Biphoo.eu - Guest Posting Services


Chinese Cybercrime Group in Spotlight for Record Campaign Pace

Jun 27, 2026  Twila Rosenbaum

A Chinese-speaking cybercrime group tracked as TA4922 has been escalating its activities and expanding to new geographies, according to a recent report from cybersecurity firm Proofpoint. The group, which relies heavily on social engineering, has been continually updating its arsenal, distributing multiple malware families and engaging in credential phishing and fraud schemes such as credit card theft.

While some of TA4922's activities overlap with those of threat actors tracked as Silver Fox and Void Arachne, the group does not appear to engage in espionage, unlike those clusters. Proofpoint states that the campaigns attributed to TA4922 align more closely with cybercriminal objectives despite the actor's advanced tradecraft.

The cybersecurity firm has been tracking TA4922's malicious email campaigns for over a year and believes that its focus is to obtain remote access to victim organizations for data theft, access resale, fraud, and other financially motivated activities. Using HR, payroll tax, and invoicing themes, the hacking group attempts to lure victims into clicking on malicious links to download malicious payloads or unwittingly share their credentials.

Historical Targeting and Recent Expansion

Historically, the cybercrime gang has sent hundreds to a few thousand messages per campaign, tailored to specific regions or business functions, targeting organizations in Japan, Taiwan, Korea, Singapore, and India. Recently, the group also started targeting European organizations in the UK, Germany, and Italy, as well as entities in South Africa. This geographic expansion signals a strategic shift to diversify its victim pool and potentially evade detection by focusing on regions with different cybersecurity postures.

TA4922 was also seen launching credential-phishing and imposter campaigns, looking to shift communication from email to out-of-band channels, including messaging platforms such as LINE, WhatsApp, or Microsoft Teams. Once communication moves to those platforms, the actor is better positioned to extend social engineering, harvest contact information, or deliver malware beyond traditional email security visibility.

Malware Arsenal and Campaign Details

In March, the threat actor used HR lures in campaigns targeting organizations in Japan with the Atlas RAT backdoor and the RomulusLoader malware loader. In April, the group reused HR lures and previously observed infrastructure in Atlas RAT attacks against organizations in the UK and Germany, but switched to customer service communication lures in another campaign. Multiple April campaigns attributed to TA4922 relied on RomulusLoader to install legitimate Remote Monitoring and Management (RMM) tools, including AnyDesk and SyncFuture.

At the end of March, the group targeted UK organizations with the SilentRunLoader Python-based loader and stealer to exfiltrate credentials, cookies, and browsing information from Google Chrome. In April, SilentRunLoader was used in attacks against entities in Southeast Asia and the UK. According to Proofpoint, the cybercrime gang has also been observed using the ValleyRAT (Winos4.0) backdoor and other malware families in attacks.

The consistent innovation in malware delivery methods—from custom loaders to abusing legitimate RMM tools—highlights the group's ability to adapt to defensive measures. For instance, using legitimate software like AnyDesk allows the attackers to blend in with normal network traffic, making detection more challenging for security teams.

Operational Tempo and Threat Landscape

Proofpoint notes that TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in their threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives. While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance which could be used by or sold to espionage groups.

This record pace of campaigns suggests a well-resourced and organized operation. The group likely operates with multiple sub-teams handling different phases—from lure creation and phishing infrastructure to malware development and data exfiltration. The use of diverse malware families also indicates a modular approach, allowing them to swap tools based on target profiles or operational security requirements.

The targeting of HR and payroll functions is a common tactic among cybercriminal groups, as these departments often have access to sensitive personal and financial information. By impersonating internal communications, the attackers increase the likelihood of success. Furthermore, the shift to out-of-band channels like WhatsApp and Microsoft Teams represents a sophisticated evasion technique, as these platforms may not be monitored by corporate email security solutions.

Organizations in Asia have been the primary targets, but the expansion into Europe and Africa indicates that the group is seeking new opportunities. The UK, Germany, and Italy have robust economies and mature cybersecurity markets, but smaller businesses or subsidiaries may have less stringent defenses. South Africa, with its growing digital economy, is also becoming a more frequent target for cybercriminals globally.

The broader context of Chinese-speaking cybercrime groups often involves a mix of state-aligned and purely criminal actors. While TA4922 appears to be financially motivated, the lines between cybercrime and espionage can blur. For example, malware such as Atlas RAT and ValleyRAT provides extensive surveillance capabilities, including keylogging, screen capture, and file theft. Such capabilities could be valuable to nation-state actors, raising concerns about the potential secondary market for stolen data or access.

Proofpoint's analysis emphasizes that while TA4922 is not currently linked to espionage, the group's operational security and toolset are advanced enough to support such activities if needed. This dual-use nature of their malware underscores the challenges faced by defenders in attributing and prioritizing threats.

The detection and mitigation of TA4922 campaigns require a multi-layered approach. Organizations should implement robust email filtering, user education on phishing tactics, and monitoring for unusual outbound communications or remote access tool usage. Additionally, deploying endpoint detection and response (EDR) solutions can help identify the presence of loaders and backdoors before they establish persistence.
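As an added illustration of the "monitor for remote access tool usage" advice, and not code from the article or from Proofpoint, the following triage rule flags process-start events where an RMM binary named in the report (AnyDesk, SyncFuture) is launched by a script host or an unapproved parent, or runs from a user-writable path, which is the loader-installs-legitimate-RMM pattern described above. The executable names, the approved-parent allow-list and the sample events are constructed assumptions and would need tuning to a real environment.

```python
from dataclasses import dataclass

# RMM tools named on the page; the executable names are assumptions.
RMM_BINARIES = {"anydesk.exe", "syncfuture.exe"}

# Parents an IT-driven RMM rollout would normally use (assumed allow-list
# for a hypothetical environment; replace with your deployment tooling).
APPROVED_PARENTS = {"msiexec.exe", "intune_agent.exe"}

# Script hosts / interpreters a loader commonly runs under; an RMM tool
# spawned from one of these deserves a look.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

@dataclass
class ProcEvent:
    host: str
    image: str        # basename of the started executable
    parent: str       # basename of the parent process
    image_path: str   # full path the image was started from

def is_user_writable(path: str) -> bool:
    """Crude check for locations a loader can write to without admin rights."""
    p = path.lower().replace("/", "\\")
    return any(s in p for s in ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\public\\"))

def triage(event: ProcEvent) -> list[str]:
    """Return reasons this event looks like unapproved RMM deployment (empty = benign)."""
    reasons = []
    if event.image.lower() not in RMM_BINARIES:
        return reasons
    if event.parent.lower() in SCRIPT_HOSTS:
        reasons.append(f"RMM tool {event.image} spawned by script host {event.parent}")
    elif event.parent.lower() not in APPROVED_PARENTS:
        reasons.append(f"RMM tool {event.image} spawned by unapproved parent {event.parent}")
    if is_user_writable(event.image_path):
        reasons.append(f"RMM tool running from user-writable path {event.image_path}")
    return reasons

# Constructed sample events (not real telemetry): one loader-style install,
# one managed install, one user-downloaded install, one unrelated process.
SAMPLE_EVENTS = [
    ProcEvent("hr-ws-01", "AnyDesk.exe", "pythonw.exe", r"C:\Users\alice\AppData\Local\Temp\AnyDesk.exe"),
    ProcEvent("fin-ws-07", "anydesk.exe", "msiexec.exe", r"C:\Program Files (x86)\AnyDesk\anydesk.exe"),
    ProcEvent("hr-ws-02", "SyncFuture.exe", "explorer.exe", r"C:\Users\bob\Downloads\SyncFuture.exe"),
    ProcEvent("dev-ws-03", "python.exe", "cmd.exe", r"C:\Python311\python.exe"),
]

def run_triage(events=SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map host -> reasons for every event that fired; hosts with no hits are omitted."""
    return {e.host: r for e in events if (r := triage(e))}
```

Only the loader-spawned and user-downloaded installs fire; the msiexec-driven install in Program Files is treated as a sanctioned rollout.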

As the group continues to refine its lures and expand its geographic footprint, cybersecurity professionals must remain vigilant. The record pace of campaigns observed by Proofpoint is a clear indicator that TA4922 is a significant and growing threat to organizations worldwide.


Source: SecurityWeek News

