📃Title: TA4922: The Suspected Chinese Crime Group is Going Global
📅Date: 2026-06-03
🔗References:
Description
TA4922 is a highly sophisticated Chinese-speaking threat actor demonstrating a rapid operational tempo and continually evolving malware capabilities. Initially targeting East Asia, particularly Japan, the group has expanded globally to Europe and Africa. The actor deploys multiple malware families, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0), alongside legitimate remote management tools such as AnyDesk and SyncFuture. Campaigns use localized lures themed around HR, payroll, tax, and invoicing, and each targets hundreds to thousands of recipients. TA4922 conducts credential phishing and fraud operations, including credit card theft, and attempts to shift communications to out-of-band channels such as LINE, WhatsApp, and Microsoft Teams. The group leverages legitimate cloud hosting services and trusted software for delivery and persistence, combining advanced tradecraft with financially motivated objectives such as data theft, fraud, access resale, and persistent remote access.
Threat Actor
TA4922
🔖Rectifyq Taxonomies:
- relevancy: 🔴 Highly Relevant
- category: ⚔Threat
- sub-category: campaign-analysis
- target: broad-based
- MY-relevancy: relevant
🔖MISP Galaxies:
- producer= Proofpoint
- target-information="British Indian Ocean Territory"
- target-information="Germany"
- target-information="India"
- target-information="Indonesia"
- target-information="Italy"
- target-information="Japan"
- target-information="Malaysia"
- target-information="Singapore"
- target-information="South Africa"
- target-information="Taiwan"
- target-information="United Kingdom"
- malpedia="ValleyRAT"
- mitre-attack-pattern=['T1113', 'T1056.001', 'T1204.002', 'T1573.001', 'T1566.002', 'T1566.001', 'T1119', 'T1005', 'T1140', 'T1055.003', 'T1055', 'T1125', 'T1041', 'T1566', 'T1571', 'T1055.012', 'T1027', 'T1598', 'T1574.002', 'T1105', 'T1204.001', 'T1055.001', 'T1566.003']
MISP event uuid: 6a7790d3-55d8-46c0-9903-9a5dc28211d9
Indicators of Compromise (IoCs)
Full IOCs available in Rectifyq’s MISP