Proofpoint Warns TA4922 Deploys Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT
Jun 04, 2026 · 6 min read
A sophisticated cybercrime group known as TA4922 is raising alarms across the global security community.

The group has been deploying a growing arsenal of malware, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, against organizations in Japan, the United Kingdom, Germany, and across Southeast Asia.

These campaigns are financially motivated and show a level of planning that sets TA4922 apart from typical criminal groups. The group’s reach is no longer regional. It is becoming a global threat.

What makes TA4922 especially dangerous is how it tricks its victims. The group sends carefully crafted emails disguised as messages from HR departments, tax authorities, and payroll teams.

These messages are written in the target’s local language and look convincing enough to fool cautious employees. Once a victim clicks a link or opens an attachment, the malware silently installs itself.

Analysts at Proofpoint identified and documented this activity in a detailed threat report shared with Cyber Security News (CSN). According to Proofpoint, TA4922 is a highly sophisticated actor with a rapidly evolving malware arsenal.

HR-themed salary adjustment email lure used in the March 2026 campaign (Source – Proofpoint)

The group is assessed to be financially motivated, with goals including data theft, fraud, and persistent access to victim environments. Proofpoint notes that TA4922 currently conducts more unique campaigns than any other tracked cybercrime actor in their threat data.

The group first appeared on Proofpoint’s radar in spring 2025, initially focused on East Asia. By early 2026, TA4922 had dramatically expanded into Europe and South Africa.

The group mixes malicious activity with legitimate tools and trusted cloud hosting services, making their attacks harder to detect.

One of the more alarming aspects of TA4922’s behavior is how fast it builds new tools. Proofpoint assessed with high confidence that the group likely uses AI coding tools to rapidly develop new Python-based malware.

Unchanged placeholder values in SilentRunLoader’s code, such as the string “your_secret_key_here,” suggest code was generated with minimal review. This fast development cycle means defenders are constantly chasing new variants.

TA4922 Deploys Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT

TA4922 ran several notable campaigns between March and April 2026, each deploying different malware. In early March, the group sent HR-themed emails to organizations in Japan disguised as salary adjustment notices.

These emails carried ZIP files hosted on GoFile; once opened, the archives triggered DLL sideloading to deliver Atlas RAT, which connected to a command-and-control server at 206.238.115.58 over port 886.

A second Atlas RAT campaign in April targeted organizations in the UK and Germany using HR lures with filenames like “Paperwork.zip.” RomulusLoader appeared in late March, targeting Japanese organizations via LimeWire-hosted files.

In mid-April, TA4922 used RomulusLoader to push legitimate remote monitoring tools such as AnyDesk and SyncFuture, blending into normal network traffic.

SilentRunLoader was deployed against UK targets using fake tax authority emails, stealing Chrome credentials and sending them to an actor-controlled server.

HR-themed email lures in April 2026 (Source – Proofpoint)

Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.

LimeWire hosting RomulusLoader payload (Source – Proofpoint)

Atlas RAT runs multiple anti-sandbox checks and communicates with its server using ChaCha encryption. ValleyRAT, built on the Winos4.0 framework, adds DDoS support and downloads additional modules on demand. Together, these tools give TA4922 deep and persistent access to compromised systems.

Defending Against TA4922 and Its Malware Tools

Organizations need to act now to reduce their exposure to this threat. Proofpoint recommends enforcing application allowlisting on trusted directories to prevent unapproved executables from running.

RomulusLoader’s behaviors (Source – Proofpoint)

Teams should also monitor or prevent execution from temporary folders like %TEMP% and %APPDATA%, commonly abused by malware like RomulusLoader. Watching for executables written to root directories can help catch suspicious activity early.

Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure. Applying least-privilege principles across accounts limits how much damage an attacker can cause once inside a network.

Since TA4922 is known to move victims from email to messaging platforms like WhatsApp and Microsoft Teams, security teams should train employees to recognize and report this social engineering before it leads to a full compromise.
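As an added example (not code from the article or from Proofpoint), the host and network checks recommended above applied as a triage filter over constructed endpoint telemetry. The tab-separated event format, the user name, the sample paths and the file name Viewer.exe are assumptions; only the ports 1234 and 886, the %TEMP%/%APPDATA% locations and the file name cg.exe come from the article, and placing cg.exe in the drive root is a constructed case.

```python
"""Added example, not code from the article or from Proofpoint: applies the
article's three host/network detection recommendations to endpoint telemetry.
The event shape (kind, image path, destination port) is a constructed assumption."""
import re
from dataclasses import dataclass

# Per-user %TEMP%/%APPDATA% trees and the system temp directory, which the
# article says loaders such as RomulusLoader commonly execute from.
USER_WRITABLE_RE = re.compile(
    r"^(?:[a-z]:\\users\\[^\\]+\\appdata\\|[a-z]:\\windows\\temp\\)", re.I)
# An executable placed directly in a drive root, e.g. C:\cg.exe (constructed).
DRIVE_ROOT_EXE_RE = re.compile(r"^[a-z]:\\[^\\]+\.(?:exe|dll|scr|com)$", re.I)
# C2 ports named in the article: 1234 (RomulusLoader) and 886 (Atlas RAT).
SUSPICIOUS_PORTS = {886, 1234}

@dataclass(frozen=True)
class Event:
    kind: str       # "process" (image started) or "network" (outbound connect)
    image: str      # full path of the executing image
    dest_port: int  # 0 for process events

def parse_events(text):
    """Parse the constructed tab-separated export: kind<TAB>image<TAB>port."""
    events = []
    for line in text.strip().splitlines():
        kind, image, port = line.split("\t")
        events.append(Event(kind, image, int(port)))
    return events

def triage(events):
    """Return (rule_name, image) hits in event order; benign rows yield nothing."""
    hits = []
    for ev in events:
        if ev.kind == "process":
            if USER_WRITABLE_RE.match(ev.image):
                hits.append(("exec_from_temp_or_appdata", ev.image))
            if DRIVE_ROOT_EXE_RE.match(ev.image):
                hits.append(("exe_in_drive_root", ev.image))
        elif ev.kind == "network" and ev.dest_port in SUSPICIOUS_PORTS:
            hits.append((f"outbound_to_port_{ev.dest_port}", ev.image))
    return hits

# Constructed sample telemetry: two benign rows, three that should fire.
SAMPLE_EXPORT = (
    "process\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\t0\n"
    "process\tC:\\Users\\alice\\AppData\\Local\\Temp\\Paperwork\\Viewer.exe\t0\n"
    "process\tC:\\cg.exe\t0\n"
    "network\tC:\\Users\\alice\\AppData\\Local\\Temp\\Paperwork\\Viewer.exe\t1234\n"
    "network\tC:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE\t443\n"
)
```

In production the %APPDATA% rule needs an allowlist for legitimate per-user installers (chat and collaboration clients commonly run from there), which this example omits.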

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
