an arsenal of malware that speaks Chinese

European companies have lived for years with a reality that is hard to ignore: many digital threats are not born here, yet they still end up reaching their systems, their email and their internal documents. Sometimes they arrive loudly, other times as disguised messages. In this case, what we have seen is precisely that jump. Proofpoint claims that a Chinese-speaking cybercriminal actor, initially observed targeting mainly Asian organizations, has expanded its campaigns to the United Kingdom, Germany and Italy with an increasingly broad set of tools.

Identifying the problem. Proofpoint tracks the actor as TA4922 and links it to the Chinese-speaking cybercriminal ecosystem through several indications: Chinese-language metadata within malware samples, frequent use of infrastructure associated with Chinese providers, and overlaps with campaigns such as Silver Fox or Void Arachne. Even so, the company separates this group from those labels and analyzes it as a threat in its own right, most likely financially motivated.

Europe enters the map. Researchers began observing campaigns associated with TA4922 in spring 2025, but the change in scale came later. The group’s activity increased notably in March 2026 and kept a high pace in April, with a level of operational diversity that Proofpoint had not previously seen in its data on this actor. During this period, campaigns appeared aimed at organizations in the United Kingdom, Germany and Italy, as well as South Africa, as part of a broader global expansion, a sign that the group is no longer limited to its usual targets in Asia.

The hook is in the everyday. The entry point is not always a spectacular vulnerability, but rather a message well adapted to the recipient’s context. Proofpoint describes localized lures that imitate human resources communications, payroll notices, tax audits, VAT returns, invoices or regulatory compliance requirements. In some cases the attempt does not stop at email: the actor also tries to move the conversation to WhatsApp, LINE or Microsoft Teams, channels where it can continue the social engineering away from the usual visibility of corporate email.

The toolbox grows. Proofpoint notes that TA4922 has notably expanded its arsenal in recent months, which fits with the increase in activity seen in March and April 2026. The report mentions several pieces: Atlas RAT, a remote access backdoor recently identified by researchers; RomulusLoader, a loader designed to download and execute further payloads; SilentRunLoader, aimed at stealing data from Chrome; and ValleyRAT/Winos4.0, an already documented family.

Atlas RAT. This malware can collect system information, list and upload files to the command and control server, load additional plugins or modules, and execute new payloads. It also incorporates surveillance functions such as keylogging, screenshots, clipboard access, and audio or video recording via microphone and webcam. Proofpoint keeps the nuance: it assesses the actor as financially motivated, but warns that these capabilities could be used by, or sold to, espionage groups.

Legitimate tools, malicious use. Part of the problem is that TA4922 does not rely solely on recognizable malware. Proofpoint describes the use of RomulusLoader to install remote administration software such as AnyDesk and SyncFuture, tools that may have legitimate uses within an organization but in this context serve to extend control over the affected environment. SilentRunLoader completes the picture from another angle: it hunts for sensitive Chrome data, including credentials, cookies and browsing history. Additionally, Proofpoint assesses with high confidence that the group is likely using LLMs to accelerate the development of new Python-based malware.

The warning for Europe. Proofpoint describes an actor capable of moving fast, tailoring messages to each country, and combining malicious payloads with legitimate services, cloud hosting and remote administration tools. That forces defenders to look beyond the obviously suspicious email. The company’s recommendations go along these lines: control what is executed and from where, monitor anomalous connections, reduce local privileges and restrict the software that is allowed to run. The threat is not presented as confirmed espionage, but as a very real business risk.
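As an added illustration of the first recommendation (control what is executed and from where), not code from Proofpoint or the article, the following Python triage routine flags process-creation events in which the remote administration tools named above, or a Python interpreter, start from a user-writable directory or are spawned by a script host. The tool names come from the article; the list of user-writable paths and the sample telemetry are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

# Tool names come from the article; which paths count as "user-writable" is an
# assumption about a typical Windows estate where IT installs software under Program Files.
REMOTE_ADMIN_TOOLS = {"anydesk.exe", "syncfuture.exe"}
SCRIPT_HOSTS = {"python.exe", "pythonw.exe"}
USER_WRITABLE = re.compile(
    r"^c:\\(users\\[^\\]+\\(appdata|downloads)|programdata|windows\\temp)\\",
    re.IGNORECASE,
)

@dataclass
class Event:
    host: str
    image: str         # full path of the binary that was started
    parent_image: str  # full path of the process that started it

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (host, reason) findings for events that break the allow-list policy."""
    findings = []
    for ev in events:
        name, parent = _basename(ev.image), _basename(ev.parent_image)
        from_user_path = bool(USER_WRITABLE.search(ev.image))
        if name in REMOTE_ADMIN_TOOLS and from_user_path:
            findings.append((ev.host, f"{name} started from user-writable path"))
        elif name in REMOTE_ADMIN_TOOLS and parent in SCRIPT_HOSTS:
            findings.append((ev.host, f"{name} spawned by {parent}"))
        elif name in SCRIPT_HOSTS and from_user_path:
            findings.append((ev.host, f"{name} interpreter running from user-writable path"))
    return findings

# Constructed sample telemetry for the example, not real events from the report.
SAMPLE_EVENTS = [
    Event("WS01", r"C:\Program Files\AnyDesk\AnyDesk.exe", r"C:\Windows\explorer.exe"),
    Event("WS02", r"C:\Users\bob\AppData\Local\Temp\python.exe", r"C:\Windows\System32\wscript.exe"),
    Event("WS02", r"C:\Users\bob\AppData\Local\Temp\AnyDesk.exe", r"C:\Users\bob\AppData\Local\Temp\python.exe"),
    Event("WS03", r"C:\Program Files\AnyDesk\AnyDesk.exe", r"C:\Python311\python.exe"),
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_EVENTS):
        print(host, reason)
```

The first sample event (an IT-installed AnyDesk launched from Explorer) produces no finding, which is the point: the policy flags the location and the parent, not the tool itself.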

Images | DC Studio
