TA4922: The Suspected Chinese Crime Group is Going Global
· Published 03/06/2026 14:55 · Modified 04/06/2026 08:40
Essential information
- Published: 03/06/2026 14:55
- Modified: 04/06/2026 08:40
- Source / Author: AlienVault
- Confidence: 100/100
- Report type(s): threat-report
- Labels / Tags: atlas rat romulusloader silentrunloader ta4922 valleyrat
- Tags: 2026-06-03 atlas rat romulusloader silentrunloader ta4922 valleyrat
- Related entities: 23 indicators, 23 observables, 1 intrusion set (APT), 23 techniques (MITRE), 8 malware, 13 others
Description
TA4922 is a highly sophisticated Chinese-speaking threat actor demonstrating rapid operational tempo and continually evolving malware capabilities. Initially targeting East Asia, particularly Japan, the group has expanded globally to Europe and Africa. The actor deploys multiple malware families including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0), alongside legitimate remote management tools like AnyDesk and SyncFuture. Campaigns use localized lures themed around HR, payroll, tax, and invoicing, targeting hundreds to thousands of recipients per campaign. TA4922 conducts credential phishing, fraud operations including credit card theft, and attempts to shift communications to out-of-band channels like LINE, WhatsApp, and Microsoft Teams. The group leverages legitimate cloud hosting services and trusted software for delivery and persistence, combining advanced tradecraft with financially motivated objectives such as data theft, fraud, access resale, and persistent remote access.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Indicators (23)
Observables (23)
Intrusion sets (APT) (1)
Techniques (MITRE) (23)
- Malicious Link
- Dynamic-link Library Injection
- Process Injection
- Non-Standard Port
- Process Hollowing
- Keylogging
- Phishing
- Video Capture
- Malicious File
- Thread Execution Hijacking
- Spearphishing Attachment
- Data from Local System
- Obfuscated Files or Information
- Spearphishing via Service
- Ingress Tool Transfer
- Phishing for Information
- Spearphishing Link
- Automated Collection
- Symmetric Cryptography
- Deobfuscate/Decode Files or Information
- Screen Capture
- Exfiltration Over C2 Channel
Malware (8)
Others (13)
- Taiwan
- India
- British Indian Ocean Territory
- South Africa
- Japan
- United Kingdom of Great Britain and Northern Ireland
- Germany
- Malaysia
- Singapore
- Indonesia
- Italy
- nwphotoblog.com
- ws.ztts88.cyou