CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 04, 2026

Chinese Cybercrime Group in Spotlight for Record Campaign Pace

Security Week Archived Jun 04, 2026 ✓ Full text saved

Relying on social engineering, the hacking group engages in credential phishing, malware distribution, and fraud activities. The post Chinese Cybercrime Group in Spotlight for Record Campaign Pace appeared first on SecurityWeek .

Full text archived locally
✦ AI Summary · Claude Sonnet


    A Chinese-speaking cybercrime group tracked as TA4922 has been escalating activities and expanding to new geographies, Proofpoint reports. Relying on social engineering, the hacking group has been continually updating its arsenal, distributing multiple malware families and also engaging in credential phishing and fraud schemes such as credit card theft. While some of TA4922’s activities overlap with those of the threat actors tracked as Silver Fox and Void Arachne, the group does not appear to engage in espionage, unlike those clusters. “The campaigns attributed to TA4922 align more closely with cybercriminal objectives despite the actor’s advanced tradecraft,” Proofpoint says. The cybersecurity firm has been tracking TA4922 malicious email campaigns for over a year and believes that its focus is to obtain remote access to victim organizations for data theft, access resale, fraud, and other financially motivated activities. Using HR, payroll tax, and invoicing themes, the hacking group attempts to lure victims into clicking on malicious links to download malicious payloads or unwittingly share their credentials. Historically, the cybercrime gang has sent hundreds to a few thousand messages per campaign, tailored to specific regions or business functions, targeting organizations in Japan, Taiwan, Korea, Singapore, and India. Recently, the group also started targeting European organizations in the UK, Germany, and Italy, as well as entities in South Africa. TA4922 was also seen launching credential-phishing and imposter campaigns, looking to shift communication from email to out-of-band channels, including messaging platforms such as LINE, WhatsApp, or Microsoft Teams. “Once communication moves to those platforms, the actor is better positioned to extend social engineering, harvest contact information, or deliver malware beyond traditional email security visibility,” Proofpoint says. In March, the threat actor used HR lures in campaigns targeting organizations in Japan with the Atlas RAT backdoor and the RomulusLoader malware loader. In April, the group used HR lures and previous infrastructure in Atlas RAT attacks against organizations in the UK and Germany, but switched to customer service communications lures in another campaign. Multiple April campaigns attributed to TA4922 relied on RomulusLoader to install legitimate Remote Monitoring and Management (RMM) tools, including AnyDesk and SyncFuture. At the end of March, the group targeted UK organizations with the SilentRunLoader Python‑based loader and stealer to exfiltrate credentials, cookies, and browsing information from Google Chrome. In April, SilentRunLoader was used in attacks against entities in Southeast Asia and the UK. According to Proofpoint, the cybercrime gang has also been observed using the ValleyRAT (Winos4.0) backdoor and other malware families in attacks. “TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives. While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance which could be used by or sold to espionage groups,” Proofpoint notes. Related: Chinese APTs Expand Targets, Update Backdoors in Recent Campaigns Related: Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking Related: Alleged Chinese State Hacker Extradited to US Related: Chinese Hackers Caught Deep Within Telecom Backbone Infrastructure WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Organizations Warned of Exploited Linux Kernel Vulnerability ‘HTTP/2 Bomb’ Exploit Knocks Web Servers Offline in Seconds Critical Vulnerability in HP VoIP Phones Enables Enterprise Network Breaches Meta AI Hands Over High-Profile Instagram Accounts to Hackers Supply Chain Attack Hits 32 Red Hat NPM Packages Oracle’s First Monthly Patches Resolve 77 Vulnerabilities WP Maps Pro Vulnerability Exploited to Take Over WordPress Sites Dutch Police Dismantle Massive 17-Million-Device Botnet Latest News Over 1.4 Million Accounts Disrupted in Cybercrime Crackdown Cisco Warns of Available PoC for Critical Unified CM Vulnerability VS Code Vulnerability Allows One-Click GitHub Token Theft Coralogix Raises $200M at $1.6B Valuation to Scale AI Observability Platform Kirki, Burst Statistics WordPress Plugin Flaws in Attackers’ Crosshairs Security of 100 AI Agents Tested and Ranked – What You Need to Know Hackers Target Global Stock Exchange in Espionage Operation IMA Diligence Services Data Breach Impacts 525,000 People Trending Webinar: Third-Party Risk In Practice June 4, 2026 Organizations are investing heavily in third-party risk management, but breaches, delays, and blind spots continue to persist. Join this live webinar as we examine the gap between how organizations think their third-party risk programs are performing and what’s actually happening in practice. Register Virtual Roundtable: CISO Forum 2026 Mid-Year Review June 10, 2026 Explore how attackers are using AI to scale threats and how security teams can respond with AI-driven defenses. Protecting against unmonitored use of generative AI (Shadow AI) in business units and building and enforcing AI governance frameworks. Register People on the Move Jeff Lunglhofer becomes Chief Security Officer at Coinbase, replacing Philip Martin. Supriya Ahuja has been named Acting Deputy Chief Information Security Officer at DHS. Apiiro has appointed Wes Dobry as Field Chief Technology Officer. More People On The Move Expert Insights The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor) Raising The Cybersecurity Stakes: Ante Up For The Agentic Era CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael) Caught Off Guard: Securing AI After It Hits Production As enterprises rush AI projects into production, security teams are increasingly being forced into reactive mode. (Joshua Goldfarb) Cyber Resilience Is The New Business Continuity Plan The organizations best prepared to face disruption are those that align security, continuity and risk management around what the business cannot afford to lose. (Steve Durbin) Enhancing Data Center Security Without Sacrificing Performance For AI data centers, where the stakes are the highest and performance constraints are the tightest, security and performance are no longer a zero-sum game. (Nadir Izrael) Flipboard Reddit Whatsapp Email
    💬 Team Notes
    Article Info
    Source
    Security Week
    Category
    ◇ Industry News & Leadership
    Published
    Jun 04, 2026
    Archived
    Jun 04, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗