VYPR research · Published Jun 4, 2026 · 1 source

TA4922 Leverages Diverse Malware and AI for Global Financial Cybercrime Campaigns

Proofpoint warns that the financially motivated cybercrime group TA4922 is deploying a sophisticated and rapidly evolving arsenal of malware, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, against organizations worldwide.

The financially motivated cybercrime group TA4922 has emerged as a significant global threat, deploying a diverse and rapidly evolving suite of malware against organizations across Japan, the United Kingdom, Germany, and Southeast Asia. Proofpoint's analysis reveals that TA4922 is expanding not only its geographical reach but also its technical capabilities, making it a challenging adversary for defenders.

The group's modus operandi involves highly convincing, localized phishing lures that impersonate trusted entities such as HR departments, tax authorities, and payroll teams. These carefully crafted messages, often written in the target's native language, are designed to trick employees into clicking malicious links or opening infected attachments. Once executed, these payloads silently install sophisticated malware, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, granting the attackers access to victim systems.

Proofpoint highlights TA4922's remarkable operational tempo, noting that the group conducts more unique campaigns than any other tracked cybercrime actor in their data. Initially observed in spring 2025 with a focus on East Asia, TA4922 dramatically expanded its operations into Europe and South Africa by early 2026. This rapid expansion is partly attributed to the group's ability to quickly develop new tools, with Proofpoint assessing with high confidence that TA4922 likely utilizes AI coding tools to accelerate the creation of new Python-based malware. Evidence of this rapid development includes unchanged placeholder values in malware code, suggesting minimal review before deployment.

Recent campaigns observed between March and April 2026 showcase the group's varied tactics. One campaign in early March targeted Japanese organizations with HR-themed emails containing ZIP files hosted on GoFile, leading to the deployment of Atlas RAT. A subsequent Atlas RAT campaign in April targeted UK and German entities using similar HR lures. RomulusLoader was deployed in late March against Japanese targets via LimeWire-hosted files, and in mid-April, it was used to push legitimate remote monitoring tools like AnyDesk and SyncFuture, blending in with normal network traffic.

The malware deployed by TA4922 offers a range of malicious capabilities. Atlas RAT functions as a full-featured backdoor, capable of keylogging, screen capture, webcam recording, file management, and remote command execution, while employing anti-sandbox techniques and encrypted C2 communication. RomulusLoader, besides its initial payload delivery, can also facilitate the use of legitimate remote access tools. SilentRunLoader focuses on stealing Chrome credentials, and ValleyRAT, built on the Winos4.0 framework, adds DDoS capabilities and the ability to download additional modules.

Defending against TA4922 requires a multi-layered approach. Proofpoint recommends implementing application allowlisting, monitoring or preventing execution from temporary directories, and flagging unusual network traffic, particularly to ports like 1234 used by RomulusLoader. Applying the principle of least privilege can also limit the impact of a successful compromise. Furthermore, continuous employee training on recognizing and reporting sophisticated social engineering tactics, including the shift from email to messaging platforms like WhatsApp and Microsoft Teams, is crucial.
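Two of the recommendations above (flagging execution from temporary directories and outbound traffic to port 1234, plus a simple allowlist check) can be expressed as detection rules over endpoint telemetry. The script below is an added illustration, not code from Proofpoint or from the report: the JSON event format, the temporary-directory markers and the allowlist entries are constructed assumptions; only the port number 1234 comes from the page.

```python
import json
from pathlib import PureWindowsPath

# Port the report associates with RomulusLoader traffic.
SUSPECT_PORTS = {1234}

# Directories from which ordinary users rarely launch legitimate binaries.
# Assumed examples for Windows hosts, not values taken from the report.
TEMP_DIR_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
)

# Hypothetical application allowlist: normalized full paths of approved binaries.
# A real deployment would key on signer or hash, not path alone.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\explorer.exe",
    r"c:\program files\microsoft office\root\office16\outlook.exe",
}


def norm(path: str) -> str:
    """Normalize a Windows path for case-insensitive comparison."""
    return str(PureWindowsPath(path)).lower()


def runs_from_temp(image: str) -> bool:
    """True if the executable lives under a temporary or world-writable directory."""
    p = norm(image)
    return any(marker in p for marker in TEMP_DIR_MARKERS)


def not_allowlisted(image: str) -> bool:
    """True if the executable path is not on the allowlist."""
    return norm(image) not in ALLOWLIST


def suspicious_port(port: int) -> bool:
    """True if the destination port is one the report flags."""
    return port in SUSPECT_PORTS


def evaluate(event: dict) -> list:
    """Apply the three rules to a single event and return the findings."""
    findings = []
    kind = event.get("type")
    if kind == "process_create":
        image = event["image"]
        if runs_from_temp(image):
            findings.append("execution from temporary directory")
        if not_allowlisted(image):
            findings.append("binary not on application allowlist")
    elif kind == "network_connect":
        port = int(event["dst_port"])
        if suspicious_port(port):
            findings.append(f"outbound connection to port {port}")
    return findings


def scan(lines) -> list:
    """Scan newline-delimited JSON events and return only those that trigger a rule."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = evaluate(event)
        if findings:
            alerts.append({"host": event.get("host"), "findings": findings, "event": event})
    return alerts


# Constructed sample telemetry (hypothetical hosts and paths, JSON-escaped backslashes).
SAMPLE_LOG = r"""
{"type": "process_create", "host": "ws01", "image": "C:\\Windows\\System32\\svchost.exe"}
{"type": "process_create", "host": "ws01", "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\HR_Notice\\payroll_update.exe"}
{"type": "network_connect", "host": "ws01", "dst_ip": "203.0.113.10", "dst_port": 443}
{"type": "network_connect", "host": "ws01", "dst_ip": "203.0.113.10", "dst_port": 1234}
{"type": "process_create", "host": "ws02", "image": "C:\\Users\\bob\\Downloads\\notes.exe"}
"""

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG.splitlines()):
        print(alert["host"], "->", "; ".join(alert["findings"]))
```

Run against the constructed log, the second, fourth and fifth events produce alerts; the temporary-directory execution trips two rules at once, which is the kind of correlation worth prioritizing in triage.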

TA4922's blend of sophisticated social engineering, rapid malware development potentially augmented by AI, and the use of legitimate services to mask malicious activity makes them a formidable and evolving threat. Their global reach and financially motivated objectives underscore the need for organizations worldwide to remain vigilant and enhance their defensive postures against these persistent cybercrime operations.

Synthesized by Vypr AI