TA4922
TA4922 is a financially motivated, Chinese-speaking cybercrime threat actor tracked by Proofpoint since spring 2025. Proofpoint describes the group as China-linked or suspected China-aligned, likely based in East Asia, and distinct from espionage clusters despite overlaps in tooling, infrastructure, and social engineering with Silver Fox and Void Arachne. TA4922’s objective is to obtain remote access for monetization, including fraud, data theft, access brokering or resale, and persistence.

The actor initially focused on Japan and other East Asian targets, including Taiwan, South Korea, Singapore, Malaysia, Indonesia, and India, and later expanded to the United Kingdom, Germany, Italy, and South Africa, with broader references to Europe and Southeast Asia. Proofpoint reported a sharp increase in TA4922 activity in March and April 2026 and assessed that it conducts more unique campaigns than any other cybercrime actor in its dataset.

TA4922 relies heavily on localized social engineering. It uses phishing lures tailored to local languages and business processes, commonly themed around tax authorities, payroll, salary adjustments, HR notices, benefits, compliance, invoices, and business communications. The group commonly impersonates finance departments, HR teams, tax agencies, and victims’ colleagues, uses thousands of disposable sender accounts, and often attempts to move conversations from email to out-of-band channels including WhatsApp, Microsoft Teams, and LINE.

Observed delivery and execution techniques include malicious links hosted on cloud or file-sharing services, archive attachments, direct executables, credential-phishing pages, DLL sideloading, and abuse of legitimate remote monitoring and management (RMM) tools. TA4922 has used AnyDesk and SyncFuture after initial compromise. Its malware arsenal includes ValleyRAT (Winos4.0), Atlas RAT, RomulusLoader, and SilentRunLoader.
ValleyRAT/Winos4.0 provides full remote access capabilities, and Proofpoint observed newer variants in TA4922 activity. Atlas RAT is a modular backdoor with capabilities including system reconnaissance, file theft, plugin and payload download, keylogging, screenshot capture, audio and webcam recording, clipboard capture, remote command execution, and system shutdown or reboot; it also includes anti-analysis and anti-sandbox checks. RomulusLoader is a loader used to deploy additional payloads and legitimate RMM software, including AnyDesk and SyncFuture, and has been observed using DLL sideloading, process hollowing, shellcode injection, and download-and-execute functionality. SilentRunLoader is a Python-based loader and stealer that targets Google Chrome data, including stored credentials, cookies, and browsing information.

Proofpoint also reported TA4922 activity in tax-themed campaigns, including impersonation of tax authorities and multi-stage social engineering designed to move victims out of email before delivering malware or remote access tooling. While Proofpoint assesses TA4922 as cybercrime-focused rather than espionage-focused, it noted that some of the malware used by the actor has surveillance-capable functionality and overlaps with the Silver Fox ecosystem.

Related names appearing in reporting include ValleyRAT/Winos4.0 and Atlas RAT/AtlasCross RAT for the associated malware, along with ecosystem overlap with Silver Fox and Void Arachne.
Targeting
Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.
Where they target
Geographies tied to known operations.
- 🇯🇵 Japan
- 🇬🇧 United Kingdom
- 🇩🇪 Germany
- 🇿🇦 South Africa
Tradecraft
39 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
5 malware families attributed to this actor across reporting.
Observables
27 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
8 sources tracked across advisories, community write-ups, and news.
Financially motivated cybercrime actor conducting high-volume malware delivery campaigns for data theft, fraud, and persistent access. It uses localized HR-, tax-, and payroll-themed phishing lures, rapidly develops new Python-based malware, and has expanded operations from East Asia into Europe and South Africa.
China-linked, Chinese-speaking threat actor assessed as primarily financially motivated, conducting phishing campaigns to gain remote access for data theft, fraud, access resale, or persistent access. The group has expanded from largely targeting East Asia to also targeting European organizations and uses evolving malware delivery campaigns.
A Chinese cybercrime cluster conducting broad global phishing and intrusion campaigns. It targets organizations across East Asia, Europe, and South Africa using localized finance- and business-themed lures, credential phishing, malware delivery, and remote access tooling.
Financially motivated cybercrime campaigns using phishing, credential theft, fraud attempts, remote access malware, loaders, browser-data theft, and legitimate remote management tools to maintain access.