RomulusLoader
RomulusLoader is a malware loader family identified by Proofpoint and used by TA4922, a Chinese-speaking, likely financially motivated threat cluster. It was first observed in late March 2026, including campaigns targeting Japanese organizations with corporate- and human-resources-themed lures, and later in campaigns against organizations in Japan and Germany using business- and tax-themed lures. Delivery observed in the reporting included DLL side-loading and archives hosted on LimeWire. RomulusLoader is described as a unique loader written in C that downloads and executes additional payloads from command-and-control infrastructure. Reported execution techniques include shellcode injection, process hollowing, and direct execution. The reported technical details state that it side-loads a malicious companion library, maps malware into memory, injects code into legitimate processes such as svchost.exe and dllhost.exe, and can copy files into common system directories including C:\Program Files\Common Files for persistence. Proofpoint also described a custom PE loader, dynamic API resolution via PEB/TEB walking with ROR13 hashing, and RC4-encrypted embedded payloads. TA4922 used RomulusLoader to deploy legitimate remote monitoring and management tools including AnyDesk and SyncFuture, helping activity blend into normal network traffic. The malware has been reported masquerading as legitimate components such as the Vulkan Graphics API or AnyDesk-related utilities; filenames mentioned in the reporting include vulkan-1.dll and libcef.dll.
Infrastructure and indicators directly associated with the family in the reporting include the C2 IP 43.156.77.97 over TCP port 1234, overlapping first-stage infrastructure at 103.214.172.33, and the SHA-256 hashes a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295, 584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8, 66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d, 4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d, a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad, 40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5, 8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0, 3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d, 314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef, and 2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d.
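A defender's way to put the indicators above to work is to match them against the telemetry already collected: the C2 endpoint and first-stage host against connection logs, the SHA-256 values against a file-hash inventory, and the port-1234 guidance quoted in the Command and Control section as a lower-confidence heuristic for outbound traffic. The script below is an added example and is not code from Proofpoint or from the Mallory page; the indicator values are the ones listed on this page, while the log format, the log lines and the file inventory are constructed sample data, and the internal-network ranges are an assumption (RFC 1918) that should be adjusted to the local address plan.

```python
"""Match RomulusLoader indicators against connection logs and a file-hash inventory.

Indicator values come from the reporting summarised on this page; the log lines and
the file inventory below are constructed sample data, not captured telemetry.
"""
import ipaddress
import re
from dataclasses import dataclass

# Indicators from the page: C2 endpoint, first-stage host, and sample hashes.
ROMULUS_C2 = {("43.156.77.97", 1234)}
ROMULUS_FIRST_STAGE = {"103.214.172.33"}
ROMULUS_UNUSUAL_PORTS = {1234}  # port the reporting recommends flagging
ROMULUS_SHA256 = {
    "a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295",
    "584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8",
    "66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d",
    "4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d",
    "a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad",
    "40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5",
    "8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0",
    "3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d",
    "314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef",
    "2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d",
}

# Assumed internal ranges (RFC 1918); traffic to these is not "outbound" for the port heuristic.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed key=value log format: "<ts> src=<ip> dst=<ip|host> dport=<n> proto=<tcp|udp>".
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=(?P<proto>\w+)")


@dataclass
class Hit:
    line: str
    confidence: str  # "high" for exact IOC matches, "medium" for the port heuristic
    reason: str


def is_internal(dst: str) -> bool:
    """True for destinations inside INTERNAL_NETS; hostnames and non-IP strings count as external."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def parse_conn(line: str):
    """Return the connection fields of one log line, or None if the line does not match the format."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]), "proto": m["proto"].lower()}


def classify_connection(line: str):
    """Return a Hit for a connection that matches an indicator or the port heuristic, else None."""
    rec = parse_conn(line)
    if rec is None:
        return None
    if rec["proto"] == "tcp" and (rec["dst"], rec["dport"]) in ROMULUS_C2:
        return Hit(line, "high", f"known RomulusLoader C2 {rec['dst']}:{rec['dport']}")
    if rec["dst"] in ROMULUS_FIRST_STAGE:
        return Hit(line, "high", f"known first-stage host {rec['dst']}")
    if rec["dport"] in ROMULUS_UNUSUAL_PORTS and not is_internal(rec["dst"]):
        return Hit(line, "medium", f"outbound traffic on unusual port {rec['dport']}")
    return None


def match_hashes(inventory: dict) -> list:
    """inventory maps file path -> SHA-256 (any case); returns (path, hash) pairs for known samples."""
    return [(path, h.lower()) for path, h in inventory.items() if h.lower() in ROMULUS_SHA256]


def hunt(conn_lines, inventory) -> dict:
    """Run both checks and return the matching connections (in log order) and files."""
    conns = [hit for hit in map(classify_connection, conn_lines) if hit is not None]
    return {"connections": conns, "files": match_hashes(inventory)}


# Constructed sample telemetry (not real captures).
SAMPLE_LOG = [
    "2026-04-01T09:12:03Z src=10.0.0.5 dst=43.156.77.97 dport=1234 proto=tcp",
    "2026-04-01T09:12:41Z src=10.0.0.5 dst=103.214.172.33 dport=443 proto=tcp",
    "2026-04-01T09:15:10Z src=10.0.0.8 dst=203.0.113.10 dport=1234 proto=tcp",
    "2026-04-01T09:16:00Z src=10.0.0.7 dst=10.0.0.9 dport=1234 proto=tcp",
    "2026-04-01T09:17:22Z src=10.0.0.8 dst=198.51.100.20 dport=443 proto=tcp",
    "malformed line with no fields",
]
SAMPLE_INVENTORY = {
    r"C:\Program Files\Common Files\vulkan-1.dll":
        "A648DB354820EA4D02940CB1702B35974513B7AAE83F6DFFAACAAC4BA31F9295",
    r"C:\Windows\System32\kernel32.dll": "00" * 32,  # placeholder hash, not a real file hash
}

if __name__ == "__main__":
    report = hunt(SAMPLE_LOG, SAMPLE_INVENTORY)
    for hit in report["connections"]:
        print(f"[{hit.confidence}] {hit.reason}: {hit.line}")
    for path, digest in report["files"]:
        print(f"[high] known RomulusLoader sample {digest[:12]}... at {path}")
```

Exact matches on the C2 endpoint, the first-stage host or a listed hash are reported as high confidence; the port-1234 rule only fires for traffic leaving the internal ranges and is reported as medium confidence, since the port alone is not proof of this family. Hashes are lower-cased before comparison so inventories that report upper-case digests still match.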
Groups observed using it
1 distinct threat actor attributed by public researchers.
One standout tool in recent TA4922 malware campaigns is RomulusLoader, a unique utility written in C. This program downloads and executes subsequent payloads from command and control servers.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
In recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader.
Execution (1 technique)
Privilege Escalation (2 techniques)
Stealth (4 techniques)
To avoid detection, the loader masquerades as legitimate system components. For instance, analysts found variants mimicking the Vulkan Graphics API or AnyDesk software utilities.
It then injects its code into legitimate host processes like svchost.exe or dllhost.exe.
Command and Control (3 techniques)
Atlas RAT ... connected to a command-and-control server at 206.238.115.58 over port 886... Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure.
This program downloads and executes subsequent payloads from command and control servers.
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems, or legitimate remote monitoring and management (RMM) software, like AnyDesk. In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system.
IOCs tracked for this family
22 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
A loader written in C that downloads and executes follow-on payloads from C2 servers, masquerades as legitimate components such as Vulkan Graphics API or AnyDesk utilities, side-loads a malicious library, maps malware into memory, persists in system directories, and injects into legitimate processes like svchost.exe or dllhost.exe.
A loader family introduced in TA4922 campaigns to stage additional tools.
RomulusLoader is a loader used to deliver additional payloads and legitimate remote monitoring tools, with execution commonly staged from temporary folders and C2 traffic observed on unusual ports including port 1234.
A C-based loader used in phishing campaigns and later used to deploy additional tools such as AnyDesk and SyncFuture via DLL side-loading.