- A China-linked cybercrime group, TA4922, has expanded its phishing campaigns to target organizations across Europe.
- The group employs a rapidly evolving arsenal of malware, including newly documented loaders like RomulusLoader and SilentRunLoader.
- While financially motivated, the actor’s surveillance-capable malware could be exploited by or sold to espionage groups.
A China-linked cybercrime group known as TA4922 has significantly widened its geographic scope, launching phishing campaigns against European organizations in the U.K., Germany, and Italy as of June 2026. These attacks leverage business-themed lures to deploy sophisticated malware for financial gain. The group’s tactics showcase a “rapid operational tempo” and an expanding toolkit.
This arsenal includes known remote access trojans like ValleyRAT and Atlas RAT, according to Proofpoint. However, the actor also uses previously undocumented tools such as RomulusLoader and SilentRunLoader. The enterprise security company characterizes TA4922 as conducting “more unique campaigns” than any other threat actor it tracks, as detailed in its report.
A notable shift involves moving conversations to platforms like WhatsApp or Microsoft Teams after initial contact. This technique allows attackers to bypass enterprise security controls more easily. Campaigns in late March and April 2026 used tax authority and human resources lures to deliver malware via DLL side-loading.
For instance, a March 30 campaign targeting the U.K. delivered the Python-based SilentRunLoader to steal Chrome data. Another wave in mid-April used business themes to deploy RomulusLoader, which then installed tools like AnyDesk. Proofpoint assesses the actor as financially motivated, focused on “data theft, fraud, access resale, or persistent access.”
“While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups,” Proofpoint said. The global expansion demonstrates how such threats can quickly scale to new targets regardless of geography.
