Chinese Hackers Deploy Atlas RAT Malware Across European Networks

A Chinese-speaking cybercrime group, TA4922, is hitting Germany, the UK and Italy with new Atlas RAT malware that researchers believe is being built with AI.
A Chinese-speaking cybercrime group is running one of the most active malware operations on the internet right now, and it has turned its attention to Europe. The group, tracked by the security firm Proofpoint as TA4922, has begun deploying a new full-featured remote access trojan called Atlas RAT against organisations in Germany, Italy, the United Kingdom and South Africa, after years of focusing on East Asia. What makes the campaign stand out is not just its speed, but the strong evidence that the attackers are using AI to build their malware faster than defenders can catalogue it.
Who is TA4922?
TA4922 is financially motivated, not a state espionage outfit, though that line is thinner than it sounds. Proofpoint assesses the group as a Chinese-speaking criminal operation whose goals are fraud, data theft and selling access to compromised networks, with code overlaps to activity tracked as Silver Fox and Void Arachne. The catch is that Proofpoint warns the group's tools include "potential for surveillance which could be used by or sold to espionage groups." In other words, a crime group with spy-grade capabilities for hire.
By Proofpoint's count, TA4922 now runs more unique campaigns than any other cybercriminal threat actor it tracks. Its historic targets sit across Asia, most often Japan, along with Taiwan, Korea, Singapore, India, Malaysia and Indonesia. Since March 2026 the tempo has surged, and in April the group pushed into Europe and South Africa.
Inside Atlas RAT
Atlas RAT is a modular backdoor built for total control of an infected Windows machine. Its plugin architecture lets the operators load capabilities on demand, including:
- System reconnaissance and information gathering
- File management and data exfiltration
- Keylogging, clipboard capture and screenshots
- Webcam and microphone surveillance
- Process and window enumeration, and remote shutdown or reboot
It is delivered through DLL sideloading, where a legitimate, signed executable is tricked into loading a malicious library, and it is unusually careful about avoiding analysis. Atlas RAT checks for the sandbox account that Windows Defender Application Guard uses, looks for the "CExecSvc" service that signals a container, hunts for virtual-machine fingerprints such as the "mshome" network suffix, confirms the host's Windows is genuinely activated, and uses direct system calls to slip past security tools. Its command-and-control traffic is encrypted with the ChaCha cipher and opens with an unusual hard-coded check-in string.
The arsenal: more than one tool
Atlas RAT is only one part of a fast-growing toolkit. Proofpoint has documented several custom components working together:
| Malware | Type | What it does |
|---|---|---|
| Atlas RAT | Backdoor | Full remote control, surveillance, modular plugins |
| RomulusLoader | Loader | C-based; process hollowing and injection into svchost.exe / dllhost.exe; delivers later payloads |
| SilentRunLoader | Stealer | Python-based; steals Chrome credentials, cookies and history |
| Winos4.0 / ValleyRAT | C2 framework | Modular remote access, webcam and mic, keylogging, even DDoS |
The group also abuses legitimate software to blend in. It has deployed the remote-management tools AnyDesk and SyncFuture, a remote-monitoring product popular in China, to keep hands-on access, mixing genuine admin tools with its own malware to frustrate detection.
How the attack works
The infection chain is consistent across campaigns:
- A targeted phishing email points to a file on a legitimate sharing service such as GoFile, LimeWire or MediaFire.
- The download is a ZIP or RAR archive containing a clean, signed executable alongside a malicious DLL.
- Running the executable sideloads the DLL, which decrypts and maps shellcode into memory.
- A first-stage payload runs, checks in with the command server, and pulls down the next stage, often Atlas RAT itself.
The lures are local, then the conversation moves
TA4922's phishing is precise. Proofpoint notes the group "rarely mistakenly distributes campaigns," using region-appropriate language and themes built around money and authority: HR notices, salary adjustments, payroll and expense paperwork, tax-authority communications such as VAT filings and audits, and invoices. After the initial contact, the attackers frequently try to move the target off email and onto a messaging app, impersonating a trusted contact or authority and continuing the lure over LINE, WhatsApp or Microsoft Teams.
Case studies: six campaigns in five weeks
Proofpoint documented a rapid series of distinct operations in March and April 2026 that show both the group's range and its European pivot:
- 6 March 2026, Japan: an Atlas RAT campaign using a "Notice of salary adjustment" HR lure, with the payload hosted on GoFile.
- 2 April 2026, UK and Germany: Atlas RAT delivered through archives named "Paperwork.zip" and "HR (2).zip", the group's clearest move into Europe.
- 7 April 2026: an invoice-themed Atlas RAT campaign delivered via a compressed disk-image attachment, reusing the same command server as the early-April European wave.
- 23 March 2026, Japan: a RomulusLoader campaign using corporate-document lures hosted on LimeWire.
- 30 March 2026, UK: a SilentRunLoader campaign themed around VAT and payroll tax, hosted on MediaFire, stealing browser data to an attacker-run server.
- 16 April 2026, Germany: a RomulusLoader operation spoofing a "Munich tax authority audit" to lend the lure local credibility.
The pattern is deliberate: tax and payroll themes that a finance or HR employee opens without a second thought, tied tightly to the specific country being hit.
The AI angle: malware at machine speed
The most consequential finding is how TA4922 appears to be building its tools. Proofpoint assesses with high confidence that the group is likely using large language models to rapidly develop new Python-based malware. The evidence is exactly the kind of thing an AI assistant leaves behind: tell-tale code comments, hard-coded constants left unchanged, and a forgotten placeholder API key reading "your_secret_key_here" sitting inside shipped malware. Combined with the sheer rate at which TA4922 rolls out new tools, it paints a picture of a criminal group using AI to compress malware development from weeks into days, a preview of where cybercrime is heading.
Why it matters beyond Europe
Although the headline is Europe, TA4922's core targeting still spans Asia, and India sits on its established target list alongside Japan, Taiwan, Korea, Singapore, Malaysia and Indonesia. The campaigns are small to medium in size, a few hundred to a few thousand recipients each, which is precisely what makes them dangerous. They are tailored enough to slip past both the recipient and broad email filters. The defining lesson is the blend of real tools, custom malware, cloud hosting and messaging-app social engineering, which makes any single signature-based defence almost useless.
Frequently Asked Questions
Who is behind Atlas RAT?
A Chinese-speaking, financially motivated cybercrime group that Proofpoint tracks as TA4922. It is assessed as criminal rather than state-run, though its surveillance tools could be sold to espionage groups.
Who is being targeted?
Historically organisations across Asia, most often Japan, plus Taiwan, Korea, Singapore, India, Malaysia and Indonesia. Since April 2026 the group has expanded to the UK, Germany, Italy and South Africa.
What makes this campaign notable?
Its speed and its apparent use of AI. Proofpoint believes the group is using large language models to build new malware rapidly, and it now runs more unique campaigns than any other cybercriminal actor the firm tracks.