
Chinese hackers deploy new Atlas RAT malware in European attacks

Summary

– A Chinese-speaking cybercrime group tracked as TA4922 has expanded its targeting from East Asia to Europe, focusing on Germany, Italy, the UK, and South Africa.
– TA4922 uses localized phishing lures posing as payroll, tax, and government notices, and contacts victims via WhatsApp, LINE, and Microsoft Teams.
– The group deploys the Atlas RAT backdoor and new loaders like RomulusLoader and SilentRunLoader for theft, surveillance, and remote access.
– Researchers suspect TA4922 uses AI-generated code to accelerate malware development, based on placeholder values and code patterns.
– Since April, TA4922 has shown high operational tempo and diversity, conducting more unique campaigns than any other tracked cybercrime threat actor.

A Chinese-speaking cybercrime group has turned its focus toward Europe, deploying a previously undocumented remote access trojan called Atlas RAT along with several new custom loaders. Known to researchers as TA4922, this financially motivated threat actor has historically concentrated on East Asian targets, but recent campaigns now hit organizations in Germany, Italy, the United Kingdom, and South Africa.

Cybersecurity firm Proofpoint tracks TA4922 as a distinct cluster, noting overlaps with activity previously labeled Silver Fox and Void Arachne. However, the group is monitored separately because its operations align more closely with cybercrime than espionage. Since March, the group’s activity has surged, and starting in April, it has demonstrated an unprecedented level of operational diversity and tempo.

“TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives,” the company states in a new report. “While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups.”

The attackers deploy localized phishing lures that mimic payroll notices, tax audits, VAT filings, government compliance alerts, invoices, and HR communications. They also attempt to reach victims through WhatsApp, LINE messenger, and Microsoft Teams.

Proofpoint’s analysis reveals that TA4922 has significantly expanded its malware toolkit. Researchers believe the group may be using large language models (LLMs) to accelerate malware development, based on placeholder values, code comments, and patterns typical of AI-generated code.

Atlas RAT, the newly identified remote access trojan, provides attackers with capabilities including system reconnaissance, targeted file theft, plugin and payload downloads, keylogging, screenshot capture, audio and webcam recording, and system shutdown or reboot commands. The malware incorporates several anti-sandbox and anti-analysis checks, such as scanning for usernames and registry keys tied to Microsoft Defender Application Guard, the “CExecSvc” service, and OS UUIDs.

The researchers also uncovered RomulusLoader, a new malware loader that uses process hollowing, shellcode injection, and direct execution to download and run additional payloads. RomulusLoader was observed deploying legitimate remote management tools like AnyDesk and SyncFuture, a remote monitoring software popular in China. Oddly, SyncFuture was used specifically in attacks targeting German entities.

Another tool identified is SilentRunLoader, a Python-based loader and information stealer that targets Google Chrome credentials, cookies, and browsing data. This malware was used against organizations in the United Kingdom and Southeast Asia, with lures impersonating government services.

Finally, the researchers spotted the deployment of Winos4.0, a previously documented malware family that Proofpoint tracks as ValleyRAT, which provides operators with a full suite of remote access features.

According to Proofpoint, TA4922 is responsible for more unique campaigns than any other threat actor the company tracks. The group moves quickly, uses multiple lures, and its malware carries surveillance capabilities that could be sold to or used by espionage groups. Proofpoint’s report includes indicators of compromise for the malware and command-and-control infrastructure used in these attacks.

(Source: BleepingComputer)
