RomulusLoader
RomulusLoader is a malware loader first identified by Proofpoint in TA4922 campaigns observed in March 2026. It is described as a unique loader written in C and used by the Chinese-speaking, financially motivated threat actor TA4922, which has overlap in tooling and tradecraft with the Silver Fox cluster. RomulusLoader was used in phishing campaigns targeting primarily Japanese organizations and later organizations in Germany, with lures themed around corporate, human resources, business, and tax matters. Delivery was observed via LimeWire-hosted archives and DLL side-loading.
RomulusLoader is designed to download and execute additional payloads from command-and-control infrastructure. Reported execution techniques include direct execution, shellcode injection, process hollowing, and DLL side-loading. Proofpoint also described it as using a custom PE loader, dynamic API resolution via PEB/TEB walking and ROR13 hashing, and RC4-encrypted embedded payloads. It copies components to C:\Program Files\Common Files for persistence and injects worker code into processes including svchost.exe and dllhost.exe.
In mid-April 2026, TA4922 used RomulusLoader to deploy legitimate remote monitoring and management tools including AnyDesk and SyncFuture, allowing the activity to blend into normal network traffic and business operations. SyncFuture was specifically noted in attacks targeting German entities. RomulusLoader has been associated with command-and-control over TCP port 1234. Reported infrastructure and related indicators include 43.156.77.97 and 103.214.172.33, and filenames including libcef.dll, vulkan-1.dll, and cg.exe were listed in the broader TA4922 reporting. Proofpoint also recommended monitoring or preventing execution from %TEMP% and %APPDATA% because RomulusLoader abuses those locations.
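The monitoring advice above can be turned into a small triage routine. The example below is added here and is not Proofpoint's or Mallory's code; it scores constructed Sysmon-style events against the behaviours this page reports (execution from %TEMP%/%APPDATA%, side-loaded DLL names, the Common Files persistence path, and TCP/1234 or the listed C2 addresses). The event layout, field names and the per-user profile path pattern are assumptions.

```python
import re

# Indicator values are the ones quoted on the page; the event layout, field
# names and the per-user profile path pattern are assumptions for this example.
C2_IPS = {"43.156.77.97", "103.214.172.33"}
C2_PORT = 1234
SIDELOAD_DLLS = {"libcef.dll", "vulkan-1.dll"}
PERSIST_DIR = r"c:\program files\common files"
# %TEMP% and %APPDATA% for a standard per-user profile.
STAGING_RE = re.compile(r"^c:\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.I)

def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()

def flag_event(ev: dict) -> list[str]:
    """Return the reasons an event matches; an empty list means no match."""
    hits = []
    kind = ev.get("type")
    if kind == "process_create" and STAGING_RE.match(_norm(ev["image"])):
        hits.append("execution from %TEMP%/%APPDATA%")
    elif kind == "image_load":
        dll = _norm(ev["image"])
        name = dll.rsplit("\\", 1)[-1]
        # Side-load candidate: a known-abused DLL name loaded from outside System32.
        if name in SIDELOAD_DLLS and not dll.startswith(r"c:\windows\system32"):
            hits.append(f"possible side-load of {name}")
    elif kind == "file_create" and _norm(ev["target"]).startswith(PERSIST_DIR):
        hits.append("write to Common Files (persistence path)")
    elif kind == "network_connect":
        if ev["dst_port"] == C2_PORT:
            hits.append("connection on TCP/1234")
        if ev["dst_ip"] in C2_IPS:
            hits.append("known C2 address")
    return hits

def triage(events: list[dict]) -> list[tuple[int, str]]:
    """Flatten all hits into (event id, reason) pairs, in event order."""
    return [(ev["id"], reason) for ev in events for reason in flag_event(ev)]

# Constructed sample telemetry, not real events.
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "image": r"C:\Users\alice\AppData\Local\Temp\cg.exe"},
    {"id": 2, "type": "image_load", "image": r"C:\Users\alice\AppData\Local\Temp\vulkan-1.dll"},
    {"id": 3, "type": "image_load", "image": r"C:\Windows\System32\vulkan-1.dll"},
    {"id": 4, "type": "file_create", "target": r"C:\Program Files\Common Files\vulkan-1.dll"},
    {"id": 5, "type": "network_connect", "dst_ip": "43.156.77.97", "dst_port": 1234},
    {"id": 6, "type": "network_connect", "dst_ip": "10.0.0.5", "dst_port": 443},
    {"id": 7, "type": "process_create", "image": r"C:\Program Files\App\app.exe"},
]
```

Event 3 (the same DLL name loaded from System32) and events 6 and 7 are deliberately benign controls, so the routine shows which of the page's indicators each hit rests on rather than firing on the file name alone.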
Groups observed using it
1 distinct threat actor attributed by public researchers.
In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system.
Techniques & procedures
11 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
In recent months, however, attacks mounted by the hacking group have relied on phishing campaigns using human resources- and business-themed lures for credential phishing, fraud, and malware delivery, including Atlas RAT, RomulusLoader, and SilentRunLoader.
The group sends carefully crafted emails disguised as messages from HR departments, tax authorities, and payroll teams... Once a victim clicks a link or opens an attachment, the malware silently installs itself.
Execution
1 technique
The shellcode stub resolves its required Windows function addresses. It also resolves several native API functions like ZwAllocateVirtualMemory...
Privilege Escalation
2 techniques
The researchers also discovered a new malware loader named RomulusLoader, which downloads and executes additional payloads using process hollowing, shellcode injection, and direct execution.
Stealth
4 techniques
RomulusLoader samples Proofpoint researchers analyzed were masquerading as a component of Vulkan Loader...
The researchers also discovered a new malware loader named RomulusLoader, which downloads and executes additional payloads using process hollowing, shellcode injection, and direct execution.
The target receives a legitimate executable file and a malicious DLL (the Atlas RAT loader) that is sideloaded into the executable’s process.
Command and Control
3 techniques
Atlas RAT ... connected to a command-and-control server at 206.238.115.58 over port 886... Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure.
In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system. But it also uses a loader called SilentRunLoader
TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems, or legitimate remote monitoring and management (RMM) software, like AnyDesk. In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system.
IOCs tracked for this family
8 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
RomulusLoader is a loader used to deliver additional payloads and legitimate remote monitoring tools, with execution commonly staged from temporary folders and C2 traffic observed on unusual ports including port 1234.
A C-based loader used in phishing campaigns and later used to deploy additional tools such as AnyDesk and SyncFuture via DLL side-loading.
Loader used to deploy legitimate remote monitoring and management software such as AnyDesk onto victim hosts.
A loader used in TA4922 campaigns to deliver or load additional payloads after initial infection.