A cybercriminal group identified as TA4922 is causing significant concern within the global cybersecurity community. This group has been actively deploying a diverse range of malware, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT. Their targets span across Japan, the United Kingdom, Germany, and Southeast Asia.
Global Reach and Sophisticated Tactics
TA4922 is not an ordinary cybercrime group. Their operations are financially motivated and meticulously planned, which elevates them to a significant global threat. They have moved beyond regional boundaries and now operate across multiple continents.
The group employs sophisticated phishing techniques, sending emails that mimic communications from HR departments, tax bodies, and payroll services. These emails are crafted in the local language of the target, making them highly convincing. Once a recipient clicks a link or opens an attachment, the malware is quietly installed on their system.
Proofpoint’s Findings and Analysis
In an investigative report, Proofpoint analysts have documented TA4922’s activities, highlighting their sophistication and evolving malware arsenal. The group, first identified in spring 2025, initially targeted East Asia but has since expanded into Europe and South Africa by early 2026. Their use of legitimate tools and cloud services complicates detection efforts.
Proofpoint has observed that TA4922 is rapidly developing new malware variants, likely using AI coding tools. Placeholder values in their code indicate minimal human review, accelerating their development cycle and challenging cybersecurity defenses.
Recent Campaigns and Techniques
Between March and April 2026, TA4922 launched several high-profile campaigns. In March, they targeted Japanese organizations with HR-themed emails that led to the deployment of Atlas RAT via ZIP files. These files, hosted on platforms like GoFile, used DLL sideloading to run the malware, which then connected to the group's command-and-control servers.
Subsequent campaigns in April targeted the UK and Germany with similar tactics. The group also utilized RomulusLoader to distribute legitimate remote monitoring tools, blending malicious activity with normal network traffic. SilentRunLoader was employed in fake tax authority emails to exfiltrate Chrome credentials to an attacker-controlled server.
Defensive Measures and Future Outlook
Organizations must take immediate action to mitigate risks posed by TA4922. Proofpoint advises enforcing application allowlisting to block unauthorized executables, monitoring execution from temporary folders, and flagging traffic on unusual ports. Adopting least-privilege principles can limit damage if an attacker gains access.
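The three detection controls above (execution from temporary folders, connections on unusual ports) together with the DLL sideloading pattern described in the March campaign can be turned into simple rules over endpoint telemetry. The following is an added example, not code from Proofpoint or from the article: it runs over a handful of constructed log lines in a simplified Sysmon-style "Key=Value" format (process creation, image load, network connection). All paths, file names and IP addresses are hypothetical, the port allowlist and trusted-directory list are assumptions that a real deployment would replace with its own baseline, and the sideloading heuristic (a DLL loaded from the executable's own, non-standard directory) is a generalization of the behaviour the article describes rather than a signature for any specific sample.

```python
import re

# Ports commonly expected for outbound workstation traffic (assumption; a real
# deployment derives this from its own baseline).
EXPECTED_PORTS = {53, 80, 443, 25, 587, 993, 995}

# Install locations from which user-launched binaries are normally expected.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Substrings identifying temporary or staging folders.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\downloads\\")

# Constructed sample events (hypothetical paths and RFC 5737 documentation IPs,
# not indicators from the report). EventID 1 = process create, 7 = image load,
# 3 = network connection, loosely following Sysmon numbering.
SAMPLE_EVENTS = [
    "EventID=1 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\payroll_2026.exe ParentImage=C:\\Program Files\\7-Zip\\7zFM.exe",
    "EventID=7 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\payroll_2026.exe ImageLoaded=C:\\Users\\alice\\AppData\\Local\\Temp\\version.dll",
    "EventID=3 Image=C:\\Users\\alice\\AppData\\Local\\Temp\\payroll_2026.exe DestinationIp=203.0.113.10 DestinationPort=8443",
    "EventID=1 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ParentImage=C:\\Windows\\explorer.exe",
    "EventID=7 Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE ImageLoaded=C:\\Windows\\System32\\version.dll",
    "EventID=3 Image=C:\\Program Files\\Mozilla Firefox\\firefox.exe DestinationIp=198.51.100.7 DestinationPort=443",
]

# Key=Value pairs; values may contain spaces, so stop only before the next " Key=".
_KV = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_event(line):
    """Parse one 'Key=Value Key=Value ...' line into a dict."""
    return dict(_KV.findall(line))


def _dirname(path):
    """Lower-cased directory of a Windows path, with trailing backslash."""
    return path.lower().rsplit("\\", 1)[0] + "\\"


def is_trusted_dir(path):
    return _dirname(path).startswith(TRUSTED_DIR_PREFIXES)


def check_temp_execution(ev):
    """Process started from a temporary or download folder."""
    if ev.get("EventID") != "1":
        return None
    if any(m in ev.get("Image", "").lower() for m in TEMP_MARKERS):
        return ("temp_execution", ev["Image"])
    return None


def check_unusual_port(ev):
    """Outbound connection to a port outside the expected baseline."""
    if ev.get("EventID") != "3":
        return None
    port = int(ev.get("DestinationPort", "0"))
    if port not in EXPECTED_PORTS:
        return ("unusual_port", f"{ev.get('Image')} -> {ev.get('DestinationIp')}:{port}")
    return None


def check_sideload(ev):
    """Heuristic: a DLL loaded from the executable's own directory, where that
    directory is not a trusted install location, is consistent with sideloading."""
    if ev.get("EventID") != "7":
        return None
    image, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    if not dll.lower().endswith(".dll"):
        return None
    if _dirname(image) == _dirname(dll) and not is_trusted_dir(image):
        return ("dll_sideload", f"{image} loaded {dll}")
    return None


CHECKS = (check_temp_execution, check_unusual_port, check_sideload)


def analyze(lines):
    """Return a list of (rule_name, detail) findings for the given log lines."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for rule, detail in analyze(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

On the constructed sample the three events from the Temp directory each trigger one rule, while the Office and Firefox events pass, which is the point of pairing these rules with application allowlisting: allowlisting blocks the unknown binary outright, and the telemetry rules catch the cases where something slipped through or where a legitimate signed host process was abused to load an attacker's DLL.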
As TA4922 continues to evolve, staying vigilant and informed about their tactics is critical. Training employees to recognize phishing attempts and maintaining robust threat detection systems will be key in defending against future attacks.
