsafe, the malware instantly terminates its execution to evade signature generation.
Credential Access (1 technique)
Discovery (5 techniques)
This advanced payload can harvest broad system specifications and execute arbitrary commands.
Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
The malware also checks for a camera as well as the audio (recording and output) devices on the endpoint and sends this data to the C2.
Before activating these features, the backdoor runs several complex environmental checks. It verifies whether the host environment belongs to an automated analysis sandbox. Specifically, it checks for built-in sandbox names like WDAGUtilityAccount or virtualization flags like mshome. If the environment appears unsafe, the malware instantly terminates its execution to evade signature generation.
Collection (6 techniques)
Proofpoint’s report highlights Atlas RAT, a recently identified remote access trojan that offers attackers the following capabilities: ... Targeted file theft
For example, the tool can record surrounding audio, capture webcam feeds, log keystrokes, and steal clipboard data.
Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
Command and Control (3 techniques)
Atlas RAT ... connected to a command-and-control server at 206.238.115.58 over port 886... Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure.
These campaigns delivered credential phishing, fraud, and a newly identified malware called Atlas RAT. New loader families, designated RomulusLoader and SilentRunLoader, were also introduced to stage additional tools.
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems, or legitimate remote monitoring and management (RMM) software, like AnyDesk. In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system.
Exfiltration (1 technique)
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A modular remote access trojan/backdoor used for surveillance and control. It can collect system information, execute arbitrary commands, record audio, capture webcam feeds, log keystrokes, steal clipboard data, and perform sandbox and virtualization checks before activating.
A newly identified remote access trojan used in TA4922 campaigns alongside credential phishing and fraud activity.
Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
A remote access trojan delivered via phishing and DLL side-loading to obtain remote access to victim environments.