CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 05, 2026

China's TA4922 Expands Cybercrime Attacks Globally

Dark Reading Archived Jun 05, 2026 ✓ Full text saved

One of the world's most diverse, least-focused cybercrime groups is enlarging its footprint beyond East Asia.

Full text archived locally
✦ AI Summary · Claude Sonnet


    THREAT INTELLIGENCE CYBERATTACKS & DATA BREACHES VULNERABILITIES & THREATS CYBER RISK NEWS China's TA4922 Expands Cybercrime Attacks Globally One of the world's most diverse, least-focused cybercrime groups is enlarging its footprint beyond East Asia. Nate Nelson,Contributing Writer June 4, 2026 4 Min Read SOURCE: FILO VIA GETTY IMAGES A Chinese cybercrime operation has expanded significantly, targeting far more countries with an even wider variety of tactics, techniques, and procedures (TTPs) than just about any other active threat group. TA4922 first showed up on Proofpoint's radar in the spring of 2025. For the first year of its observed operations, it was more focused and straightforward. It targeted Japanese organizations with tax-themed phishing emails, or impersonations of real employees. It sometimes tried to get targets to communicate outside of their normal work emails, and used ValleyRAT to gain remote access to their systems. In the past two months, though, its operational tempo increased dramatically. It's now targeting a wide variety of countries, using a significantly broader array of tactics and techniques than is typical of threat actors. In a blog post this week, Proofpoint called TA4922 "one of the most unique actors" it tracks. Related:China Uses Dual-Method Cyberattack on Czech Orgs TA4922's Global Phishing Campaigns Though a plurality of its activity still concentrates in Japan, TA4922 has also been targeting plenty of organizations around East Asia — Taiwan, South Korea, Singapore, Malaysia, Indonesia — and Europe, including the UK, Germany, and Italy. South Africa's also been caught up in the mix, thanks to the group's indiscrimination. That list might seem scattered, but TA4922 is diligent wherever it's operating in the world, always writing lure emails in languages and dialects designed to fit local norms. Those emails typically impersonate business and finance entities — finance departments, tax authorities, human resources teams — or targets' close colleagues, with classic, finance-oriented bait like taxes and invoicing. "TA4922 uses thousands of unique disposable sender addresses in their campaigns, often using Outlook, Hotmail, or Gmail. The addresses follow a pattern which suggests structured account generation through these platforms resulting in delivery success by avoiding reputation-based blocking," Proofpoint's researchers note. Oftentimes TA4922 will only use email for introductions, encouraging victims to communicate on less tightly monitored platforms like Microsoft Teams or WhatsApp. What happens after the initial point of contact can vary. Diverse Attack Chains Sometimes TA4922 sends malicious links to malware hosted on file sharing services, other times it attaches archive files. Sometimes the malware is packaged as a simple executable, other times the attack chain relies on dynamic link library (DLL) sideloading to get the bad stuff in. Sometimes there's no malware at all, and victims are instead directed to credential phishing pages. Related:Patch Now: Another Palo Alto Auth Bypass Bug Under Active Exploit If it is malware, it's anyone's guess which. TA4922 might use a remote access Trojan (RAT), like ValleyRAT or Atlas RAT, to access targeted systems, or legitimate remote monitoring and management (RMM) software, like AnyDesk. In the latter case, it'll use a loader called RomulusLoader to bring the RMM onto the host system. But it also uses a loader called SilentRunLoader, and SilentRunLoader itself doubles as a Google Chrome stealer. The Proofpoint researchers point out that across its various tools, "TA4922's delivery of payloads are often not immediately identifiable at the time of initial discovery. Their malicious payloads often require additional analysis from our malware analysts to confirm their malware families such as Atlas RAT and other variants in the broader ValleyRAT ecosystem. The consistent use of modified tooling suggests an intentional effort to complicate analysis and operate outside of normal malware classification." TA4922, Silver Fox Cross the Line There remain a couple of points of confusion around TA4922, about both its tactics and its identity. Atlas RAT was first described by Hexastrike researchers in March, when TA4922 was ramping up its malicious activity. However, it was attributed to Silver Fox, a Chinese state-associated threat actor, which threat researchers have suggested crosses the line between espionage and cybercrime. That a possibly Chinese Communist Party (CCP)-aligned actor would cross over into financially motivated crime was confusing enough in the first place; now researchers at Proofpoint have highlighted a variety of overlaps between Silver Fox and TA4922, not just in the malware they use, but also their infrastructure and social engineering techniques. All of this has created some nuisance in distinguishing these clusters of activity. Related:'The Com' Cyberattacks Support Violence & Sexploitation Then there's the question of why exactly TA4922 works the way it does. Presumably there's some logic to which attack types, lures, and specific combinations of malware it uses against any given victim. Proofpoint's researchers admit that "we haven't identified a pattern that predicts or is indicative of which malware family the actor will deploy in any given campaign." "TA4922 demonstrates that the 'jack of all trades' model can be effective when there is a single goal in mind," the research team concludes. "[It] allows them to adapt to organizational defenses, which makes them more resilient than groups who operate with a singular specialty." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and award-winning scriptwriter. In addition to Dark Reading he writes for Darknet Diaries, the most popular show in cybersecurity across all media. He began his career as a freelancer, ghostwriting Forbes and CNBC op-eds for executives in tech and finance. Then he transitioned to journalism at Threatpost, where he covered cybersecurity news and trends. Throughout those years he co-created a cybersecurity podcast, Malicious Life, which in its day climbed into the Top 20 technology podcasts charts on Apple Podcasts and Spotify. He holds degrees from New York University and Bard College. As a born and bred New Yorker, he enjoys a superiority complex, but is polite enough to keep it to himself. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar AI-Powered Credential Security: Intelligence Without Exposure More Webinars You May Also Like THREAT INTELLIGENCE Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish by Jai Vijayan MAR 17, 2026 THREAT INTELLIGENCE Iran's Cyber-Kinetic War Doctrine Takes Shape by Alexander Culafi MAR 06, 2026 THREAT INTELLIGENCE React2Shell Exploits Flood the Internet as Attacks Continue by Rob Wright DEC 12, 2025 THREAT INTELLIGENCE Chinese Gov't Fronts Trick the West to Obtain Cyber Tech by Nate Nelson, Contributing Writer OCT 06, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST AI-Powered Credential Security: Intelligence Without Exposure WED, JUNE 17, 2026, AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 05, 2026
    Archived
    Jun 05, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗