A Chinese-speaking cybercrime group tracked as TA4922 has been escalating activities and expanding to new geographies, Proofpoint reports.
Relying on social engineering, the hacking group has been continually updating its arsenal, distributing multiple malware families and also engaging in credential phishing and fraud schemes such as credit card theft.
While some of TA4922’s activities overlap with those of the threat actors tracked as Silver Fox and Void Arachne, the group does not appear to engage in espionage, unlike those clusters.
“The campaigns attributed to TA4922 align more closely with cybercriminal objectives despite the actor’s advanced tradecraft,” Proofpoint says.
The cybersecurity firm has been tracking TA4922's malicious email campaigns for over a year and assesses that the group's primary goal is remote access to victim organizations, which it monetizes through data theft, access resale, fraud, and other financially motivated activity.
Using HR, payroll tax, and invoicing themes, the group attempts to lure recipients into clicking malicious links that either download a payload or lead them to unwittingly hand over their credentials.
Historically, the cybercrime gang has sent hundreds to a few thousand messages per campaign, tailored to specific regions or business functions, targeting organizations in Japan, Taiwan, Korea, Singapore, and India.
Recently, the group also started targeting European organizations in the UK, Germany, and Italy, as well as entities in South Africa.
TA4922 was also seen launching credential-phishing and impostor campaigns that try to move the conversation from email to out-of-band channels, including messaging platforms such as LINE, WhatsApp, and Microsoft Teams.
“Once communication moves to those platforms, the actor is better positioned to extend social engineering, harvest contact information, or deliver malware beyond traditional email security visibility,” Proofpoint says.
In March, the threat actor used HR lures in campaigns targeting organizations in Japan with the Atlas RAT backdoor and the RomulusLoader malware loader.
In April, the group reused HR lures and earlier infrastructure in Atlas RAT attacks against organizations in the UK and Germany, but switched to customer service-themed lures in a separate campaign.
Multiple April campaigns attributed to TA4922 relied on RomulusLoader to install legitimate Remote Monitoring and Management (RMM) tools, including AnyDesk and SyncFuture, giving the actor hands-on remote access without dropping a custom backdoor.
At the end of March, the group targeted UK organizations with SilentRunLoader, a Python-based loader and stealer that exfiltrates credentials, cookies, and browsing data from Google Chrome. In April, SilentRunLoader was used in attacks against entities in Southeast Asia and the UK.
According to Proofpoint, the group has also been observed deploying the ValleyRAT (Winos4.0) backdoor and other malware families in its attacks.
“TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures, and multiple objectives. While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance which could be used by or sold to espionage groups,” Proofpoint notes.