
TA4922, a Chinese-speaking cybercrime group, has broadened its activity beyond East Asia and is now attacking organisations in Europe, Asia and Africa. The group uses social engineering to lure victims into conversations on messaging apps such as LINE or WhatsApp, where it delivers custom loaders and remote access tools. The shift signals a financially motivated threat with global reach that could affect supply chains and corporate data worldwide.
TA4922 uses RomulusLoader to pose as a legitimate program and drop further malware, while SilentRunLoader runs in the background and pulls saved passwords and cookie data from browsers. The group also relies on Atlas RAT, a backdoor that gives operators full remote control for surveillance and data theft. According to recent analysis, the group has also modified the Winos4.0 framework by inserting large amounts of junk code to hinder signature-based detection.
The attackers typically start with spear-phishing emails that mimic finance or HR communications, then prompt victims to continue the conversation on platforms such as LINE or WhatsApp, where corporate email gateways and monitoring do not reach. Once trust is established, they send malicious links or files that install the loaders described above, and they have begun using AI-assisted tools to produce new variants quickly. Alongside espionage-style data gathering, TA4922 focuses on credit card theft and fraudulent transactions, monetising access through underground markets.
Proofpoint first observed the group's expanded activity in early June 2026, according to Dark Reading, with incidents reported in Taiwan, South Korea, several European nations and South Africa. The operation shows clear financial motives, and there is no indication that TA4922 is engaged in state-sponsored espionage. The campaign's pace has increased over the past year, reflecting a deliberate shift to a global footprint.
Security analysts warn that the group's use of trusted messaging apps and code obfuscation undermines traditional email gateway and antivirus controls. Because the group switches bait themes and rotates infrastructure, static indicators of compromise such as file hashes and domains go stale quickly. Organisations therefore need behaviour-based monitoring and strict application controls to stay ahead of the threat, as advised by InfoSec Magazine.
Enterprises should enforce application allowlisting so that only approved executables can run, which blocks loaders like RomulusLoader and SilentRunLoader from launching in the first place. Because these loaders pose as legitimate programs, rules should key on publisher signature or file hash rather than on file name or path alone. Network teams ought to monitor for unusual traffic to messaging platforms; note that file transfers over WhatsApp and LINE are end-to-end encrypted, so payload inspection has to happen on the endpoint once the file is downloaded rather than in transit. User awareness programmes need to stress the danger of moving business conversations to unofficial chat apps and encourage reporting of suspicious messages.
Finally, endpoint solutions should be kept current and complemented with behavioural analytics that flag a non-browser process reading browser credential or cookie stores, especially when the same process then opens an unexpected outbound connection.
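The following is an added example, not code from the article or from any vendor product, of the behavioural rule described above: it scans a batch of endpoint file-access and network telemetry for processes other than the installed browsers that read browser credential stores, and raises the severity when the same process also made an outbound connection. The JSON-lines event schema (fields type, host, pid, image, target, dest), the allowlisted browser paths and the sample events are all constructed for this illustration.

```python
"""Flag non-browser processes that read browser credential stores.

Added example. The telemetry format below is an assumed, constructed
JSON-lines schema, not a real EDR product's schema.
"""
import json
import ntpath  # Windows path handling regardless of the host OS
from dataclasses import dataclass

# Files where Chromium-family browsers and Firefox keep saved logins,
# cookies and the key material that protects them.
CREDENTIAL_STORE_FILES = {
    "login data", "login data for account", "cookies", "web data", "local state",
    "logins.json", "key4.db", "cookies.sqlite",
}

# Full, lower-cased paths of browsers allowed to touch their own stores.
# Matching on the full path rather than the file name means a loader posing
# as chrome.exe from %TEMP% still trips the rule. Hypothetical install paths.
BROWSER_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
    r"c:\program files (x86)\microsoft\edge\application\msedge.exe",
    r"c:\program files\mozilla firefox\firefox.exe",
}


@dataclass(frozen=True)
class Alert:
    host: str
    pid: int
    image: str
    target: str
    severity: str
    reason: str


def is_credential_store(path: str) -> bool:
    """True if path is a credential/cookie store inside a browser profile."""
    p = path.lower().replace("/", "\\")
    if "\\user data\\" not in p and "\\mozilla\\firefox\\profiles\\" not in p:
        return False
    return ntpath.basename(p) in CREDENTIAL_STORE_FILES


def detect(lines):
    """Return one Alert per (host, pid) whose non-browser image read a
    credential store; severity is raised if that process also connected out."""
    reads = {}         # (host, pid) -> first offending file_read event
    connected = set()  # (host, pid) seen making an outbound connection
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue  # malformed telemetry is skipped, never trusted
        key = (ev.get("host"), ev.get("pid"))
        if ev.get("type") == "net_connect":
            connected.add(key)
        elif ev.get("type") == "file_read":
            image = ev.get("image", "").lower().replace("/", "\\")
            if image in BROWSER_IMAGES:
                continue  # the browser reading its own profile is normal
            if is_credential_store(ev.get("target", "")):
                reads.setdefault(key, ev)
    alerts = []
    for key, ev in reads.items():
        exfil = key in connected
        alerts.append(Alert(
            host=ev["host"], pid=ev["pid"], image=ev["image"], target=ev["target"],
            severity="high" if exfil else "medium",
            reason=("credential store read and outbound connection from same process"
                    if exfil else "credential store read by non-browser process"),
        ))
    return alerts


# Constructed sample telemetry: one legitimate Chrome read, one spoofed
# chrome.exe in %TEMP% that reads Login Data and then connects out, one
# Firefox key4.db read by an unknown binary, one benign read, one bad line.
SAMPLE_TELEMETRY = r"""
{"type":"file_read","host":"WS01","pid":4120,"image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"file_read","host":"WS01","pid":5532,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\chrome.exe","target":"C:\\Users\\alice\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data"}
{"type":"net_connect","host":"WS01","pid":5532,"image":"C:\\Users\\alice\\AppData\\Local\\Temp\\chrome.exe","dest":"203.0.113.7:443"}
{"type":"file_read","host":"WS02","pid":7740,"image":"C:\\Users\\Public\\update.exe","target":"C:\\Users\\bob\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\x1.default\\key4.db"}
{"type":"file_read","host":"WS02","pid":7741,"image":"C:\\Users\\Public\\update.exe","target":"C:\\Users\\bob\\Documents\\notes.txt"}
not json at all
""".strip().splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_TELEMETRY):
        print(f"[{a.severity}] {a.host} pid={a.pid} {a.image} -> {a.target}: {a.reason}")
```

Expect noise from password managers, backup agents and browser updaters, which also open these files; tune by adding their signed images to the allowlist rather than by matching on file name. On Windows, Chromium encrypts the stored secrets with DPAPI, so a stealer that reads these files must also call CryptUnprotectData, which gives a second, independent detection hook.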