A Chinese Cybercrime Crew Just Went Global: TA4922 Hits the UK, Germany and Beyond

TA4922, a financially motivated Chinese-speaking hacking group, has expanded from East Asia to the UK, Germany and beyond using Atlas RAT. Inside the campaign.
A hacking group that spent years preying on companies in East Asia has suddenly turned west. Security firm Proofpoint reports that TA4922, a Chinese-speaking and financially motivated cybercrime crew, has expanded its attacks to the United Kingdom, Germany, Italy and South Africa, signalling that a once-regional threat is now a global one.
Who TA4922 is
Proofpoint describes TA4922 as a Chinese-speaking actor that historically targeted Japan, Taiwan, South Korea, Singapore and India. Its tradecraft overlaps with a group known as Silver Fox, but TA4922 is focused on money rather than espionage: stealing data, committing fraud, reselling access, and keeping a persistent foothold in victim networks. That financial motive is exactly why its move into wealthy Western markets matters.
How the attacks work
The group leans on convincing, localised phishing. Its lures impersonate payroll notices, tax audits, VAT filings, government compliance notices, invoices and human-resources communications: the kind of email an employee feels obliged to open. In April 2026, TA4922 used HR-themed lures against organisations in the UK and Germany to deliver Atlas RAT through DLL side-loading, in which a legitimate, typically signed executable is shipped alongside a malicious DLL that it loads in place of the system library of the same name, so the payload runs under a trusted process. In the same period it used tax and business themes against firms in Japan and Germany to drop a tool called RomulusLoader.
A notable tactic is the move off email. The attackers try to shift conversations to channels like LINE, WhatsApp and Microsoft Teams, where enterprise security tools have less visibility, making it easier to deliver malware or extract data unseen.
The malware arsenal
TA4922's toolkit mixes known and new tools:
- Atlas RAT (also called AtlasCross RAT), a remote-access trojan that can perform system reconnaissance, transfer files, log keystrokes, capture screenshots, access the webcam and record audio.
- ValleyRAT (also known as Winos 4.0), an established remote-access trojan.
- RomulusLoader and SilentRunLoader, previously undocumented tools. SilentRunLoader is a Python-based loader and stealer built to harvest credentials, cookies and browsing data from Google Chrome and send them to attacker-controlled servers.
What it means for Western businesses
For companies in the UK, Europe and beyond, TA4922's arrival is a reminder that geography is no longer protection. The defences are familiar but effective: be sceptical of unexpected payroll, tax or HR emails; treat requests to move a work conversation onto WhatsApp, LINE or Teams as a red flag; and ensure security teams can detect DLL side-loading (a trusted executable loading a system-named DLL from a user-writable location such as a temp or download folder) and browser credential theft (a process other than the browser reading its saved-login and cookie databases). A financially driven group that has just proven it can localise its attacks for new countries rarely stops at four.
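As an added illustration, and not code from Proofpoint or from the article, here are the two detection checks above written as rules over a few constructed endpoint events: one for DLL side-loading of the kind used to deliver Atlas RAT, one for a non-browser process reading Chrome's credential and cookie databases as SilentRunLoader is described doing. The event field names, the list of user-writable directories and the small stand-in for a System32 directory listing are assumptions of this example; the Chrome profile paths are the browser's real locations, and no DLL name used here is claimed to be a TA4922 indicator.

```python
"""Two constructed detections for the tradecraft described above: DLL
side-loading into a trusted executable, and theft of Chrome credentials and
cookies. Runs over constructed endpoint events whose shape is modelled on
Sysmon image-load and EDR file-access telemetry (field names are an
assumption of this example, not any vendor's schema)."""
import ntpath
import re

# Stand-in for a System32 directory listing. These are genuine Windows DLL
# names, but the set is constructed for this example; build it from a live
# host in practice. It is not an indicator list for TA4922.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll", "userenv.dll"}

# Locations a standard user can write to (assumption used by this example).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\("
    r"users\\[^\\]+\\(appdata|downloads|desktop|documents)\\"
    r"|windows\\temp\\"
    r"|programdata\\"
    r")",
    re.IGNORECASE,
)

# Chrome profile databases a stealer reads. Directory and file names are the
# real Chrome locations; the process allow-list is an assumption.
CHROME_PROFILE = re.compile(r"\\google\\chrome\\user data\\", re.IGNORECASE)
CHROME_DBS = {"login data", "cookies", "web data", "history"}
BROWSER_PROCESSES = {"chrome.exe"}


def detect_sideload(ev):
    """ImageLoad: a DLL carrying a system DLL's name is loaded from a
    user-writable directory, sitting next to the executable that loaded it."""
    if ev.get("event") != "ImageLoad":
        return None
    exe, dll = ev["image"], ev["loaded"]
    if ntpath.basename(dll).lower() not in SYSTEM_DLLS:
        return None
    dll_dir = ntpath.dirname(dll)
    if not USER_WRITABLE.match(dll_dir + "\\"):
        return None  # loaded from System32 or Program Files: expected
    if ntpath.dirname(exe).lower() != dll_dir.lower():
        return None  # not the side-by-side placement side-loading relies on
    return {
        "rule": "dll_sideload",
        "process": exe,
        "dll": dll,
        "host": "signed host binary" if ev.get("signed") else "unsigned host binary",
    }


def detect_browser_theft(ev):
    """FileRead: a process other than Chrome itself opens a Chrome profile
    database holding saved logins, cookies or browsing history."""
    if ev.get("event") != "FileRead":
        return None
    target = ev["target"]
    if not CHROME_PROFILE.search(target):
        return None
    if ntpath.basename(target).lower() not in CHROME_DBS:
        return None
    if ntpath.basename(ev["image"]).lower() in BROWSER_PROCESSES:
        return None  # the browser reading its own profile is normal
    return {"rule": "browser_credential_access", "process": ev["image"], "file": target}


def scan(events):
    """Run both rules over an event list and return the findings in order."""
    findings = []
    for ev in events:
        for rule in (detect_sideload, detect_browser_theft):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry: two benign events and two that should fire.
SAMPLE_EVENTS = [
    {"event": "ImageLoad", "image": r"C:\Windows\System32\notepad.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"event": "ImageLoad", "image": r"C:\Users\alice\AppData\Local\Temp\HR_Update\viewer.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\HR_Update\version.dll", "signed": True},
    {"event": "FileRead", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "FileRead", "image": r"C:\Users\alice\AppData\Local\Temp\python.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the script prints two findings: the side-loaded `version.dll` beside `viewer.exe` in the user's temp folder, and the non-browser process opening `Login Data`. The side-loading rule deliberately ignores the same DLL name loaded from System32, which is the benign case, and the browser rule ignores Chrome reading its own profile; both rules stay silent on the benign events so they can run on real telemetry without drowning analysts in noise. In production the baseline of system DLL names must come from a real host, and the user-writable list should be extended to whatever paths your environment allows standard users to write to.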