2 Remove Virus

Chinese-speaking hackers expand into Europe with new Atlas RAT malware

A Chinese-speaking cybercrime group has expanded its operations into Europe, deploying a previously undocumented malware loader alongside the Atlas remote access trojan (RAT) in campaigns targeting organizations across multiple countries, according to security researchers.

The activity has been attributed to a threat actor tracked as TA4922, a financially motivated group known for conducting intrusions aimed at fraud, data theft, and the sale of network access. Researchers say the group has historically focused on targets in Asia but has recently shifted part of its attention toward Europe.

According to researchers at ThreatLocker, TA4922 has been targeting organizations in Germany, Italy, the United Kingdom, and other regions through phishing campaigns that deliver malware disguised as legitimate files. Once executed, the malware establishes a foothold on the victim’s system and downloads additional payloads, including the Atlas RAT backdoor.

Atlas RAT provides attackers with extensive control over infected devices. The malware can execute commands, manage files, gather system information, and maintain persistent access to compromised systems. Such capabilities allow threat actors to conduct reconnaissance, steal sensitive data, and potentially deploy additional malware after the initial compromise.

Researchers also identified a previously undocumented malware component used in the attacks. The new loader is designed to evade detection while delivering Atlas RAT and other malicious payloads. By separating the infection process into multiple stages, attackers can make analysis more difficult and reduce the likelihood of security products detecting the full attack chain.

Threat intelligence analysts noted that TA4922 operates at a high tempo, launching numerous campaigns and frequently modifying its tooling. The group’s infrastructure and malware arsenal have evolved over time, allowing it to target a broad range of organizations while adapting to security controls and detection efforts.

The expansion into Europe reflects a wider trend in which cybercriminal groups increasingly operate across geographic boundaries rather than focusing on a single region. Researchers believe TA4922’s recent campaigns are financially motivated rather than linked to traditional state-sponsored cyber espionage operations.
