Atlas RAT
Atlas RAT is a recently identified modular remote access trojan/backdoor used by TA4922, a Chinese-speaking and likely financially motivated threat actor that has targeted organizations primarily in Japan and more recently in the United Kingdom, Germany, broader Europe, Southeast Asia, and South Africa. Reporting also notes overlap in malware usage, infrastructure, and social engineering with the Silver Fox cluster, and one source attributed Atlas RAT to Silver Fox.
Observed delivery has relied on phishing campaigns using localized HR-, payroll-, business-, and invoice-themed lures. In March and April 2026, TA4922 delivered Atlas RAT via ZIP archives hosted on services including GoFile, followed by DLL sideloading. Reported filenames associated with Atlas RAT delivery include libcef.dll, and campaigns used lure files such as Japanese salary-adjustment and invoice-themed ZIPs as well as "Paperwork.zip" and "HR (2).zip" in UK/Germany targeting.
Atlas RAT is described as a fully featured, multi-stage backdoor. It installs through DLL sideloading, then retrieves a final core module and one or more auxiliary plugins from command-and-control infrastructure. Reported capabilities include system reconnaissance, targeted file theft and file upload, plugin and payload download, remote command execution, keylogging, screenshot capture, clipboard capture, audio recording, webcam/video recording, and system shutdown or reboot.
The malware includes anti-sandbox and anti-analysis logic. Reported checks include usernames and artifacts associated with Microsoft Defender Application Guard, including WDAGUtilityAccount and the WDAG RunOnce registry key, the CExecSvc service, the DNS suffix "mshome," the "vmsmb" device, OS UUID or Windows activation indicators, and related sandbox/virtualization artifacts. One report states Atlas RAT uses direct syscalls via SysWhispers to load shellcode and retrieve its core module. Command-and-control communications were reported as using ChaCha encryption.
Known infrastructure directly associated with observed Atlas RAT campaigns includes 206.238.115.58 over TCP port 886 in a March 2026 Japan-focused campaign and 154.211.86.110 over TCP port 886 in April 2026 campaigns targeting the UK, Germany, and Japan.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems.
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems.
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniquesIn recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader.
The group sends carefully crafted emails disguised as messages from HR departments, tax authorities, and payroll teams... Once a victim clicks a link or opens an attachment, the malware silently installs itself.
Once a victim clicks a link or opens an attachment, the malware silently installs itself.
Execution
2 techniquesAtlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
The shellcode stub resolves its required Windows function addresses. It also resolves several native API functions like ZwAllocateVirtualMemory...
Privilege Escalation
1 techniqueStealth
4 techniquesRomulusLoader starts one or more “workers”, which are effectively copies of its code that are injected into other processes (such as svchost.exe and dllhost.exe).
The target receives a legitimate executable file and a malicious DLL (the Atlas RAT loader) that is sideloaded into the executable’s process.
Credential Access
1 techniqueDiscovery
5 techniquesProofpoint’s report highlights Atlas RAT, a recently identified remote access trojan that offers attackers the following capabilities: System reconnaissance
Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
The malware also checks for a camera as well as the audio (recording and output) devices on the endpoint and sends this data to the C2.
Collection
6 techniquesProofpoint’s report highlights Atlas RAT, a recently identified remote access trojan that offers attackers the following capabilities: ... Targeted file theft
Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
Atlas RAT has the following capabilities... Capture clipboard and screenshot data
Proofpoint’s report highlights Atlas RAT... Audio and webcam recording
Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
Command and Control
3 techniquesAtlas RAT ... connected to a command-and-control server at 206.238.115.58 over port 886... Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure.
Proofpoint’s report highlights Atlas RAT... Plugin and payload downloads... The researchers also discovered a new malware loader named RomulusLoader, which downloads and executes additional payloads
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems, or legitimate remote monitoring and management (RMM) software, like AnyDesk. In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system.
Exfiltration
1 techniqueAtlas RAT has the following capabilities: List and upload files to the C2 server (data exfiltration)
Impact
1 techniqueProofpoint’s report highlights Atlas RAT... System shutdown/reboot commands
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.
A remote access trojan delivered via phishing and DLL side-loading to obtain remote access to victim environments.
Remote access trojan used by TA4922 for access to targeted systems; first described by Hexastrike researchers in March and linked in the article to overlaps with Silver Fox.
A remote access trojan included in TA4922's malware toolkit for gaining and maintaining access to victim environments.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.