Proofpoint Warns TA4922 Deploys Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer


A sophisticated cybercrime group known as TA4922 is raising alarms across the global security community.

The group has been deploying a growing arsenal of malware, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, against organizations in Japan, the United Kingdom, Germany, and across Southeast Asia.

These campaigns are financially motivated and show a level of planning that sets TA4922 apart from typical criminal groups. The group’s reach is no longer regional. It is becoming a global threat.

What makes TA4922 especially dangerous is how it tricks its victims. The group sends carefully crafted emails disguised as messages from HR departments, tax authorities, and payroll teams.

These messages are written in the target’s local language and look convincing enough to fool cautious employees. Once a victim clicks a link or opens an attachment, the malware silently installs itself.

Analysts at Proofpoint identified and documented this activity in a detailed threat report shared with Cyber Security News (CSN). According to Proofpoint, TA4922 is a highly sophisticated actor with a rapidly evolving malware arsenal.

HR-themed salary adjustment email lure used in the March 2026 campaign (Source – Proofpoint)

The group is assessed to be financially motivated, with goals including data theft, fraud, and persistent access to victim environments. Proofpoint notes that TA4922 currently conducts more unique campaigns than any other tracked cybercrime actor in their threat data.

The group first appeared on Proofpoint’s radar in spring 2025, initially focused on East Asia. By early 2026, TA4922 had dramatically expanded into Europe and South Africa.

The group mixes malicious activity with legitimate tools and trusted cloud hosting services, making their attacks harder to detect.

One of the more alarming aspects of TA4922’s behavior is how fast it builds new tools. Proofpoint assessed with high confidence that the group likely uses AI coding tools to rapidly develop new Python-based malware.

Unchanged placeholder values in SilentRunLoader’s code, such as the string “your_secret_key_here,” suggest code was generated with minimal review. This fast development cycle means defenders are constantly chasing new variants.

TA4922 Deploys Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT

TA4922 ran several notable campaigns between March and April 2026, each deploying different malware. In early March, the group sent HR-themed emails to organizations in Japan disguised as salary adjustment notices.

The emails pointed to ZIP files hosted on GoFile; once opened, the archives triggered DLL sideloading to deliver Atlas RAT, which connected to a command-and-control server at 206.238.115.58 over port 886.

A second Atlas RAT campaign in April targeted organizations in the UK and Germany using HR lures with filenames like “Paperwork.zip.” RomulusLoader appeared in late March, targeting Japanese organizations via LimeWire-hosted files.

In mid-April, TA4922 used RomulusLoader to push legitimate remote monitoring tools such as AnyDesk and SyncFuture, blending into normal network traffic.

SilentRunLoader was deployed against UK targets using fake tax authority emails, stealing Chrome credentials and sending them to an actor-controlled server.

HR themed email lures in April 2026 (Source – Proofpoint)

Atlas RAT is a fully featured backdoor with capabilities including keylogging, screen capture, webcam recording, file management, and remote command execution.

LimeWire hosting RomulusLoader payload (Source – Proofpoint)

It runs multiple anti-sandbox checks and communicates with its server using ChaCha encryption. ValleyRAT, built on the Winos4.0 framework, adds DDoS support and downloads additional modules on demand. Together, these tools give TA4922 deep and persistent access to compromised systems.

Organizations need to act now to reduce their exposure to this threat. Proofpoint recommends enforcing application allowlisting on trusted directories to prevent unapproved executables from running.

RomulusLoader’s behaviors (Source – Proofpoint)

Teams should also monitor or prevent execution from temporary folders like %TEMP% and %APPDATA%, commonly abused by malware like RomulusLoader. Watching for executables written to root directories can help catch suspicious activity early.

Network defenders should flag traffic to unusual ports, particularly port 1234, used by RomulusLoader’s C2 infrastructure. Applying least-privilege principles across accounts limits how much damage an attacker can cause once inside a network.

Since TA4922 is known to move victims from email to messaging platforms like WhatsApp and Microsoft Teams, security teams should train employees to recognize and report this social engineering before it leads to a full compromise.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| IP Address | 206.238.115.58 | Atlas RAT C2 (Campaign 1, March 2026) |
| IP Address | 154.211.86.110 | Atlas RAT C2 (Campaigns 2 and 3, April 2026) |
| IP Address | 43.156.77.97 | RomulusLoader C2 (March 2026) |
| IP Address | 103.214.172.33 | RomulusLoader first-stage C2 (April 2026) |
| IP Address | 18.139.83.110 | SilentRunLoader data exfiltration IP |
| Domain | ws[.]ztts88[.]cyou | SilentRunLoader C2 domain |
| URL | https://ws.ztts88[.]cyou/file/cg[.]exe | SilentRunLoader payload download URL |
| URL | https://ws.ztts88[.]cyou/upload[.]php | SilentRunLoader data exfiltration URL |
| URL | https://nwphotoblog[.]com | URL used in RomulusLoader/SyncFuture campaign |
| Domain | aeya388[.]club | ValleyRAT (Winos4.0) C2 domain |
| SHA256 | a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295 | ZIP archive delivering Atlas RAT (March 2026) |
| SHA256 | 584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8 | Atlas RAT DLL (libcef.dll, March 2026) |
| SHA256 | 66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d | ZIP archive (Paperwork.zip) delivering Atlas RAT |
| SHA256 | 4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d | ZIP archive (HR (2).zip) delivering Atlas RAT |
| SHA256 | a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad | Atlas RAT DLL (libcef.dll, April 2026) |
| SHA256 | 40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5 | RAR archive delivering RomulusLoader |
| SHA256 | 8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0 | RomulusLoader DLL (vulkan-1.dll) |
| SHA256 | 3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d | RomulusLoader component (vulkan-1.bin) |
| SHA256 | 314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef | RomulusLoader/SyncFuture ZIP archive |
| SHA256 | 2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d | RomulusLoader/SyncFuture executable |
| SHA256 | 0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8 | RomulusLoader/SyncFuture DLL |
| SHA256 | e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c | SilentRunLoader executable (March 2026) |
| SHA256 | de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2 | SilentRunLoader ZIP (April 2026) |
| SHA256 | 9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73 | SilentRunLoader executable (April 2026) |
| File Name | vulkan-1.dll | RomulusLoader malicious DLL masquerading as Vulkan component |
| File Name | libcef.dll | Atlas RAT malicious DLL used in multiple campaigns |
| File Name | cg.exe | SilentRunLoader next-stage compiled Python payload |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
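The following is an added example (not code from Proofpoint or Cyber Security News) showing how a detection team might put the recommendations above to work: it re-fangs the defanged indicators from the IoC table, then scans log lines for connections to the listed C2 addresses, traffic on the C2 ports named in the article (886 and 1234), lookups of the C2 domains, and execution from %TEMP%/%APPDATA% involving the listed file names. The key=value log format, the hostnames, internal addresses and paths in the sample lines, and the hash-free subset of indicators are all constructed for the example; the expansion of %TEMP% and %APPDATA% to the usual per-user AppData paths is an assumption about a standard Windows host.

```python
"""Re-fang the article's IoCs and scan constructed log lines for them.

Added example, not Proofpoint's or CSN's code. Log format and sample
values are constructed; indicators are copied from the IoC table.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Defanged indicators as published in the IoC table (subset; hashes omitted).
IOC_IPS = {
    "206[.]238[.]115[.]58",   # Atlas RAT C2 (March 2026)
    "154[.]211[.]86[.]110",   # Atlas RAT C2 (April 2026)
    "43[.]156[.]77[.]97",     # RomulusLoader C2 (March 2026)
    "103[.]214[.]172[.]33",   # RomulusLoader first-stage C2 (April 2026)
    "18[.]139[.]83[.]110",    # SilentRunLoader exfiltration IP
}
IOC_DOMAINS = {"ws[.]ztts88[.]cyou", "aeya388[.]club"}
IOC_FILENAMES = {"vulkan-1.dll", "libcef.dll", "cg.exe"}
C2_PORTS = {886, 1234}  # Atlas RAT and RomulusLoader C2 ports named in the article

# Assumption: %TEMP% and %APPDATA% resolve to the standard per-user paths.
STAGING_DIR_RE = re.compile(
    r"\\users\\[^\\]+\\appdata\\(local\\temp|roaming)\\", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a live one for matching only."""
    return (indicator.replace("[.]", ".")
            .replace("hxxp://", "http://").replace("hxxps://", "https://"))


def defang(indicator: str) -> str:
    """Defang a live indicator so alert text is safe to paste into reports."""
    return indicator if "[.]" in indicator else indicator.replace(".", "[.]")


LIVE_IPS = {refang(i) for i in IOC_IPS}
LIVE_DOMAINS = {refang(d) for d in IOC_DOMAINS}


@dataclass
class Alert:
    ts: str
    severity: str
    reason: str


def parse_kv(line: str) -> dict:
    """Parse 'timestamp key=value ...'; a value runs until the next ' key='."""
    ts, _, rest = line.partition(" ")
    fields = {"ts": ts}
    for m in re.finditer(r"(\w+)=(.*?)(?=\s+\w+=|$)", rest):
        fields[m.group(1)] = m.group(2)
    return fields


def evaluate(fields: dict) -> Optional[Alert]:
    """Apply the article's network and host recommendations to one event."""
    kind = fields.get("type")
    if kind == "conn":
        dst, port = fields.get("dst", ""), int(fields.get("dport", 0))
        if dst in LIVE_IPS:
            return Alert(fields["ts"], "high", f"connection to known C2 {defang(dst)}:{port}")
        if port in C2_PORTS:  # unusual port used by TA4922 C2, unknown destination
            return Alert(fields["ts"], "medium", f"traffic on C2 port {port} to {defang(dst)}")
    elif kind == "dns":
        q = fields.get("query", "").lower()
        if q in LIVE_DOMAINS or any(q.endswith("." + d) for d in LIVE_DOMAINS):
            return Alert(fields["ts"], "high", f"DNS lookup of known C2 domain {defang(q)}")
    elif kind == "proc":
        image = fields.get("image", "")
        names = {p.rsplit("\\", 1)[-1].lower() for p in (image, fields.get("module", "")) if p}
        staged = bool(STAGING_DIR_RE.search(image))
        hit = names & IOC_FILENAMES
        if hit and staged:
            return Alert(fields["ts"], "high", f"{sorted(hit)[0]} loaded from %TEMP%/%APPDATA%")
        if hit:
            return Alert(fields["ts"], "medium", f"known malicious file name {sorted(hit)[0]}")
        if staged:
            return Alert(fields["ts"], "low", f"execution from %TEMP%/%APPDATA%: {image}")
    return None


def scan(lines: List[str]) -> List[Alert]:
    return [a for a in (evaluate(parse_kv(line)) for line in lines) if a]


# Constructed sample events: two C2 connections, a C2 DNS lookup, a sideloaded
# DLL from %TEMP%, benign traffic, and an unknown host on port 1234.
SAMPLE_LOGS = [
    "2026-03-05T09:12:44Z type=conn src=10.0.0.14 dst=206.238.115.58 dport=886 proto=tcp",
    "2026-03-05T09:13:01Z type=conn src=10.0.0.14 dst=142.250.74.46 dport=443 proto=tcp",
    "2026-04-16T14:02:10Z type=conn src=10.0.0.27 dst=43.156.77.97 dport=1234 proto=tcp",
    "2026-04-16T14:02:15Z type=dns src=10.0.0.27 query=ws.ztts88.cyou",
    "2026-04-16T14:03:00Z type=proc host=WS27 image=C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup\\viewer.exe"
    " module=C:\\Users\\jdoe\\AppData\\Local\\Temp\\setup\\vulkan-1.dll",
    "2026-04-16T14:05:00Z type=proc host=WS27 image=C:\\Program Files\\Git\\bin\\git.exe parent=C:\\Windows\\explorer.exe",
    "2026-04-16T14:06:00Z type=conn src=10.0.0.31 dst=198.51.100.7 dport=1234 proto=tcp",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(f"{alert.ts} [{alert.severity}] {alert.reason}")
```

The indicators are kept defanged in the source and re-fanged only inside the matcher, so copying the script into a ticket or wiki never produces a clickable C2 link; alert text is defanged again on the way out. The port-1234 rule on its own fires at medium severity because plenty of legitimate software uses that port, which is why the article pairs it with the specific C2 addresses rather than relying on the port alone.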
