


Perceptive Security
SOC/SIEM Consultancy

Chinese hackers use new Atlas RAT malware in European cyberattacks
Published:
3 June 2026 at 21:45:27
Alert date:
3 June 2026 at 22:00:35
Source:
bleepingcomputer.com
Ransomware & Malware, Data Breach & Exfiltration, Email & Messaging
A Chinese-speaking cybercrime group has expanded its operations to target European organizations using previously undocumented malware, including the Atlas backdoor. The campaign marks a significant escalation in the group's geographic scope and capabilities. Atlas RAT appears to be a newly developed remote access trojan built specifically for these operations against European targets. The campaign represents an active threat to European organizations from sophisticated Chinese threat actors, and the use of new, undocumented malware indicates that the group's tactics and tooling continue to evolve.
Technical details
TA4922, a Chinese-speaking cybercrime group, has deployed the previously undocumented Atlas RAT and expanded its targeting from East Asia to European countries including Germany, Italy and the United Kingdom, as well as South Africa. Atlas RAT provides system reconnaissance, file theft, plugin download, keylogging, screenshot capture, audio and webcam recording, and system shutdown capabilities. The malware includes anti-sandbox checks for Microsoft Defender Application Guard, the CExecSvc service, and the OS UUID. Additional tooling includes RomulusLoader (which uses process hollowing and shellcode injection), SilentRunLoader (a Python-based Chrome credential stealer), and Winos4.0/ValleyRAT. Attacks use localized phishing lures mimicking payroll notices, tax audits, VAT filings, government notices, and HR communications, delivered via WhatsApp, LINE messenger, and Microsoft Teams. Placeholder values and code patterns in the malware suggest that LLMs may have been used in its development.
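As an added hunting example (not from the article or from Proofpoint's report): Python logic that flags a parent process issuing two or more of the sandbox-evasion probes named above within a short window, run over constructed Sysmon-style process-creation events. The command lines used (sc.exe, wmic.exe and PowerShell queries) are assumed ways of performing those checks, not the observed behaviour of Atlas RAT.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events: (timestamp, parent PID, command line).
# Not IOCs from the report; the command lines are one assumed way a process could
# perform the Application Guard, CExecSvc and OS UUID checks the summary names.
SAMPLE_EVENTS = [
    ("2026-06-03T10:00:01", 4120, "sc.exe query CExecSvc"),
    ("2026-06-03T10:00:02", 4120, "wmic.exe csproduct get uuid"),
    ("2026-06-03T10:00:03", 4120, "powershell.exe Get-WindowsOptionalFeature -Online "
                                  "-FeatureName Windows-Defender-ApplicationGuard"),
    ("2026-06-03T10:05:00", 7788, "wmic.exe csproduct get uuid"),  # lone inventory query, benign
    ("2026-06-03T11:30:00", 9001, "sc.exe query Spooler"),          # unrelated service query
]

# One case-insensitive pattern per probe category, matched against the command line.
PROBES = {
    "cexecsvc_service": re.compile(r"\bCExecSvc\b", re.I),
    "os_uuid": re.compile(r"csproduct\s+get\s+uuid|Win32_ComputerSystemProduct", re.I),
    "app_guard": re.compile(r"ApplicationGuard", re.I),
}

def find_sandbox_probe_clusters(events, window=timedelta(minutes=2), min_probes=2):
    """Return {parent_pid: sorted probe names} for every parent process that issued
    at least `min_probes` distinct probe categories within `window` of each other."""
    by_parent = defaultdict(list)
    for ts, ppid, cmd in events:
        hits = {name for name, rx in PROBES.items() if rx.search(cmd)}
        if hits:
            by_parent[ppid].append((datetime.fromisoformat(ts), hits))
    flagged = {}
    for ppid, rows in by_parent.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _) in enumerate(rows):          # slide a window from each probe
            seen = set()
            for t, hits in rows[i:]:
                if t - t0 > window:
                    break
                seen |= hits
            if len(seen) >= min_probes:
                flagged[ppid] = sorted(seen)
                break
    return flagged

if __name__ == "__main__":
    for ppid, probes in find_sandbox_probe_clusters(SAMPLE_EVENTS).items():
        print(f"parent PID {ppid}: sandbox-evasion probes {probes}")
```

Tune `window` and `min_probes` to the environment; a single UUID query is routine inventory activity, which is why the sample only flags the parent that chains several probes.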
Mitigation steps:
Monitor for the indicators of compromise provided in Proofpoint's report covering the malware and command-and-control infrastructure used in TA4922 attacks. Be vigilant for localized phishing emails impersonating government services, payroll notices, tax documents, and HR communications. Watch for suspicious contact attempts via WhatsApp, LINE, and Microsoft Teams.
Affected products:
Google Chrome
AnyDesk
SyncFuture
Microsoft Teams
WhatsApp
LINE messenger
Related links:
https://www.bleepingcomputer.com/news/security/hackers-increasingly-use-winos40-post-exploitation-kit-in-attacks/
https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
