SilentRunLoader
SilentRunLoader is a Python-based loader and information stealer, described in reporting as a compiled Python utility and a newer loader family used by TA4922, a Chinese-speaking and likely financially motivated threat actor. It was first identified in campaigns observed on 2026-03-30 and was used alongside other TA4922 tooling such as RomulusLoader, Atlas RAT, and Winos4.0/ValleyRAT.
Its primary documented capability is theft of Google Chrome data. Reported functionality includes harvesting stored credentials, session cookies, and browsing history or browsing information from Chrome, archiving stolen browser data into a ZIP file, and exfiltrating it to actor-controlled infrastructure. Multiple sources state that SilentRunLoader also downloads or drops an additional executable, including a next-stage payload identified as cg.exe. Proofpoint reported that it was installed via DLL sideloading in at least some campaigns and exfiltrated Chrome data to previously observed command-and-control infrastructure.
SilentRunLoader was deployed in phishing campaigns using localized social engineering lures, especially tax authority-, benefits-, and compliance-themed emails. High-confidence examples include HMRC or fake tax authority lures targeting organizations in the United Kingdom, as well as benefits- and compliance-themed campaigns affecting recipients in the U.K. and Southeast Asia. Delivery methods mentioned in reporting include DLL sideloading and shortened URLs redirecting to MediaFire-hosted archives.
The malware is associated with TA4922 campaigns targeting organizations in the United Kingdom and Southeast Asia, within a broader TA4922 victimology spanning East Asia, Europe, and South Africa. Reporting also notes code artifacts such as placeholder values and the unchanged string "your_secret_key_here," leading researchers to assess with high confidence that TA4922 likely used large language models to help accelerate development of this Python malware.
Known infrastructure and indicators directly tied to SilentRunLoader in public reporting include the domain ws.ztts88.cyou, the upload path https://ws.ztts88.cyou/upload.php, the resolved IP 18.139.83.110, and the payload name cg.exe.
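The indicators above are the kind of thing a defender wants matched against egress telemetry. The following is an added illustration, not code from the page or from any vendor product: it runs a small hunt over constructed HTTP proxy log lines, flagging the reported domain, IP, and upload URL as high-confidence matches and a ZIP archive being POSTed anywhere as a lower-confidence behavioural signal (the page describes the stealer zipping Chrome data before upload). The nine-field log format and the sample lines are constructed for the example; only the indicator values come from the page.

```python
"""Hunt for SilentRunLoader exfiltration traffic in HTTP proxy logs.

Added example, not the page's or any vendor's code. The log layout
(timestamp src_ip method dst_ip host path status content_type bytes)
is a constructed format, not a real product's; the indicator values
are the ones reported for SilentRunLoader on the page above.
"""
import ipaddress
from dataclasses import dataclass, field

# Indicators reported for SilentRunLoader.
IOC_DOMAINS = {"ws.ztts88.cyou"}
IOC_IPS = {ipaddress.ip_address("18.139.83.110")}
IOC_UPLOAD_PATHS = {"/upload.php"}  # only meaningful together with the domain
# Content types that indicate an archive being uploaded (behavioural signal).
ZIP_TYPES = {"application/zip", "application/x-zip-compressed"}


@dataclass
class Hit:
    line_no: int
    src_ip: str
    reasons: list = field(default_factory=list)

    @property
    def high_confidence(self):
        # Any reason tied to a published indicator outranks behavioural matches.
        return any(r.startswith("IOC") for r in self.reasons)


def parse_line(line):
    """Split one constructed-format log line; return None on malformed input."""
    fields = line.split()
    if len(fields) != 9:
        return None
    keys = ("ts", "src", "method", "dst", "host", "path", "status", "ctype", "size")
    return dict(zip(keys, fields))


def check(rec):
    """Return the list of reasons a parsed record is suspicious (empty if clean)."""
    reasons = []
    host = rec["host"].lower()
    if host in IOC_DOMAINS:
        reasons.append("IOC domain: " + rec["host"])
    try:
        if ipaddress.ip_address(rec["dst"]) in IOC_IPS:
            reasons.append("IOC IP: " + rec["dst"])
    except ValueError:
        pass  # destination field was not an IP literal; domain check still applies
    path = rec["path"].split("?", 1)[0]
    if rec["method"] == "POST" and host in IOC_DOMAINS and path in IOC_UPLOAD_PATHS:
        reasons.append("IOC upload URL: https://%s%s" % (rec["host"], path))
    if rec["method"] == "POST" and rec["ctype"].lower() in ZIP_TYPES:
        reasons.append("behavioural: ZIP archive POSTed to " + rec["host"])
    return reasons


def hunt(lines):
    """Run every log line through the checks; malformed lines are skipped."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = check(rec)
        if reasons:
            hits.append(Hit(n, rec["src"], reasons))
    return hits


# Constructed sample log: one benign request, one exfiltration to the reported
# infrastructure, one internal ZIP upload, one fetch of the reported payload
# name from the reported IP (path is constructed), and one unparseable line.
SAMPLE_LOG = """\
2026-03-30T09:12:01Z 10.0.0.15 GET 93.184.216.34 example.com / 200 text/html 1256
2026-03-30T09:14:37Z 10.0.0.15 POST 18.139.83.110 ws.ztts88.cyou /upload.php 200 application/zip 48213
2026-03-30T09:20:05Z 10.0.0.22 POST 10.0.5.9 files.corp.internal /api/v1/upload 201 application/zip 9021
2026-03-30T09:25:44Z 10.0.0.15 GET 18.139.83.110 18.139.83.110 /cg.exe 200 application/octet-stream 512000
garbage line that does not parse
""".splitlines()


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG):
        level = "HIGH" if h.high_confidence else "LOW"
        print("line %d src=%s [%s] %s" % (h.line_no, h.src_ip, level, "; ".join(h.reasons)))
```

The behavioural ZIP rule is deliberately kept separate from the indicator rules: on its own it will fire on legitimate uploads (line 3 in the sample), so it is only useful for triage, whereas any match on the reported domain, IP, or upload URL should be escalated directly.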
Groups observed using it
1 distinct threat actor attributed by public researchers.
Another alarming component of the group’s toolkit is a compiled Python utility called SilentRunLoader. This stealthy program is designed to gather sensitive browser data from local machines.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 3 techniques
In recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader.
Execution: 2 techniques
Stealth: 1 technique
Credential Access: 2 techniques
Discovery: 1 technique
Collection: 1 technique
Command and Control: 2 techniques
Atlas RAT ... connected to a command-and-control server at 206.238.115.58 over port 886... Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure.
These campaigns delivered credential phishing, fraud, and a newly identified malware called Atlas RAT. New loader families, designated RomulusLoader and SilentRunLoader, were also introduced to stage additional tools.
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A compiled Python malware utility that steals browser data from Google Chrome, including saved credentials, session cookies, and browsing history, archives the data, and uploads it to a remote server. The report suggests it may have been rapidly developed with LLM assistance.
A loader family introduced in TA4922 campaigns to stage additional tools.
SilentRunLoader is a Python-based malware/loader used in phishing campaigns that steals Chrome credentials and exfiltrates them to attacker-controlled infrastructure.
A Python-based loader and stealer that harvests Google Chrome stored credentials, cookies, and browsing information, and is also used for malware delivery and data exfiltration.