A previously Asia-focused cybercrime group has significantly expanded its geographic reach and technical capabilities, according to new research from Proofpoint. The threat actor, tracked as TA4922, now targets organizations across Europe and Africa after historically concentrating on Japan, Taiwan, Korea, Singapore and India. Recent campaigns have reached the United Kingdom, Germany, Italy and South Africa, with carefully localized lures impersonating tax authorities, finance departments and human resources teams in the target's native language.
The group operates with unusual variety, running more distinct campaigns than any other cybercrime actor currently tracked by Proofpoint. TA4922 mixes malware delivery, credential phishing and direct fraud such as credit card theft across different operations. The actor attempts to move victims from email to messaging platforms including LINE, WhatsApp and Microsoft Teams, allowing social engineering to continue beyond the reach of email security controls. All campaigns appear financially motivated, focused on gaining remote access for data theft, fraud and reselling network access to other criminals.
TA4922's technical arsenal has evolved rapidly in recent months. Proofpoint identified a newly discovered backdoor called Atlas RAT, deployed alongside two fresh loader families the researchers named RomulusLoader and SilentRunLoader. The group also continues using established malware such as ValleyRAT, also known as Winos 4.0. Payloads are typically installed through DLL sideloading techniques and staged from consumer file-sharing services. RomulusLoader has been observed dropping legitimate remote management tools like AnyDesk to blend malicious activity with normal software. Proofpoint assessed with high confidence that TA4922 uses large language models to accelerate Python malware development, citing evidence such as unchanged placeholder keys left in the code.
While Proofpoint links TA4922 to the same broad ecosystem as the Silver Fox and Void Arachne clusters, which other researchers have connected to espionage activities, the company assesses it as a distinct, crime-focused group. However, the surveillance capabilities built into its malware, including audio recording, webcam capture and keylogging, could potentially be sold to or exploited by espionage actors. This dual-use potential adds another layer of risk for targeted organizations beyond immediate financial loss.
Proofpoint recommends several defensive measures to reduce exposure to TA4922 and similar threats. Organizations should enforce application allowlisting to prevent unauthorized software execution, actively monitor programs running from temporary user directories where malware often stages, and limit local administrator rights to restrict what attackers can accomplish after initial compromise. The company emphasized that the global nature of this actor demonstrates how organizations must remain vigilant against emerging threats regardless of their geographic location, as these groups can quickly scale their tactics to include new targets.
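As an added example that is not from Proofpoint or the article, the following Python turns the monitoring advice above into detection logic run over constructed process-creation and image-load events: execution from user temporary directories, a remote management tool such as AnyDesk launched outside its normal install location, and the DLL sideloading pattern of an unsigned DLL loaded from the same user-writable folder as its host executable. The event fields, directory list and sample paths are assumptions for this example.

```python
import re
from dataclasses import dataclass

# Directories treated as user staging locations; the exact list is an assumption.
USER_TEMP = re.compile(r"^C:\\Users\\[^\\]+\\(AppData\\Local\\Temp|Downloads)\\", re.I)
USER_WRITABLE = re.compile(r"^C:\\Users\\", re.I)
TRUSTED_DIRS = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.I)
REMOTE_TOOLS = {"anydesk.exe"}  # legitimate RMM the article says the loader drops

@dataclass
class Event:
    kind: str                   # "process" (creation) or "imageload" (DLL load)
    image: str                  # full path of the process executable
    loaded: str = ""            # DLL path, imageload events only
    loaded_signed: bool = True  # Authenticode status of that DLL

def _dir(path):
    return path.rsplit("\\", 1)[0].lower()

def classify(ev):
    """Return the detection names triggered by one event (empty list if none)."""
    findings = []
    exe = ev.image.rsplit("\\", 1)[-1].lower()
    if ev.kind == "process":
        if USER_TEMP.match(ev.image):
            findings.append("exec_from_user_temp")
        if exe in REMOTE_TOOLS and not TRUSTED_DIRS.match(ev.image):
            findings.append("remote_tool_outside_program_files")
    elif ev.kind == "imageload":
        # Sideloading heuristic: unsigned DLL loaded from the very directory
        # the executable runs from, and that directory is user-writable.
        if (not ev.loaded_signed and USER_WRITABLE.match(ev.loaded)
                and _dir(ev.loaded) == _dir(ev.image)):
            findings.append("possible_dll_sideload")
    return findings

def scan(events):
    """List of (image path, findings) for every event that triggered something."""
    return [(ev.image, f) for ev in events if (f := classify(ev))]

# Constructed sample telemetry; these are not indicators from the report.
SAMPLE = [
    Event("process", r"C:\Users\alice\AppData\Local\Temp\Invoice\update.exe"),
    Event("imageload", r"C:\Users\alice\AppData\Local\Temp\Invoice\update.exe",
          r"C:\Users\alice\AppData\Local\Temp\Invoice\helper.dll", loaded_signed=False),
    Event("process", r"C:\Users\alice\Downloads\AnyDesk.exe"),
    Event("process", r"C:\Program Files\AnyDesk\AnyDesk.exe"),
    Event("imageload", r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\ntdll.dll"),
]

if __name__ == "__main__":
    for image, hits in scan(SAMPLE):
        print(image, "->", ", ".join(hits))
```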
Source: https://www.infosecurity-magazine.com/news/ta4922-global-expansion/


