SilentRunLoader
SilentRunLoader is a Python-based loader and information stealer used by the Chinese-speaking, financially motivated threat actor TA4922. Proofpoint first identified it on 30 March 2026 in campaigns targeting organizations in the United Kingdom, and later observed it in attacks against recipients in Southeast Asia and the U.K. The malware was delivered through localized phishing lures, particularly fake tax authority, benefits, and compliance-themed emails, including HMRC-themed messages, with delivery via links to MediaFire-hosted archives and through DLL sideloading. SilentRunLoader is described as both a loader and a Google Chrome stealer. It harvests sensitive data from Google Chrome, including stored credentials, cookies, and browsing information, and exfiltrates that data to actor-controlled infrastructure. Proofpoint reported exfiltration via HTTP POST to ws[.]ztts88[.]cyou, which resolved to 18[.]139[.]83[.]110, and also stated that the malware sent Chrome credentials to previously observed TA4922-controlled command-and-control infrastructure. The malware downloads or drops a next-stage executable named cg.exe. Proofpoint described it as a compiled Python sample whose internal name is "silent_run_and_upload.py". The report also noted an unchanged placeholder string, "your_secret_key_here," and assessed with high confidence that TA4922 likely used large language models to help develop some of its newer Python malware, including SilentRunLoader. SilentRunLoader is part of a broader TA4922 toolkit that also includes Atlas RAT, RomulusLoader, and ValleyRAT/Winos4.0, and has been used in campaigns against organizations in Europe and Asia.
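The strings quoted above (the internal script name "silent_run_and_upload.py", the unchanged placeholder "your_secret_key_here", and the next-stage name cg.exe) are the kind of static indicators an analyst would check for when triaging a suspected sample. The following script is an added example, not code from Proofpoint's report or from Mallory: it searches a binary for those strings in both ASCII and UTF-16LE form and reports whether the file carries a PyInstaller archive marker. The PyInstaller magic check is an assumption, since the page only says "compiled Python" and does not name the packer; SAMPLE_BLOB is a constructed stand-in for a real sample.

```python
"""Static triage of a suspected compiled-Python sample for the strings this page reports.

Added example, not Proofpoint's or Mallory's code. Indicator strings come from
the page (internal script name, unchanged placeholder key, next-stage name).
The PyInstaller archive magic check is an assumption: the page only says
"compiled Python" and does not name the packer. SAMPLE_BLOB is constructed.
"""
from typing import List, Tuple

# Strings quoted on this page for SilentRunLoader and its next stage.
INDICATOR_STRINGS = [
    "silent_run_and_upload.py",   # internal script name of the compiled sample
    "your_secret_key_here",       # placeholder the author never replaced
    "cg.exe",                     # next-stage compiled Python executable
]

# Assumption: PyInstaller's CArchive magic, present in PyInstaller-built binaries.
PYINSTALLER_MAGIC = b"MEI\x0c\x0b\x0a\x0b\x0e"


def find_strings(data: bytes) -> List[Tuple[str, str, int]]:
    """Return (indicator, encoding, offset) for every ASCII or UTF-16LE occurrence."""
    hits = []
    for s in INDICATOR_STRINGS:
        for enc in ("ascii", "utf-16-le"):
            needle = s.encode(enc)
            start = 0
            while (off := data.find(needle, start)) != -1:
                hits.append((s, enc, off))
                start = off + 1
    return hits


def triage(data: bytes) -> dict:
    """Summarize a sample: PE header, PyInstaller magic, and indicator strings found."""
    strings = find_strings(data)
    has_magic = PYINSTALLER_MAGIC in data
    return {
        "is_pe": data[:2] == b"MZ",
        "pyinstaller_magic": has_magic,
        "strings": strings,
        # Only escalate when both the packer marker and at least one string match.
        "verdict": "review" if (has_magic and strings) else "no match",
    }


def _build_sample() -> bytes:
    """Constructed stand-in for a sample: PE stub, packer magic, embedded strings."""
    blob = bytearray(b"MZ" + b"\x00" * 62)
    blob += b"\x90" * 40 + PYINSTALLER_MAGIC + b"\x00" * 8
    blob += b"silent_run_and_upload.py\x00"                      # ASCII string
    blob += "your_secret_key_here".encode("utf-16-le") + b"\x00\x00"  # wide string
    blob += b"\xcc" * 32
    return bytes(blob)


SAMPLE_BLOB = _build_sample()

if __name__ == "__main__":
    for key, value in triage(SAMPLE_BLOB).items():
        print(f"{key}: {value}")
```

Run it against a file by passing `open(path, "rb").read()` to `triage()`. Searching both encodings matters because Windows binaries frequently carry the same literal as a wide string, and a scanner that only looks for ASCII misses it.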
Groups observed using it
1 distinct threat actor attributed by public researchers.
But it also uses a loader called SilentRunLoader, and SilentRunLoader itself doubles as a Google Chrome stealer.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
In recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader.
The group sends carefully crafted emails disguised as messages from HR departments, tax authorities, and payroll teams... Once a victim clicks a link or opens an attachment, the malware silently installs itself.
Execution
1 technique
Proofpoint assessed with high confidence that the group likely uses AI coding tools to rapidly develop new Python-based malware.
Stealth
1 technique
The target receives a legitimate executable file and a malicious DLL (the Atlas RAT loader) that is sideloaded into the executable’s process.
Credential Access
2 techniques
SilentRunLoader itself doubles as a Google Chrome stealer.
SilentRunLoader was deployed against UK targets using fake tax authority emails, stealing Chrome credentials and sending them to an actor-controlled server.
Discovery
1 technique
Upon execution, the payload installed SilentRunLoader which harvested sensitive data from Google Chrome including stored credentials, cookies, and browsing information.
Collection
1 technique
The downloaded executable (cg.exe) is another compiled Python executable and is responsible for gathering Chrome data and packing it into an archive, at which point the main Python code (SilentRunLoader) executes.
Command and Control
2 techniques
Atlas RAT ... connected to a command-and-control server at 206.238.115.58 over port 886... Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure.
In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system. But it also uses a loader called SilentRunLoader
Exfiltration
2 techniques
SilentRunLoader was deployed against UK targets using fake tax authority emails, stealing Chrome credentials and sending them to an actor-controlled server.
Collected data was exfiltrated via HTTP POST requests to C2 infrastructure hosted at “ws[.]ztts88[.]cyou” which resolved to IP address 18[.]139[.]83[.]110.
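The Command and Control and Exfiltration sections above give concrete network indicators: an HTTP POST exfiltration host (ws[.]ztts88[.]cyou, resolving to 18[.]139[.]83[.]110), an Atlas RAT C2 at 206.238.115.58 on port 886, and the port 1234 used by RomulusLoader. The script below is an added example, not code from Proofpoint or Mallory: it refangs the defanged indicators as written on this page and runs them over constructed proxy log lines in a hypothetical "timestamp src dst:port method host" layout, flagging POSTs to known exfil hosts, any connection to known infrastructure, and connections to the unusual ports the page calls out.

```python
"""Flag proxy/firewall log lines that touch SilentRunLoader / TA4922 infrastructure.

Added example, not Proofpoint's or Mallory's code. The indicators are the
defanged values quoted on this page; the log lines are constructed samples in
a hypothetical "timestamp src dst:port method host" layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Defanged indicators exactly as quoted on the page, with the page's attribution.
DEFANGED = {
    "ws[.]ztts88[.]cyou": "SilentRunLoader exfil host (HTTP POST)",
    "18[.]139[.]83[.]110": "SilentRunLoader exfil IP",
    "206[.]238[.]115[.]58": "Atlas RAT C2 (port 886)",
}
# Ports the page tells defenders to flag.
SUSPICIOUS_PORTS = {886: "Atlas RAT C2 port", 1234: "RomulusLoader C2 port"}


def refang(value: str) -> str:
    """Turn a defanged indicator back into a matchable hostname or IP."""
    return value.replace("[.]", ".").replace("hxxp", "http").lower()


IOC = {refang(k): v for k, v in DEFANGED.items()}


@dataclass
class Hit:
    line_no: int
    reason: str
    line: str


# Hypothetical log layout: "<ts> <src_ip> <dst_ip>:<port> <method> <host>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+"
    r"(?P<method>\S+)\s+(?P<host>\S+)$"
)


def scan_line(line_no: int, line: str) -> Optional[Hit]:
    """Return a Hit if the line matches a known indicator or a flagged port."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than guess
    dst, port = m["dst"], int(m["port"])
    method, host = m["method"].upper(), m["host"].lower()
    label = IOC.get(host) or IOC.get(dst)
    if label:
        if method == "POST":
            return Hit(line_no, f"{label}: POST to known exfil/C2 host", line)
        return Hit(line_no, f"{label}: connection to known infrastructure", line)
    if port in SUSPICIOUS_PORTS:
        return Hit(line_no, f"unusual port {port} ({SUSPICIOUS_PORTS[port]})", line)
    return None


def scan(lines: List[str]) -> List[Hit]:
    """Scan a whole log and return every hit in order."""
    return [h for i, l in enumerate(lines, 1) if (h := scan_line(i, l))]


# Constructed sample log; benign destinations use RFC 5737 documentation addresses.
SAMPLE_LOG = [
    "2026-04-01T09:12:03Z 10.0.0.15 18.139.83.110:80 POST ws.ztts88.cyou",
    "2026-04-01T09:12:10Z 10.0.0.15 203.0.113.9:443 GET www.example.com",
    "2026-04-01T09:13:44Z 10.0.0.22 206.238.115.58:886 CONNECT -",
    "2026-04-01T09:15:01Z 10.0.0.31 198.51.100.7:1234 CONNECT -",
    "2026-04-01T09:16:30Z 10.0.0.15 203.0.113.40:443 GET cdn.example.net",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit.line_no}: {hit.reason}")
```

The host-or-IP check comes before the port check on purpose: a POST to the exfil host on port 80 or 443 must be reported as an infrastructure match, not dismissed because the port is ordinary. Adapt `LOG_RE` to your proxy's actual field order before running this over real telemetry.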
IOCs tracked for this family
7 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
SilentRunLoader is a Python-based malware/loader used in phishing campaigns that steals Chrome credentials and exfiltrates them to attacker-controlled infrastructure.
A Python-based loader and stealer that harvests Google Chrome stored credentials, cookies, and browsing information, and is also used for malware delivery and data exfiltration.
Loader used by TA4922 that also functions as a Google Chrome stealer.
A Python-based stealer and loader that targets Google Chrome data, including stored credentials, cookies, and browsing information, and exfiltrates the data to attacker-controlled infrastructure.