TA4922: The Suspected Chinese Crime Group is Going Global
TA4922 is a sophisticated Chinese-speaking cybercrime group that has expanded its operations from East Asia to Europe and Africa. The group uses multiple malware families, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, alongside legitimate remote management tools such as AnyDesk and SyncFuture. Its campaigns use localized phishing lures themed around HR, payroll, tax, and invoicing and are sent to large numbers of recipients. TA4922 conducts credential phishing and credit card fraud and tries to move victim conversations to out-of-band channels such as LINE, WhatsApp, and Microsoft Teams. Delivery and persistence rely on legitimate cloud hosting and trusted software, and the objective is financial gain through data theft, fraud, and resale of access. Because this is an actor-based threat rather than a software vulnerability, no exploit or patch applies; the relevant controls are mail filtering, user awareness, and detection of the malware, tooling, and infrastructure listed below. Severity is assessed as medium based on the described impact and operational scope.
AI Analysis
Technical Summary
TA4922 is a financially motivated Chinese-speaking threat actor known for rapid operational tempo and evolving malware capabilities. Initially targeting East Asia, particularly Japan, the group has expanded globally to Europe and Africa. They deploy multiple malware families including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT, alongside legitimate remote management tools such as AnyDesk and SyncFuture. Their campaigns use localized phishing lures themed around HR, payroll, tax, and invoicing, targeting hundreds to thousands of recipients per campaign. TA4922 conducts credential phishing, credit card theft, and attempts to shift communications to out-of-band channels like LINE, WhatsApp, and Microsoft Teams. The group leverages legitimate cloud hosting services and trusted software for delivery and persistence, combining advanced tradecraft with financially motivated objectives such as data theft, fraud, access resale, and persistent remote access.
Potential Impact
TA4922's operations result in credential theft, credit card fraud, unauthorized persistent access, and resale of compromised access. Because the group pairs several malware families with legitimate remote management tools, removing one implant does not necessarily end the intrusion, and access that is resold can be followed by further intrusions by whoever buys it. Global expansion enlarges the potential victim pool and the financial impact. No software vulnerability is involved, so there is no exploit to track; the impact is financial crime and data theft, with initial access obtained through phishing.
Mitigation Recommendations
No patch applies, because this is a threat actor campaign rather than a software vulnerability; the controls are preventive and detective. Organizations should:
- Train staff to recognize phishing lures themed around HR, payroll, tax, and invoicing, and to verify any payroll, banking, or invoice change through a known-good channel rather than the contact details given in the message.
- Alert on the installation or first execution of remote management tools such as AnyDesk and SyncFuture on hosts where they are not approved, and restrict such tools with application control where possible.
- Block the listed IPs, domains, and URLs at the proxy, DNS resolver, and firewall, and search EDR and mail gateway telemetry for the listed file hashes.
- Treat a request to continue a business conversation on LINE, WhatsApp, or Microsoft Teams as a warning sign; personal messaging apps cannot be monitored by the organization, so awareness is the practical control there.
- Follow the Proofpoint report and threat intelligence feeds for changes in tactics or new indicators.
Indicators of Compromise
The source does not say which hash belongs to which sample; the algorithm labels below are inferred from digest length (32 hex characters MD5, 40 SHA-1, 64 SHA-256).
- ip: 154.211.86.110
- ip: 103.214.172.33
- ip: 112.121.183.202
- ip: 206.238.115.58
- url: https://nwphotoblog.com
- url: https://ws.ztts88.cyou/file/cg.exe
- url: https://ws.ztts88.cyou/upload.php
- domain: nwphotoblog.com
- domain: ws.ztts88.cyou
- hash (MD5): 0ffb16209def5500ff4380d9e8093437
- hash (MD5): 3e7066e44132e64360a30974b6ea3671
- hash (SHA-1): 483a36fb9e4aef9704aa1e4edfb88c492dfe4140
- hash (SHA-1): 7b2c661cfb69e9c75df90d5102647bb014c28ad5
- hash (SHA-256): 2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d
- hash (SHA-256): 0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8
- hash (SHA-256): 3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d
- hash (SHA-256): 314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef
- hash (SHA-256): 40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5
- hash (SHA-256): 4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d
- hash (SHA-256): 584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8
- hash (SHA-256): 66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d
- hash (SHA-256): 8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0
- hash (SHA-256): 9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73
- hash (SHA-256): a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295
- hash (SHA-256): a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad
- hash (SHA-256): de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2
- hash (SHA-256): e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c
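The indicators above and the monitoring advice in the Mitigation Recommendations section come together in the following hunting script, an added example that is not code from the original page, from Proofpoint, or from AlienVault. It loads the page's IOCs, scans proxy log lines in an assumed five-field format (timestamp, source IP, destination IP, method, target), and checks a list of file hashes as an EDR console might export them; the log lines, the hash list, and the log format are constructed for illustration and are not data from the report.

```python
"""Hunt for the TA4922 indicators listed on this page in local telemetry.
Added example, not code from Proofpoint or AlienVault. The proxy log lines and
file hashes below are constructed, and the log format is assumed:
"<timestamp> <src_ip> <dst_ip> <method> <target>".
"""
import re
from urllib.parse import urlparse

# Network indicators copied from the page.
IOC_IPS = {"154.211.86.110", "103.214.172.33", "112.121.183.202", "206.238.115.58"}
IOC_DOMAINS = {"nwphotoblog.com", "ws.ztts88.cyou"}
IOC_URLS = {
    "https://nwphotoblog.com",
    "https://ws.ztts88.cyou/file/cg.exe",
    "https://ws.ztts88.cyou/upload.php",
}

# File hashes copied from the page. It mixes MD5, SHA-1 and SHA-256 values
# without saying which sample each belongs to, so matching is by value only.
IOC_HASHES = set("""
2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d
0ffb16209def5500ff4380d9e8093437
3e7066e44132e64360a30974b6ea3671
483a36fb9e4aef9704aa1e4edfb88c492dfe4140
7b2c661cfb69e9c75df90d5102647bb014c28ad5
0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8
3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d
314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef
40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5
4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d
584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8
66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d
8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0
9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73
a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295
a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad
de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2
e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c
""".split())

# Constructed sample proxy log. The destination IPs on the domain lines are
# documentation addresses, not a claim about what the IOC domains resolve to.
SAMPLE_PROXY_LOG = """\
2026-06-04T08:10:02Z 10.0.0.15 203.0.113.10 GET https://www.example.com/
2026-06-04T08:11:40Z 10.0.0.15 203.0.113.45 GET https://ws.ztts88.cyou/file/cg.exe
2026-06-04T08:11:59Z 10.0.0.15 203.0.113.45 POST https://ws.ztts88.cyou/upload.php
2026-06-04T08:12:30Z 10.0.0.22 198.51.100.7 GET https://cdn.nwphotoblog.com/img/1.png
2026-06-04T08:13:00Z 10.0.0.30 154.211.86.110 CONNECT 154.211.86.110:443
"""

# Constructed hashes as an EDR console might export them (note the mixed case).
SAMPLE_HASHES = [
    "0FFB16209DEF5500FF4380D9E8093437",  # listed IOC (MD5)
    "d41d8cd98f00b204e9800998ecf8427e",  # benign: MD5 of an empty file
    "e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c",  # listed IOC (SHA-256)
]

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<method>\S+) (?P<target>\S+)$")

def classify_hash(value):
    """Guess the digest algorithm from hex length; 'unknown' for anything else."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value), "unknown")

def match_hashes(observed):
    """Return {hash: algorithm} for observed hashes that appear in the IOC set."""
    return {h.lower(): classify_hash(h) for h in observed if h.lower() in IOC_HASHES}

def extract_host(target):
    """Host part of a URL, or of a bare 'host:port' as seen on CONNECT lines."""
    parsed = urlparse(target if "://" in target else "//" + target)
    return (parsed.hostname or "").lower()

def domain_matches(host):
    """True for a listed domain itself or any subdomain of it, not for its parent."""
    host = host.rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def scan_proxy_log(text):
    """Return (line_no, src_ip, indicator_type, indicator) tuples for every IOC hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # line does not fit the assumed format
        target, host = m["target"], extract_host(m["target"])
        if target.rstrip("/") in IOC_URLS:              # exact URL is the strongest signal
            hits.append((line_no, m["src"], "url", target))
        elif domain_matches(host):                        # otherwise domain or subdomain
            hits.append((line_no, m["src"], "domain", host))
        for ip in sorted({m["dst"], host} & IOC_IPS):    # direct-to-IP connections
            hits.append((line_no, m["src"], "ip", ip))
    return hits

if __name__ == "__main__":
    print(*scan_proxy_log(SAMPLE_PROXY_LOG), sep="\n")
    print(match_hashes(SAMPLE_HASHES))
```

Two caveats for anyone adapting this: the page lists hashes of three different algorithms without saying which sample each belongs to, so a hash hit identifies a known file but not which malware family it is; and the domain match deliberately covers subdomains of the listed domains but not their parents (ztts88.cyou on its own is not a listed indicator), so widen it only after checking the parent domain yourself. Since the description says the group delivers through legitimate cloud hosting, a domain or IP hit on shared infrastructure still needs triage before it is blocked outright.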
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global
- Adversary: TA4922
- Pulse ID: 6a20244bdece9b50eee824aa
- Threat Score: null
Threat ID: 6a213860e29bf47b5081f48f
Added to database: 6/4/2026, 8:33:36 AM
Last enriched: 6/4/2026, 8:48:29 AM
Last updated: 6/4/2026, 11:25:05 AM