Chinese Cybercrime Group Expands into Europe with Atlas RAT and New Malware Arsenal

TA4922 ramps up operations across Europe, deploying Atlas RAT, custom loaders, and surveillance-capable malware in high-volume phishing campaigns.

Chinese-speaking cybercrime group TA4922 has expanded its operations into Europe. Security researchers have observed a sharp rise in attacks targeting organizations in Germany, Italy, the United Kingdom, and South Africa.

The group previously focused on East Asian targets. However, recent campaigns show a broader strategy and a higher attack volume. Researchers now consider TA4922 one of the most active cybercrime groups operating today.

Phishing Campaigns Drive Initial Access

TA4922 relies heavily on phishing attacks. The group creates localized lures that match the target's region and business environment.

Victims receive emails disguised as payroll notices, tax audits, VAT filings, invoices, and government compliance requests. Human resources themes also appear frequently.

In addition, attackers contact targets through WhatsApp, Microsoft Teams, and LINE. This multi-channel approach increases the chances of successful compromise.

Atlas RAT Emerges as a Key Threat

Researchers recently identified Atlas RAT, a previously undocumented remote access trojan used in these campaigns.

The malware gives attackers extensive control over infected systems. Once installed, Atlas RAT can collect system information and steal targeted files. It can also download additional payloads and plugins.

The malware includes surveillance features as well. Operators can capture screenshots, record keystrokes, access webcams, and record audio. They can also restart or shut down compromised devices remotely.

Advanced Evasion Techniques

Atlas RAT includes several anti-analysis features. These functions help the malware avoid detection by security products and researchers.

The malware searches for indicators linked to sandbox environments and virtual machines. It also checks for specific services and registry entries before executing its malicious functions.

As a result, defenders may struggle to identify infections during the early stages of an attack.

New Malware Loaders Expand Capabilities

Researchers also discovered a new malware loader called RomulusLoader.

This tool downloads and executes additional payloads on compromised systems. It uses techniques such as process hollowing, shellcode injection, and direct execution.

In several incidents, RomulusLoader deployed legitimate remote management tools. These included AnyDesk and SyncFuture. By using trusted software, attackers can blend malicious activity with normal administrative operations.

SilentRunLoader Targets Browser Data

Another newly identified threat is SilentRunLoader, a Python-based loader and information stealer.

The malware focuses on extracting sensitive browser data. It targets saved credentials, cookies, and browsing history from Google Chrome.

Researchers observed attacks against organizations in the United Kingdom and Southeast Asia. Many of these campaigns used fake government-related messages to lure victims.

Concerns Over AI-Assisted Malware Development

Researchers believe TA4922 may be using large language models to accelerate malware development.

This assessment comes from coding patterns found in the malware. Analysts identified placeholder values, comments, and structures commonly associated with AI-generated code.

Although the evidence is not conclusive, it highlights how threat actors may use artificial intelligence to speed up malware creation and modification.

Growing Surveillance Risks

TA4922 is primarily considered a financially motivated cybercrime group. However, its malware includes capabilities often associated with surveillance operations.

Features such as webcam access, audio recording, and extensive data collection could attract espionage-focused actors. These tools could also be shared or sold to other threat groups.

This overlap between cybercrime and intelligence gathering continues to concern security professionals.

What Organizations Should Do

Organizations should strengthen their defenses against phishing attacks and unauthorized remote access.

Security teams should deploy multi-factor authentication, improve employee awareness training, and monitor endpoint activity closely. Threat hunting and proactive monitoring can also help identify suspicious behavior before attackers establish persistence.

The rapid growth of TA4922 demonstrates how cybercriminal groups continue to evolve. Their expanding malware arsenal and aggressive campaign volume make them a threat that organizations cannot ignore.