China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa
ID: 9a774b1a-4541-56cd-98dd-2d10c5e0d45d
STIX ID: report--9a774b1a-4541-56cd-98dd-2d10c5e0d45d
Feed Name: The Hacker News
TA4922, a China-linked, financially motivated cybercrime group, has expanded its targeting to European organizations (UK, Germany, Italy) and other regions (Japan, South Africa, Southeast Asia). Proofpoint observed phishing campaigns in March–April 2026 that used HR, tax and invoice lures to deliver Atlas RAT, ValleyRAT, RomulusLoader, and SilentRunLoader via DLL side-loading. SilentRunLoader harvests Chrome data, and the loaders have been used to deploy AnyDesk and SyncFuture. The actor also moves victim conversations to out-of-band channels (LINE, WhatsApp, Microsoft Teams) to bypass enterprise controls and maintain persistent access.
