Chinese Hackers Expand Operations to Europe with New Atlas RAT Malware
A Chinese-speaking cybercrime group, TA4922, has shifted its focus from East Asia to European targets, deploying novel malware including the Atlas RAT backdoor.

A Chinese-speaking cybercrime group, tracked as TA4922, has significantly broadened its operational scope, expanding from its traditional East Asian targets to encompass entities in Europe. This shift is marked by the deployment of previously undocumented malware, most notably the Atlas remote access trojan (RAT), and a notable increase in the group's operational tempo and diversity.
TA4922 is primarily motivated by financial gain, aiming to breach target networks for fraudulent activities, data exfiltration, and the subsequent sale of network access. While previous campaigns focused on East Asia, recent activity has seen a surge in attacks against organizations located in Germany, Italy, the United Kingdom, and South Africa. Researchers at Proofpoint note overlaps between TA4922 and threat actors previously identified as 'Silver Fox' and 'Void Arachne,' but maintain a separate tracking designation due to TA4922's consistent alignment with cybercrime objectives rather than espionage.
The group employs sophisticated social engineering tactics, utilizing localized phishing lures that impersonate common business communications such as payroll notices, tax audits, VAT filings, government compliance alerts, invoices, and human resources correspondence. Beyond traditional email vectors, TA4922 has also been observed attempting to contact potential victims through popular messaging platforms like WhatsApp, LINE, and Microsoft Teams, demonstrating a multi-channel approach to initial compromise.
Proofpoint's analysis suggests that TA4922 may be leveraging large language models (LLMs) to accelerate its malware development, evidenced by the presence of placeholder values, code comments, and patterns indicative of AI-generated code. The newly identified Atlas RAT is a potent tool, offering attackers extensive capabilities including system reconnaissance, targeted file theft, plugin and payload downloads, keylogging, screenshot capture, audio and webcam recording, and system control commands. The malware also incorporates anti-analysis features designed to evade detection by security solutions.
In addition to Atlas RAT, TA4922 has deployed a new malware loader named RomulusLoader, which executes additional payloads through techniques such as process hollowing and shellcode injection. Notably, RomulusLoader has also been used to deploy legitimate remote management tools, among them AnyDesk and SyncFuture; the latter is a remote monitoring tool popular in China and, unexpectedly, was deployed in attacks targeting German entities.
Further expanding their toolkit, the threat actor also utilizes SilentRunLoader, a Python-based loader and information stealer designed to exfiltrate credentials, cookies, and browsing data from Google Chrome. This malware has been deployed against organizations in the UK and Southeast Asia, using lures that mimic government services. The group also continues to deploy ValleyRAT (tracked by Proofpoint as Winos4.0), a known malware family providing comprehensive remote access functionalities.
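Two of the behaviours described above lend themselves to simple telemetry hunting: a non-browser process reading Chrome's credential or cookie stores (the SilentRunLoader behaviour), and a remote-management tool such as AnyDesk being launched from a script host or a staging directory (the RomulusLoader behaviour). The script below is an added example written for this article, not code from Proofpoint or from the report; the pipe-delimited event format and every sample event are constructed, and the only remote-admin binary it lists is AnyDesk, since the page does not give SyncFuture's executable name. The Chrome file names it matches (`Login Data`, `Cookies`, `Web Data`) are the real names Chrome uses under its `User Data` directory.

```python
"""Hunting heuristics for two behaviours from the TA4922 report.

Constructed record layout (one event per line):
    kind|acting_image|parent_image|target_file
Real telemetry would be Sysmon or EDR JSON; the parser here is kept trivial
so the rules themselves are the point.
"""
import re
from dataclasses import dataclass

# Chrome profile files that hold saved credentials, cookies and autofill data.
BROWSER_STORE_FILES = {"login data", "cookies", "web data"}
# Processes that legitimately read those files.
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "chromium.exe"}
# Remote-management binaries worth scrutinising (only AnyDesk is named on the page).
REMOTE_ADMIN_IMAGES = {"anydesk.exe"}
# Parents that should not normally be spawning a remote-admin tool.
SCRIPT_HOSTS = {"python.exe", "pythonw.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "cmd.exe", "mshta.exe"}
# Directories a dropped payload typically runs from (assumption for this example).
STAGING_DIRS = re.compile(r"\\(temp|downloads|public)\\", re.IGNORECASE)


@dataclass
class Event:
    kind: str      # "file_access" or "process_create"
    image: str     # full path of the acting process
    parent: str    # full path of the parent (process_create only)
    target: str    # file path touched (file_access only)


def _base(path: str) -> str:
    """Lower-cased file name component of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> Event:
    parts = line.split("|")
    if len(parts) != 4:
        raise ValueError(f"malformed event: {line!r}")
    return Event(*parts)


def rule_browser_store_access(ev: Event) -> bool:
    """Non-browser process reading a Chrome credential/cookie store."""
    return (ev.kind == "file_access"
            and _base(ev.target) in BROWSER_STORE_FILES
            and "\\user data\\" in ev.target.lower()
            and _base(ev.image) not in BROWSER_IMAGES)


def rule_remote_admin_staged(ev: Event) -> bool:
    """Remote-admin tool started by a script host or from a staging directory."""
    if ev.kind != "process_create" or _base(ev.image) not in REMOTE_ADMIN_IMAGES:
        return False
    return _base(ev.parent) in SCRIPT_HOSTS or bool(STAGING_DIRS.search(ev.image))


RULES = {
    "browser_store_access_by_non_browser": rule_browser_store_access,
    "remote_admin_tool_staged": rule_remote_admin_staged,
}


def hunt(lines):
    """Return (line_index, rule_name) for every event that trips a rule."""
    hits = []
    for i, line in enumerate(lines):
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((i, name))
    return hits


# Constructed sample telemetry: indexes 1, 3 and 4 should fire, 0 and 2 should not.
SAMPLE_EVENTS = [
    r"file_access|C:\Program Files\Google\Chrome\Application\chrome.exe||C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"file_access|C:\Users\a\AppData\Local\Temp\update.exe||C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Login Data",
    r"process_create|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|C:\Windows\explorer.exe|",
    r"process_create|C:\Users\a\AppData\Local\Temp\AnyDesk.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|",
    r"file_access|C:\Users\a\AppData\Local\Temp\update.exe||C:\Users\a\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies",
]

if __name__ == "__main__":
    for idx, rule_name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

Both rules are deliberately narrow so they can be tuned against real baselines: backup agents and password managers will legitimately read `Login Data`, and helpdesk workflows may launch AnyDesk from a script, so treat hits as leads for triage rather than verdicts.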
Proofpoint highlights that TA4922 is currently responsible for a greater number of unique campaigns than any other cybercrime actor they track, underscoring their high operational tempo and adaptability. While primarily financially motivated, the surveillance capabilities inherent in their malware arsenal present a potential avenue for espionage groups, either through direct use or by selling access to such actors.
The expanded campaign against European targets, coupled with the development and deployment of advanced, potentially AI-assisted malware like Atlas RAT and RomulusLoader, signifies a growing threat from TA4922. The group's ability to conduct diverse attacks with high frequency and sophisticated lures demands increased vigilance from organizations across the continent.