Overview
- Proofpoint said Wednesday that TA4922 has sharply increased campaigns in Europe and South Africa after a long focus on East Asia, running more unique campaigns than any other cybercrime actor the vendor tracks.
- Researchers documented new tooling including Atlas RAT for remote control, RomulusLoader for process hollowing and loader activity, and SilentRunLoader, a Python stealer that targets Google Chrome credentials and cookies.
- Campaigns use highly localized lures that impersonate tax, payroll, HR and invoice communications and move victims from email to messaging apps such as WhatsApp, LINE and Microsoft Teams to continue social engineering.
- Operators abuse legitimate remote-management software like AnyDesk and SyncFuture and use techniques such as DLL sideloading and process hollowing to evade detection and maintain persistent access.
- Proofpoint published indicators of compromise and advises testing detection across email, EDR and RMM controls, training staff on administrative-themed lures, and watching for signs that stolen access or surveillance features could be sold to other groups.