
TA4922, a Chinese cybercriminal group, has stepped up its malicious activity since 2025, refining its intrusion tradecraft and leaning heavily on malware. Its scams combine social engineering with custom tooling and are aimed at financial gain. The group's targeting is no longer limited to East Asia; it now reaches other continents as well.
Global Expansion: East Asia to Europe and Africa
Originally focused on Japan and nearby markets, TA4922's geographic targeting has widened dramatically. In 2026 the group routinely hit organizations in Europe and even Africa. Its localized “lure themes” (HR, payroll, tax forms, invoices) follow that targeting: each email is written in the victim's language and business context to avoid suspicion.
These campaigns are often small to medium in size and tailored to specific business sectors. Recent attacks in Germany impersonated Munich tax officials, while UK-focused emails posed as HMRC tax filings or benefit notices. By aligning with normal corporate processes, TA4922 significantly improves the chance that employees will open attachments or click links. The group even shifts victims to messaging apps like LINE, WhatsApp or Teams for “out-of-band” chats, a ploy that evades typical email filters and deepens the social engineering before the malware is dropped.
Advanced Malware Arsenal: Atlas RAT, Loaders, Stealers
TA4922 has greatly expanded its toolkit. In early 2026, researchers identified several new custom malware families alongside variants of older Chinese tools. Key payloads include:
- Atlas RAT: A fully-featured remote-access Trojan. It runs in multiple stages and supports plugins. Once installed via DLL sideloading, Atlas RAT can perform reconnaissance, exfiltrate files, download more malware, log keystrokes, capture screenshots/audio/video, and even reboot or shutdown the system. Its loader contains multiple anti-sandbox checks and uses encrypted shellcode routines, making it stealthy.
- RomulusLoader: A custom loader written in C that stages additional payloads. It’s delivered by tricking victims into running a legitimate executable alongside a malicious DLL. RomulusLoader then downloads further tools by injecting into other processes. In the recent campaigns, RomulusLoader was used specifically to drop legitimate remote-management software (AnyDesk or the Chinese SyncFuture RMM) onto victim systems. This allows the attacker to “hide in plain sight,” since these RMM tools are normally used for IT support.
- SilentRunLoader: A new Python-based stealer/loader. It arrives via links to MediaFire-hosted executables. When run, it silently downloads a secondary payload, then grabs stored Google Chrome data and sends it to attacker servers. It also has anti-detection tactics. Remarkably, code evidence suggests the authors may have used AI tools (LLMs) to build SilentRunLoader quickly.
- ValleyRAT (Winos4.0): An older Chinese RAT that TA4922 has reused. It provides basic remote control and data theft. TA4922 combines both new tools and these legacy RATs, giving them a diverse arsenal.
Together these tools let TA4922 pursue several goals within a single campaign. One message may first harvest corporate login credentials, after which the group drops Atlas RAT to gain persistent access and runs a stealer such as SilentRunLoader to collect data from the infected machine.
Localized Social Engineering Lures
A core part of TA4922’s success is its highly contextual social engineering. Every lure is localized to the victim’s country and corporate function. Common themes include:
- Human Resources/Payroll (Salary adjustments, benefit enrollment, staff changes).
- Accounting/Tax (Tax audit notifications, VAT filings, invoice statements).
- Corporate Policies/Compliance (Regulatory updates, security audits, universal benefit claims).
- Fraud and Benefits (Pension or benefits notifications with malicious attachments).
The phishing emails are designed to look like genuine company correspondence and often include company logos and internal jargon. One such attack in April 2026 on a German business used an email about a “payroll adjustment,” urging recipients to download an attached zip file. The message seemed authentic, but the archive held an executable together with the malicious DLL used to deliver Atlas RAT.
TA4922 relies on familiar business procedures rather than falling back on generic “spray-and-pray” mailings. Messages are worded to reflect real business practices and are often translated into the local language.
This approach improves click-through rates. Once initial contact has been made by email, TA4922 frequently persuades the victim to continue the conversation in an encrypted chat channel, moving it beyond the reach of email scanning systems.
Legitimate Tools and Infrastructure Abuse
TA4922 also blends its malicious code with legitimate applications and services in order to remain undetected. For the initial stage of infection it relies on public file-hosting services: the group's emails often link to archives hosted on GoFile, LimeWire, MediaFire and many other cloud hosts, so the download itself comes from a reputable source.
Once the victim opens the archive, TA4922 makes extensive use of DLL sideloading. The archive contains a legitimate executable together with a malicious DLL named after a library that executable expects to load, so simply launching the program loads the attacker's code.
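One way a defender can hunt for the sideloading pattern described above is to inspect Sysmon Event ID 7 (ImageLoaded) telemetry. The script below is an added example, not part of the original report; its event records are constructed, and only the two file names are taken from this page's IOC list.

```python
"""Flag likely DLL sideloading in Sysmon Event ID 7 (ImageLoaded) records.
Added example, not part of the original report. Heuristic: a process running from
a user-writable folder loads a DLL from its own directory, and that DLL has no valid
Authenticode signature. EVENTS is constructed: the two file names come from this
page's IOC list; paths, the user name and the other events are made up."""
from pathlib import PureWindowsPath

USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

EVENTS = [
    {  # constructed: downloaded exe loads an unsigned DLL from its own folder
        "Image": r"C:\Users\anna\Downloads\Alles in dem schuppen\Alles in dem schuppen.exe",
        "ImageLoaded": r"C:\Users\anna\Downloads\Alles in dem schuppen\teamspeak_control.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
    {  # constructed: same exe loads a signed OS DLL from System32 (benign)
        "Image": r"C:\Users\anna\Downloads\Alles in dem schuppen\Alles in dem schuppen.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "Signed": "true", "SignatureStatus": "Valid",
    },
    {  # constructed: installed app loads its own unsigned plugin (not user-writable)
        "Image": r"C:\Program Files\VendorApp\vendorapp.exe",
        "ImageLoaded": r"C:\Program Files\VendorApp\plugin.dll",
        "Signed": "false", "SignatureStatus": "Unavailable",
    },
]

def is_user_writable(path: str) -> bool:
    """Coarse check: does the path sit under a location a standard user can write to?"""
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE_MARKERS)

def is_suspect_sideload(event: dict) -> bool:
    """DLL beside the process image, in a user-writable directory, without a valid signature."""
    image_dir = str(PureWindowsPath(event["Image"]).parent).lower()
    dll_dir = str(PureWindowsPath(event["ImageLoaded"]).parent).lower()
    if image_dir != dll_dir or not is_user_writable(dll_dir):
        return False
    return event.get("Signed", "false").lower() != "true" or event.get("SignatureStatus") != "Valid"

def find_sideloads(events: list[dict]) -> list[str]:
    """Return the loaded-DLL path for every suspect event."""
    return [e["ImageLoaded"] for e in events if is_suspect_sideload(e)]

if __name__ == "__main__":
    for hit in find_sideloads(EVENTS):
        print("possible DLL sideload:", hit)
```

Legitimate applications installed under a user profile (for example into AppData) will also trigger this rule, so treat hits as hunting leads and allow-list known installers rather than alerting blindly.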
Beyond delivering malicious files, TA4922 also abuses legitimate software after compromising a system. The RomulusLoader campaigns illustrate this: the attackers install remote-management software such as AnyDesk or SyncFuture (another Chinese RMM product) under the guise of genuine administration tooling.
TA4922 also uses fraudulent login portals as a further attack method. In an attack on German users, the group set up a fake tax-authority portal and invited victims to click a “Download report” button. To make the page more convincing, it used CAPTCHAs and a registration step.
AI-Assisted Malware Development
One of the latest trends in TA4922's tooling is the use of LLMs to accelerate malware development. Researchers found specific clues in the group's recent Python-based loaders: a static API-key field still holding the value "your_secret_key_here", a placeholder a human developer would most likely have replaced; explanatory code comments; and numerous unused functions, all typical of AI-generated code. Based on these characteristics, researchers have concluded with certainty that TA4922 uses AI to rapidly create new malware strains.
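The two code traits described above (placeholder secrets left in place and dead functions) can be checked mechanically during sample triage. The script below is an added example, not part of the original report; its SAMPLE_SOURCE is a constructed stand-in rather than SilentRunLoader, and only the literal "your_secret_key_here" comes from the page.

```python
"""Triage a Python sample for traits the report links to LLM-generated code:
placeholder secrets left in place and functions that are defined but never called.
Added example, not from the original report. SAMPLE_SOURCE is a constructed
stand-in, not SilentRunLoader; only the literal "your_secret_key_here" is from the page."""
import ast
import re

# Common placeholder spellings a developer would normally replace before shipping.
PLACEHOLDER_RE = re.compile(r"(your_|<your|replace_?me|change_?me|todo|xxx+)", re.IGNORECASE)

SAMPLE_SOURCE = '''
API_KEY = "your_secret_key_here"

def fetch_payload(url):
    return url  # constructed stand-in, performs no network activity

def unused_helper(x):
    return x * 2

def main():
    return fetch_payload("https://example.invalid/stage2"), API_KEY

main()
'''

def placeholder_secrets(tree: ast.AST) -> list[str]:
    """String constants assigned directly to a name that look like placeholder credentials."""
    hits = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Assign) and isinstance(node.value, ast.Constant):
            value = node.value.value
            if isinstance(value, str) and PLACEHOLDER_RE.search(value):
                hits.append(value)
    return hits

def unused_functions(tree: ast.AST) -> list[str]:
    """Function names never referenced as a bare name anywhere in the module (simple heuristic)."""
    defined = {n.name for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)}
    referenced = {n.id for n in ast.walk(tree) if isinstance(n, ast.Name)}
    return sorted(defined - referenced)

def triage(source: str) -> dict:
    """Parse the sample and report both indicators."""
    tree = ast.parse(source)
    return {"placeholders": placeholder_secrets(tree), "unused_functions": unused_functions(tree)}

if __name__ == "__main__":
    print(triage(SAMPLE_SOURCE))
```

Neither indicator proves AI authorship on its own; they are supporting evidence to record alongside the usual static and dynamic analysis.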
Such tooling likely lets the attackers produce new malware families quickly, and that is what is being observed: TA4922 develops entirely new strains within a few weeks. That pace is hard to reach without automation, and the result is malware sophisticated enough to rival tooling developed by state-sponsored groups, even though the group's goals remain criminal.
TA4922 is therefore more than a fast-moving threat. It runs large-scale phishing campaigns that combine multiple malware families with legitimate tools, and its recent expansion from East Asia into Europe and Africa makes its activity more dangerous still.
Case Study: Xcitium vs. TA4922 Campaign
This demonstration highlights how Xcitium protects endpoints against malware associated with TA4922, a threat group known for delivering loaders, remote access trojans (RATs), and information-stealing malware through large-scale phishing campaigns.
The sample executed in this test represents the type of malware used to establish persistence, communicate with attacker-controlled infrastructure, and deploy additional payloads onto compromised systems.
Rather than relying on signatures, threat intelligence feeds, or reputation-based detection, Xcitium’s ZeroDwell technology automatically classifies the unknown file as untrusted and runs it within an isolated environment from the moment it is launched.
As the malware attempts to create processes, modify the system, and initiate network communications, all activity remains confined within isolation and is prevented from interacting with the host operating system.
The result is complete protection against both known and previously unseen threats, ensuring that persistence mechanisms, payload delivery attempts, and attacker communications cannot compromise the endpoint.
By eliminating the risk posed by unknown files at execution time, Xcitium keeps systems secure, operational, and uncompromised throughout the attack lifecycle.
MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs)
Campaign Attack Lifecycle (TTPs)
Indicators of Compromise (IOCs)
SHA256 Hashes
- 314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef (RomulusLoader / SyncFuture ZIP archive; filename: Alles in dem schuppen.zip)
- 2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d (RomulusLoader / SyncFuture executable; filename: Alles in dem schuppen.exe)
- 0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8 (RomulusLoader DLL; filename: teamspeak_control.dll)
- e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c (SilentRunLoader executable)
- de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2 (SilentRunLoader ZIP archive)
- 9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73 (SilentRunLoader executable)
Domains
ws.ztts88.cyou
URLs
https://ws.ztts88.cyou/file/cg.exe
https://ws.ztts88.cyou/upload.php
IP Addresses
206.238.115.58
154.211.86.110
18.139.83.110
103.214.172.33
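The indicators above are most useful when run against local telemetry. The script below is an added example, not part of the original report: the indicator values are the ones listed in this IOC section, while the proxy log lines and the file-hash inventory are constructed for illustration.

```python
"""Hunt for this page's TA4922 indicators in proxy logs and a file-hash inventory.
Added example, not part of the original report: indicator values come from the
IOC section above; log lines and inventory are constructed for illustration."""
from urllib.parse import urlparse

SHA256_IOCS = {
    "314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef": "RomulusLoader/SyncFuture ZIP",
    "0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8": "RomulusLoader DLL",
    "e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c": "SilentRunLoader EXE",
}
DOMAIN_IOCS = {"ws.ztts88.cyou"}
IP_IOCS = {"206.238.115.58", "154.211.86.110", "18.139.83.110", "103.214.172.33"}
URL_IOCS = {"https://ws.ztts88.cyou/file/cg.exe", "https://ws.ztts88.cyou/upload.php"}

# Constructed proxy log, one request per line: epoch client_ip method url status destination_ip
PROXY_LOG = """\
1714000000.001 10.0.0.12 GET https://www.example.com/ 200 93.184.216.34
1714000001.002 10.0.0.12 GET https://ws.ztts88.cyou/file/cg.exe 200 154.211.86.110
1714000002.003 10.0.0.12 POST https://ws.ztts88.cyou/upload.php 200 154.211.86.110
1714000003.004 10.0.0.15 GET https://18.139.83.110/ 200 18.139.83.110
"""
# Constructed endpoint inventory, path -> SHA256 (the all-zero hash is a benign stand-in)
INVENTORY = {
    r"C:\Users\anna\Downloads\teamspeak_control.dll": "0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8",
    r"C:\Windows\System32\notepad.exe": "0" * 64,
}

def scan_proxy(log: str) -> list[tuple[str, str, str]]:
    """Return (client, url, reason) for every line touching a listed URL, domain or IP."""
    hits = []
    for line in log.splitlines():
        _, client, _, url, _, dst_ip = line.split()
        host = (urlparse(url).hostname or "").lower()
        if url in URL_IOCS:
            hits.append((client, url, "url"))
        elif host in DOMAIN_IOCS:
            hits.append((client, url, "domain"))
        elif host in IP_IOCS or dst_ip in IP_IOCS:
            hits.append((client, url, "ip"))
    return hits

def scan_inventory(inventory: dict[str, str]) -> dict[str, str]:
    """Return path -> IOC label for files whose SHA256 matches a listed sample."""
    return {p: SHA256_IOCS[h.lower()] for p, h in inventory.items() if h.lower() in SHA256_IOCS}

if __name__ == "__main__":
    for hit in scan_proxy(PROXY_LOG):
        print("network IOC hit:", hit)
    for path, label in scan_inventory(INVENTORY).items():
        print("file IOC hit:", path, "->", label)
```

A hit on /upload.php is worth prioritising, since the report describes that endpoint as the destination for stolen browser data rather than a download location.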
Malware Families
- Atlas RAT
- RomulusLoader
- SilentRunLoader
- ValleyRAT (Winos4.0)
Legitimate Services Abused
- GoFile
- MediaFire
- LimeWire
- AnyDesk
- SyncFuture
Common Lure Themes
- Human resources notifications
- Salary adjustment notices
- Payroll-related documents
- VAT filing requests
- Tax compliance communications
- Benefits enrollment messages
- Invoice-related correspondence
- Business document review requests
Observed Payload Components
- Atlas RAT
- Browser credential theft modules
- Chrome cookie stealers
- Screenshot capture functionality
- Audio recording capability
- Remote access software deployment
- DLL side-loading mechanisms
- Sandbox and virtualization detection routines
TA4922 SHA-1 Samples & Zero-Dwell Threat Intelligence Reports
Conclusion: Localized Phishing Has Become Global Intrusion
TA4922 shows how quickly a regional cybercrime group can evolve into a global threat. What began as localized phishing across East Asia has expanded into Europe and Africa, with country-specific lures, business-themed messages, and malware built to blend into normal corporate workflows. The emails look local. The tools look legitimate. The outcome is global compromise.
This is not generic phishing anymore. It is targeted social engineering paired with modern malware delivery.
Why This Threat Works So Well
TA4922 succeeds because it exploits the exact routines employees already trust.
- Payroll, tax, HR, and invoice themes match real business processes
- Local language and regional context reduce suspicion
- Cloud file hosts make downloads appear familiar
- Messaging apps move victims outside email security controls
- DLL sideloading hides malware behind legitimate executables
- Remote management tools like AnyDesk help attackers blend into IT activity
Once the victim runs the file, the campaign shifts from deception to control.
Where Xcitium Changes the Outcome
For organizations using Xcitium Advanced EDR, this attack would not succeed.
- Unknown payloads are isolated the moment they execute
- DLL sideloading attempts cannot freely load malicious components
- Atlas RAT, loaders, and stealers lose the ability to touch real systems
- Code can run without being able to cause damage
- Credential theft, persistence, and remote-control activity are stopped before impact
Even when TA4922 uses trusted business themes and legitimate-looking tools, the attack fails because the malware never gains the freedom it needs to operate.
Stop Social Engineering Before It Becomes System Control
TA4922 proves that cybercrime is becoming more localized, more automated, and more convincing. Training users matters, but prevention must also stop execution when deception succeeds.
Protect users from localized phishing.
Stop malware at the moment it runs.
Choose Xcitium Advanced EDR, powered by the patented Zero-Dwell platform.