TA4922 Tops Proofpoint Campaign Count, Targets Europe
Key insights
- Proofpoint reports TA4922 now runs more unique campaigns than any other tracked cybercrime threat actor, a record operational tempo.
- TA4922 shifts victims from email to LINE, WhatsApp, and Microsoft Teams to bypass traditional email security controls.
- The group has expanded from Japan, Taiwan, Korea, Singapore, and India to new targets in the UK, Germany, Italy, and South Africa.
Why this matters
Proofpoint's finding that a financially motivated cybercrime group now outpaces every other tracked actor in campaign volume signals a maturation in the criminal threat economy that security budgets at most organizations have not priced in. The group's expansion from Asia-Pacific to the UK, Germany, Italy, and South Africa means European organizations that had no prior exposure to TA4922 are now in active campaign scope. Security architectures built around email gateway controls are structurally blind to an actor that routes its most effective social engineering through Teams, WhatsApp, and LINE.
Summary
TA4922, a Chinese-speaking cybercrime group, now runs more unique campaigns than any other threat actor Proofpoint tracks, expanding its targeting from Asia-Pacific into Europe and South Africa.
The group deploys Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT via HR and invoice lures, then shifts victims to LINE, WhatsApp, or Microsoft Teams to evade email controls.
Essentially, per Proofpoint: TA4922 is a financially motivated actor that has scaled from APAC into a multi-continent campaign machine.
- Expanding beyond Japan, Taiwan, Korea, Singapore, and India to the UK, Germany, Italy, and South Africa.
- Unlike espionage peers Silver Fox and Void Arachne, TA4922 targets credentials, card theft, and access resale.
TA4922's cross-platform evasion compresses detection windows for defenders across multiple continents.
Potential risks and opportunities
Risks
- Enterprises in the UK, Germany, Italy, and South Africa that lack cross-channel threat detection face immediate exposure as TA4922 has newly added those regions to its active campaign scope.
- Microsoft Teams users face elevated risk from TA4922's platform-pivoting tactic, which moves the most active phase of social engineering outside the visibility of standard email security stacks.
- Organizations using AnyDesk or SyncFuture for legitimate RMM operations risk TA4922 blending malicious remote access into normal IT management traffic, potentially delaying detection for weeks.
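The RMM-blending risk above turns on one question for defenders: does a remote-access tool launch look like IT deployment or like a user running something they were handed over Teams, WhatsApp, LINE, or an HR/invoice lure? The following triage script is an added example, not code from Proofpoint's report or the original article. It assumes a constructed key=value process-creation log format, a constructed allowlist of IT accounts, and assumed executable names for AnyDesk and SyncFuture; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass

# Assumed process-creation log format (constructed for this example):
#   <timestamp> host=<name> user=<DOMAIN\account> image="<path>" parent="<path>"
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Remote-access tools named in the report; the executable names are assumptions.
RMM_IMAGE_RE = re.compile(r"(anydesk|syncfuture)[^\\/]*\.exe$", re.IGNORECASE)

# Accounts that legitimately deploy remote-access tools (constructed allowlist).
IT_RMM_ACCOUNTS = {r"corp\it-helpdesk", r"corp\svc-rmm"}

# Parents that indicate a user-driven launch rather than IT deployment: the
# messaging clients the actor pivots to, plus mail and document apps for lures.
MESSAGING_PARENT_RE = re.compile(r"[\\/](teams|whatsapp|line)\.exe$", re.IGNORECASE)
DOCUMENT_PARENT_RE = re.compile(r"[\\/](outlook|winword|excel|acrord32)\.exe$", re.IGNORECASE)

# Locations where an IT-deployed agent would not normally be staged.
USER_WRITABLE_RE = re.compile(r"\\Users\\[^\\]+\\(Downloads|AppData|Desktop)\\", re.IGNORECASE)


@dataclass(frozen=True)
class ProcessEvent:
    timestamp: str
    host: str
    user: str
    image: str
    parent: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one constructed log line into a ProcessEvent."""
    timestamp, _, rest = line.partition(" ")
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return ProcessEvent(timestamp, fields["host"], fields["user"],
                        fields["image"], fields["parent"])


def rmm_abuse_reasons(ev: ProcessEvent) -> list[str]:
    """Reasons an RMM launch looks user-driven; an empty list means it is
    consistent with IT-managed deployment (or is not an RMM tool at all)."""
    if not RMM_IMAGE_RE.search(ev.image):
        return []
    reasons = []
    if ev.user.lower() not in IT_RMM_ACCOUNTS:
        reasons.append("launched-by-non-it-account")
    if USER_WRITABLE_RE.search(ev.image):
        reasons.append("binary-in-user-writable-path")
    if MESSAGING_PARENT_RE.search(ev.parent):
        reasons.append("spawned-by-messaging-client")
    elif DOCUMENT_PARENT_RE.search(ev.parent):
        reasons.append("spawned-by-mail-or-document-app")
    return reasons


def triage(lines):
    """Return (host, user, image, reasons) for every event worth an analyst's time."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        reasons = rmm_abuse_reasons(ev)
        if reasons:
            alerts.append((ev.host, ev.user, ev.image, reasons))
    return alerts


# Constructed sample log: one IT deployment, two lure-style launches, one unrelated process.
SAMPLE_LOG = [
    r'2024-01-01T09:00:00Z host=WS-0137 user=CORP\it-helpdesk image="C:\Program Files\AnyDesk\AnyDesk.exe" parent="C:\Windows\CCM\CcmExec.exe"',
    r'2024-01-01T09:12:44Z host=WS-0137 user=CORP\jdoe image="C:\Users\jdoe\Downloads\AnyDesk.exe" parent="C:\Users\jdoe\AppData\Local\Microsoft\Teams\current\Teams.exe"',
    r'2024-01-01T10:03:10Z host=WS-0212 user=CORP\asmith image="C:\Users\asmith\AppData\Local\Temp\Invoice_0423\SyncFuture.exe" parent="C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"',
    r'2024-01-01T10:05:00Z host=WS-0212 user=CORP\asmith image="C:\Program Files\Google\Chrome\Application\chrome.exe" parent="C:\Windows\explorer.exe"',
]

if __name__ == "__main__":
    for host, user, image, reasons in triage(SAMPLE_LOG):
        print(f"{host} {user} {image}: {', '.join(reasons)}")
```

The allowlist is deliberately about who launches the tool and from where, not about the tool itself, because the report's point is that the binary is the same one IT uses. In a real deployment the parent-process and path checks would be fed from EDR or Sysmon event 1 data rather than a flat log.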
Opportunities
- Messaging security vendors (Abnormal Security, SlashNext) gain direct justification for budget expansion as TA4922 empirically validates the cross-channel threat model beyond email.
- MDR and managed SOC providers can position TA4922's activity as the forcing function for bundling Teams and WhatsApp monitoring into standard enterprise SOC coverage.
- RMM security and PAM vendors (BeyondTrust, CyberArk) can use the AnyDesk-blending tactic to accelerate deals in newly targeted UK, German, and Italian enterprise markets.
What we don't know yet
- No specific victim organizations, breach volumes, or financial losses from TA4922 campaigns were disclosed in Proofpoint's report.
- Whether Microsoft, Meta, and LINE's operator Naver have been notified or are cooperating to detect and disrupt TA4922 activity on their platforms.
- Attribution depth: whether TA4922 operates independently or under any state-adjacent tasking, a question left open despite the report noting similarities to espionage groups Silver Fox and Void Arachne.
Originally reported by securityweek.com
Original headline: Proofpoint: Chinese Cybercrime Group TA4922 Now Runs More Unique Campaigns Than Any Other Tracked Threat Actor, Expands to Europe