China-Linked TA4922 Hackers Deploy SilentRunLoader Malware Against UK and European Targets
- Jun 3
- 2 min read
Key Findings
TA4922, a suspected China-aligned cybercrime group, has expanded operations from East Asia to target organisations in the UK, Germany, Italy, and South Africa
The group uses locally-tailored phishing emails impersonating tax authorities, benefits services, and government agencies to increase open rates
SilentRunLoader, a new Python-based malware likely developed with LLM assistance, steals Chrome credentials, cookies, and browsing data
TA4922 employs a diverse toolkit including ValleyRAT, Atlas RAT, RomulusLoader, and legitimate remote management tools like AnyDesk
The group appears financially motivated, targeting data theft, credential harvesting, fraud, and persistent network access
Background
TA4922 has historically focused on organisations across East Asia, including Japan, Taiwan, Korea, Singapore, and India. Proofpoint researchers now assess that the group is deliberately testing a wider victim pool by launching campaigns against European and African targets. This geographic expansion represents a notable shift in the group's operational scope and suggests they are scaling up their activities beyond their traditional hunting grounds.
Targeting UK Organisations
The campaigns against UK organisations employ convincing social engineering tailored to local business processes. Phishing emails impersonate Her Majesty's Revenue and Customs with references to VAT filings and payroll tax documents. Other messages use benefits and compliance-themed language copied from government and universal benefits services. The specificity of these lures, grounded in routine administrative tasks that employees regularly handle, significantly increases the likelihood of recipients opening files or clicking links. The tax-themed campaigns have delivered malware through MediaFire links embedded in emails.
Expanded Malware Arsenal
TA4922's toolkit has grown to include multiple specialized malware variants. ValleyRAT and Winos4.0 provide remote access capabilities, while RomulusLoader functions as a payload delivery mechanism. Atlas RAT offers additional remote access options. SilentRunLoader represents the newest and most notable addition, designed specifically to harvest Chrome browser data including stored credentials, cookies, and browsing history before exfiltrating the information to attacker infrastructure.
AI-Assisted Malware Development
Proofpoint assessed with high confidence that TA4922's newer Python malware was developed with assistance from large language models. Evidence includes unchanged placeholder values, generic code comments, and suspicious strings throughout the malware. This reliance on AI tools suggests the group is prioritizing speed of development over operational security, potentially allowing defenders to identify and analyse new variants more quickly.
Operational Tradecraft
TA4922 employs several techniques to evade detection and establish persistence. DLL sideloading allows malicious files to execute when legitimate applications load them, making the activity appear as normal system operations during routine scans. The group also abuses legitimate remote management software such as AnyDesk and SyncFuture after initial compromise, allowing continued system control while maintaining lower detection profiles. This mixture of custom malware and legitimate tools creates a layered approach to both initial access and persistence.
Financial Motivation
Analysis indicates TA4922 operates as a financially motivated cybercrime group rather than a state-sponsored espionage outfit, despite some tool similarities with espionage campaigns. The group's activities target remote access, credential theft, fraud facilitation, access resale, and persistent network presence. This classification places TA4922 alongside a growing number of internationally active groups combining traditional malware, phishing, trusted services, and AI-assisted development into cohesive attack campaigns.
Sources
https://hackread.com/china-ta4922-hackers-uk-europe-silentrunloader-malware/
https://x.com/VivekIntel/status/2062174943639699651
https://www.socdefenders.ai/item/dac5c081-651a-4d3a-adc3-4813efc1020f
https://news.backbox.org/2026/06/03/china-linked-ta4922-hackers-target-uk-europe-with-new-silentrunloader-malware

Comments