TA4922: When cybercriminals use AI to accelerate attacks
No longer confined to small-scale operations, this cybercrime group is deploying a widespread attack campaign, utilizing a continuously evolving malware arsenal to target organizations in Japan, Germany, the United Kingdom, and across Southeast Asia. Driven by clear financial motives, TA4922 demonstrates a highly sophisticated strategy, making them a dangerous threat on the global cybersecurity landscape.

Sophisticated phishing barriers and the expansion journey of TA4922
According to a detailed report from analysts at the cybersecurity firm Proofpoint, what makes TA4922 alarming is the care it takes in approaching victims. The group frequently sends meticulously designed phishing emails masquerading as notifications from human resources, payroll departments, or tax authorities.
To increase the success rate, these messages are written entirely in the target's local language, so that even cautious employees can fall for them. A single click on a hidden link or the opening of an attachment is enough for malware to be installed on the system immediately and silently.
First appearing in tracking systems in the spring of 2025 with initial targets in East Asia, TA4922 quickly expanded its operational territory. By early 2026, the group's influence had spread to Europe and South Africa. To conceal their actions, the group cleverly combines malware with familiar cloud storage services and legitimate tools, making it highly difficult for defense systems to detect traces of intrusion.
Diverse malware arsenal supported by AI
Proofpoint particularly notes TA4922's ability to build new tools at remarkable speed. Experts believe the group has likely applied Artificial Intelligence (AI) to accelerate the writing of its Python-based malware. Evidence of this was found in the source code of the SilentRunLoader tool, where unchanged default placeholder strings such as your_secret_key_here were discovered, pointing to an extremely rapid malware production process.
In the short period from March to April 2026, the group rotated its tooling across several distinct campaigns:
Atlas RAT (remote access trojan): In early March 2026, the group spoofed salary adjustment notifications sent to organizations in Japan, delivered as ZIP archives hosted on the GoFile platform. Upon opening, injection techniques activate Atlas RAT, which connects directly to the command and control server. By April, this campaign had expanded to the UK and Germany in the form of HR documents named Paperwork.zip. This is a dangerous type of malware capable of logging keystrokes, capturing screenshots, turning on webcams, and automatically evading sandbox analysis environments.
RomulusLoader: Appeared in late March in Japan, distributed through the LimeWire storage platform. By mid-April, this loader was being used to install legitimate remote management software such as AnyDesk or SyncFuture, so that the attackers' traffic blends into normal network activity and evades detection.
SilentRunLoader: Deployed in the United Kingdom via spoofed tax authority emails; it specializes in stealing Chrome browser login credentials and sending them back to the attackers.
ValleyRAT: Runs on the Winos4.0 framework and can take part in Distributed Denial of Service (DDoS) attacks and download additional malicious components depending on the attacker's intent.

Indicators of Compromise (IOCs)
To help system administrators and cybersecurity teams proactively scan for and block this threat, the technical indicators related to TA4922's campaign are listed below (the dots in IP addresses and domains are defanged with brackets for safety):
Command and Control (C2) server IP address: 206.238.115[.]58
Network connection ports (Ports): Port 886 (for Atlas RAT) and port 1234 (for RomulusLoader).
Abused storage platforms: GoFile, LimeWire.
Malware types: Atlas RAT, RomulusLoader, SilentRunLoader, ValleyRAT.
Exploited legitimate software: AnyDesk, SyncFuture.
Main attack methods: Email fraud (Email phishing), DLL Sideloading technique.
Proactive defense strategies for organizations and enterprises
In the face of TA4922's sophistication, organizations and enterprises are recommended to immediately implement strict protective measures:
Tightening endpoint security: Apply policies that only allow trusted applications to run (allowlisting). Closely monitor, or block outright, the execution of software from user-writable directories such as %TEMP% and %APPDATA% - where malware like RomulusLoader typically hides.
Controlling network traffic: Set up alerts for traffic passing through unusual ports, especially port 1234. At the same time, apply the principle of least privilege to limit the damage if an account is compromised.
Cybersecurity training: TA4922 tends to redirect victims from email to online chat platforms such as WhatsApp or Microsoft Teams. Training employees to recognize social engineering tactics is therefore a key step in halting the attack at its very first stage.
The emergence of the TA4922 cybercrime group and its high-tech arsenal is a stark reminder for enterprises in the digital era. Adversaries applying AI to optimize attack speed means organizations cannot afford to be complacent. Proactive technical defense combined with heightened individual vigilance is the key to safeguarding information security against these dangerous undercurrents.
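As an added example (not code from Proofpoint or from the article), the following Python triage script applies the indicators and endpoint rules above to constructed log lines: it flags connections to the listed C2 address or to ports 886 and 1234, and process launches from %TEMP% or %APPDATA%. The log line format and the sample entries are assumptions made for the example.

```python
import re
from dataclasses import dataclass

# Indicators taken from the article (the IP appears there defanged as 206.238.115[.]58).
C2_IP = "206.238.115.58"
SUSPICIOUS_PORTS = {886: "Atlas RAT", 1234: "RomulusLoader"}
# Lower-cased fragments of %TEMP% and %APPDATA% paths; execution from these should alert.
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\")

# Assumed log formats for this example: one line per network flow or process start.
NET_RE = re.compile(r"^(?P<ts>\S+) NET src=(?P<src>\S+) dst=(?P<dst>[\d.]+):(?P<port>\d+)")
PROC_RE = re.compile(r"^(?P<ts>\S+) PROC host=(?P<host>\S+) image=(?P<image>.+)$")


@dataclass
class Alert:
    source: str  # the raw log line that triggered the alert
    reason: str  # why it matched


def analyze(lines):
    """Return one Alert per log line that matches a TA4922 indicator or staging rule."""
    alerts = []
    for line in lines:
        m = NET_RE.match(line)
        if m:
            dst, port = m["dst"], int(m["port"])
            if dst == C2_IP:
                alerts.append(Alert(line, f"connection to known TA4922 C2 {dst}"))
            elif port in SUSPICIOUS_PORTS:
                alerts.append(Alert(line, f"outbound port {port} associated with {SUSPICIOUS_PORTS[port]}"))
            continue
        m = PROC_RE.match(line)
        if m and any(d in m["image"].lower() for d in STAGING_DIRS):
            alerts.append(Alert(line, f"process launched from staging directory: {m['image']}"))
    return alerts


# Constructed sample logs (documentation-range and private addresses, not real hosts).
SAMPLE_LOGS = [
    "2026-04-10T09:12:01Z NET src=10.0.0.15 dst=198.51.100.7:443",
    "2026-04-10T09:12:05Z NET src=10.0.0.15 dst=206.238.115.58:886",
    "2026-04-10T09:13:40Z NET src=10.0.0.22 dst=203.0.113.9:1234",
    "2026-04-10T09:14:02Z PROC host=WS-22 image=C:\\Users\\alice\\AppData\\Roaming\\updater\\AnyDesk.exe",
    "2026-04-10T09:15:00Z PROC host=WS-22 image=C:\\Program Files\\AnyDesk\\AnyDesk.exe",
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOGS):
        print(f"ALERT: {a.reason}\n    {a.source}")
```

Note that the last sample line, AnyDesk running from its normal install path, produces no alert: the rule targets where a binary runs from, not the legitimate tool itself.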
Reference: adsecvn.com