China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa

A new China-linked cybercrime group known as TA4922 has expanded its targeting focus to target European organizations in the U.K., Germany, Italy, and South Africa. These efforts have been complemented by a "rapid operational tempo" and a continually evolving malware arsenal comprising known families like ValleyRAT (aka Winos 4.0) and Atlas RAT (aka AtlasCross RAT), as well as previously

According to Proofpoint reporting summarized in this article, the suspected China-aligned cybercrime group TA4922 has expanded from primarily East Asian targets to organizations in the U.K., Germany, Italy, and South Africa, using localized phishing lures around tax, payroll, HR, and compliance themes to deliver malware such as ValleyRAT (Winos 4.0), Atlas RAT, RomulusLoader, and SilentRunLoader.[3][6] These campaigns focus on credential theft, remote access, data exfiltration, and fraud, and Proofpoint assesses that some of the newer Python-based malware, including SilentRunLoader, was likely developed with the assistance of large language models to accelerate tooling and enhance information-stealing capabilities.[1][3] From a CyberSE.AI perspective, this illustrates malicious AI use where LLMs are leveraged to improve malware development and phishing content, raising the bar for detection and response and increasing the need for continuous red-teaming of email, messaging, and endpoint defenses against AI-assisted phishing and loaders. Organizations should treat TA4922-style campaigns as a model threat: regularly test and harden their controls via Continuous AI Red Teaming and use