A China-linked cybercrime syndicate tracked as TA4922 is actively expanding its phishing campaigns to target organizations across multiple regions. New research finds that the financially motivated group, historically focused on East Asian networks, has now hit entities in Germany, Italy, South Africa, and the UK.
TA4922 is known to share overlapping tradecraft with the Silver Fox espionage group but primarily pursues financial objectives, including massive data theft, corporate fraud, and persistent network access and its resale.
In recent months, attackers breached enterprise perimeters by launching credential phishing campaigns using human resources, corporate taxation, and invoice-themed lures.[1]
During intrusions, TA4922 attempts to shift victim communications away from monitored email platforms onto out-of-band messaging channels like WhatsApp, LINE, and Microsoft Teams. The actor is also known to use DLL side-loading techniques to silently deploy remote access trojans like ValleyRAT and Atlas RAT, alongside tools such as RomulusLoader and SilentRunLoader.
Phishing lure impersonating UK government tax authority HMRC (Source: Proofpoint)
These advanced loaders drop secondary executables designed to harvest sensitive corporate data, specifically targeting Google Chrome to exfiltrate stored credentials, cookies, and browsing information.
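The two host-side behaviours described above, DLL side-loading from a user-writable directory and a non-browser process reading Chrome's credential and cookie stores, are the kind of activity endpoint telemetry can surface. The following is an added detection example, not code from the article or from any of the vendors cited; the event records, paths, and field names are constructed to loosely resemble Sysmon image-load and file-access events, and the writable-directory markers are a heuristic (a side-loaded DLL next to a legitimately signed vendor binary is the common case this rule is meant to catch, but signed vendor DLLs in those paths will also be flagged for review).

```python
import ntpath
from typing import Dict, List

# Constructed sample events (not real telemetry), loosely shaped like Sysmon
# image-load and file-access records. Paths and names are illustrative only.
SAMPLE_EVENTS = [
    {"event": "image_load", "image": r"C:\Users\alice\AppData\Local\Temp\Invoice_2024\Update.exe",
     "loaded": r"C:\Users\alice\AppData\Local\Temp\Invoice_2024\libcef.dll",
     "signature_status": "Unsigned", "signer": ""},
    {"event": "image_load", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll",
     "signature_status": "Valid", "signer": "Microsoft Windows"},
    {"event": "file_access", "image": r"C:\Users\alice\AppData\Local\Temp\Invoice_2024\Update.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"event": "file_access", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Cookies"},
]

# Heuristic: directories a standard user can write to (assumed list, extend per environment).
WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\", "\\users\\public\\")
# Chrome's on-disk credential, cookie and autofill databases.
CHROME_STORES = {"login data", "cookies", "web data"}

def in_writable_dir(path: str) -> bool:
    return any(m in path.lower() for m in WRITABLE_MARKERS)

def is_chrome_store(path: str) -> bool:
    p = path.lower()
    return "\\google\\chrome\\user data\\" in p and ntpath.basename(p) in CHROME_STORES

def detect_sideload(ev: Dict) -> bool:
    """Process and DLL sit in the same user-writable directory and the DLL is not Microsoft-signed."""
    same_dir = ntpath.dirname(ev["image"]).lower() == ntpath.dirname(ev["loaded"]).lower()
    ms_signed = ev["signature_status"] == "Valid" and ev["signer"].startswith("Microsoft")
    return same_dir and in_writable_dir(ev["loaded"]) and not ms_signed

def detect_chrome_theft(ev: Dict) -> bool:
    """A process other than chrome.exe opens one of Chrome's credential or cookie databases."""
    return is_chrome_store(ev["target"]) and ntpath.basename(ev["image"]).lower() != "chrome.exe"

def analyse(events: List[Dict]) -> List[Dict]:
    findings = []
    for ev in events:
        if ev["event"] == "image_load" and detect_sideload(ev):
            findings.append({"rule": "dll_sideload", "image": ev["image"], "artifact": ev["loaded"]})
        elif ev["event"] == "file_access" and detect_chrome_theft(ev):
            findings.append({"rule": "chrome_store_access", "image": ev["image"], "artifact": ev["target"]})
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        print(f"[{f['rule']}] {f['image']} -> {f['artifact']}")
```

Run against the constructed events, the Temp-resident Update.exe is flagged twice (once for the unsigned DLL beside it, once for opening Login Data) while the legitimate chrome.exe activity produces no findings.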
Researchers warn that although TA4922 prioritizes illicit financial gain, its capabilities facilitate deep network surveillance, creating risks that stolen access could be sold directly to espionage groups.
This article is shared at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com.
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/rt/14363376183548501
[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-23-7/