Chinese hackers use new Atlas RAT malware in European cyberattacks

Published: June 3, 2026 at 05:45 PM EDT
3 min read

Source: Bleeping Computer

A Chinese‑speaking cybercrime group has expanded its targeting to Europe, deploying previously undocumented malware and the Atlas backdoor.

Tracked as TA4922, the threat actor is associated with financially motivated attacks aimed at breaching networks for fraud, data theft, and the sale of access.
TA4922 previously targeted organizations in East Asia, but recent campaigns have focused on entities in Germany, Italy, the United Kingdom, and South Africa.


Researchers at Proofpoint note that TA4922 overlaps with activity previously reported as ‘Silver Fox’ and ‘Void Arachne’ [1], but the cluster is tracked separately because it aligns more closely with cybercrime than with espionage.

Since March, TA4922’s activity has increased sharply, and since April it has shown unprecedented operational diversity and a high tempo.

“TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives.” – Proofpoint

“While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups.” – Proofpoint

The attacker uses localized phishing lures crafted to appear as payroll notices, tax audits, VAT filings, government compliance notices, invoices, and human‑resources communications. Victims are also contacted via WhatsApp, LINE, and Microsoft Teams.

German lure – Source: Proofpoint

Atlas RAT and custom loaders

Proofpoint reports that TA4922 has significantly expanded its malware arsenal and may be using large language models (LLMs) to accelerate development, based on placeholder values, code comments, and patterns typical of AI‑generated code.

Atlas RAT

Atlas RAT is a recently identified remote‑access trojan that offers attackers the following capabilities:

  • System reconnaissance
  • Targeted file theft
  • Plugin and payload downloads
  • Keylogging
  • Screenshot capturing
  • Audio and webcam recording
  • System shutdown/reboot commands

The malware includes several anti‑sandbox and anti‑analysis checks, such as looking for usernames and registry keys associated with Microsoft Defender Application Guard, checking for the CExecSvc service, and inspecting the OS UUID.

Checks performed by the Atlas RAT loader – Source: Proofpoint

RomulusLoader

A new loader named RomulusLoader downloads and executes additional payloads using process hollowing, shellcode injection, and direct execution. It has been used to launch legitimate remote‑management tools such as AnyDesk and SyncFuture (a remote‑monitoring tool popular in China), the latter being observed in attacks against German entities.

Overview of the RomulusLoader operation – Source: Proofpoint

SilentRunLoader

Proofpoint also identified a Python‑based loader and information stealer called SilentRunLoader, which harvests Google Chrome credentials, cookies, and browsing data. This malware was deployed against organizations in the United Kingdom and Southeast Asia using lures that impersonated government services.

Winos4.0 (ValleyRAT)

The researchers spotted the deployment of Winos4.0, a previously documented malware family tracked by Proofpoint as ValleyRAT, providing operators with a full set of remote‑access features.

Proofpoint’s report includes indicators of compromise for the malware and command‑and‑control (C2) infrastructure used in TA4922’s attacks.


References

  1. Silver Fox and Void Arachne activity
  2. Proofpoint TA4922 report