top of page

China-Linked TA4922 Hackers Deploy SilentRunLoader Malware Against UK and European Targets

  • Jun 3
  • 2 min read

Key Findings


  • TA4922, a suspected China-aligned cybercrime group, has expanded operations from East Asia to target organisations in the UK, Germany, Italy, and South Africa

  • The group uses locally-tailored phishing emails impersonating tax authorities, benefits services, and government agencies to increase open rates

  • SilentRunLoader, a new Python-based malware likely developed with LLM assistance, steals Chrome credentials, cookies, and browsing data

  • TA4922 employs a diverse toolkit including ValleyRAT, Atlas RAT, RomulusLoader, and legitimate remote management tools like AnyDesk

  • The group appears financially motivated, targeting data theft, credential harvesting, fraud, and persistent network access


Background


TA4922 has historically focused on organisations across East Asia, including Japan, Taiwan, Korea, Singapore, and India. Proofpoint researchers now assess that the group is deliberately testing a wider victim pool by launching campaigns against European and African targets. This geographic expansion represents a notable shift in the group's operational scope and suggests they are scaling up their activities beyond their traditional hunting grounds.


Targeting UK Organisations


The campaigns against UK organisations employ convincing social engineering tailored to local business processes. Phishing emails impersonate Her Majesty's Revenue and Customs with references to VAT filings and payroll tax documents. Other messages use benefits and compliance-themed language copied from government and universal benefits services. The specificity of these lures, grounded in routine administrative tasks that employees regularly handle, significantly increases the likelihood of recipients opening files or clicking links. The tax-themed campaigns have delivered malware through MediaFire links embedded in emails.


Expanded Malware Arsenal


TA4922's toolkit has grown to include multiple specialized malware variants. ValleyRAT and Winos4.0 provide remote access capabilities, while RomulusLoader functions as a payload delivery mechanism. Atlas RAT offers additional remote access options. SilentRunLoader represents the newest and most notable addition, designed specifically to harvest Chrome browser data including stored credentials, cookies, and browsing history before exfiltrating the information to attacker infrastructure.


AI-Assisted Malware Development


Proofpoint assessed with high confidence that TA4922's newer Python malware was developed with assistance from large language models. Evidence includes unchanged placeholder values, generic code comments, and suspicious strings throughout the malware. This reliance on AI tools suggests the group is prioritizing speed of development over operational security, potentially allowing defenders to identify and analyse new variants more quickly.


Operational Tradecraft


TA4922 employs several techniques to evade detection and establish persistence. DLL sideloading allows malicious files to execute when legitimate applications load them, making the activity appear as normal system operations during routine scans. The group also abuses legitimate remote management software such as AnyDesk and SyncFuture after initial compromise, allowing continued system control while maintaining lower detection profiles. This mixture of custom malware and legitimate tools creates a layered approach to both initial access and persistence.


Financial Motivation


Analysis indicates TA4922 operates as a financially motivated cybercrime group rather than a state-sponsored espionage outfit, despite some tool similarities with espionage campaigns. The group's activities target remote access, credential theft, fraud facilitation, access resale, and persistent network presence. This classification places TA4922 alongside a growing number of internationally active groups combining traditional malware, phishing, trusted services, and AI-assisted development into cohesive attack campaigns.


Sources


  • https://hackread.com/china-ta4922-hackers-uk-europe-silentrunloader-malware/

  • https://x.com/VivekIntel/status/2062174943639699651

  • https://www.socdefenders.ai/item/dac5c081-651a-4d3a-adc3-4813efc1020f

  • https://news.backbox.org/2026/06/03/china-linked-ta4922-hackers-target-uk-europe-with-new-silentrunloader-malware

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page