Jun 04, 2026
Atlas RAT: Chinese Group TA4922 Phishes Europe via WhatsApp
Proofpoint published a new report on June 3, 2026 attributing a wave of European intrusions to TA4922 — the Chinese-speaking cybercrime group previously tracked as Silver Fox and Void Arachne. The new toolkit, dubbed Atlas RAT, lands through WhatsApp, LINE, and Microsoft Teams lures impersonating tax audits, payroll notices, and VAT filings.
For years TA4922 sat almost entirely inside East Asia. Since March 2026, Proofpoint says the group has been hitting Germany, Italy, the United Kingdom, and South Africa with localized lures in each victim's own language — written well enough that targets are clicking through to a kill chain that ends in full remote access, keylogging, and Chrome credential theft.
Key Takeaways
- Proofpoint attributed Atlas RAT to TA4922, the Chinese-speaking actor previously tracked as Silver Fox and Void Arachne, in a report published June 3, 2026.
- The campaign expands the group's targeting from East Asia into Germany, Italy, the United Kingdom, and South Africa.
- Initial contact arrives through WhatsApp, LINE, and Microsoft Teams chats — not email — using lures themed around payroll notices, tax audits, VAT filings, and HR communications.
- Atlas RAT supports file theft, keylogging, screenshot capture, webcam and microphone recording, plugin loading, and remote shutdown — alongside anti-sandbox evasion to thwart automated analysis.
- Related tooling includes RomulusLoader (which deploys AnyDesk and SyncFuture for remote access) and SilentRunLoader (which steals Chrome credentials, cookies, and browsing data).
Who Is TA4922?
TA4922 is the Proofpoint tracking name for a Chinese-speaking cybercrime cluster that other vendors track as Silver Fox and Void Arachne. Their historical pattern was financially motivated intrusions inside East Asia — Taiwan, Hong Kong, Vietnam — using Winos4.0, also known as ValleyRAT, against Chinese-language speakers. The European expansion that Proofpoint documents is a real shift, not a one-off lure translated into German.
Activity increased sharply in March 2026 and Proofpoint describes "unprecedented operational diversity" since April. That phrase usually means the group rotated infrastructure, rewrote loaders, and reorganized lure themes faster than incident responders could keep up. The result is a single threat actor running a small portfolio of malware families in parallel.
How Does the Attack Reach Victims?
The interesting part is the delivery channel. TA4922 is not blasting phishing email at corporate filters. They are messaging targets directly on WhatsApp, LINE, and Microsoft Teams — chat platforms with weaker URL inspection than enterprise email gateways and stronger psychological cues that the sender is a real person.
The lures pretend to be specific business-administration tasks: a payroll discrepancy, a tax audit invitation, a VAT filing reminder, an HR question. Each is localized in language and reference points. A German speaker gets a German tax authority reference. An Italian speaker gets an Agenzia delle Entrate reference. A UK speaker gets HMRC. That localization is what separates a generic mass phish from a targeted campaign — and TA4922 is doing it at scale.
What Does Atlas RAT Actually Do?
Once installed, Atlas RAT is a full surveillance toolkit. Its capabilities, per Proofpoint, include:
- System reconnaissance and file enumeration across mounted drives.
- Keylogging of every keystroke entered while the device is active.
- Periodic screenshot capture and on-demand screen recording.
- Audio and webcam recording, in some configurations without triggering the visible camera indicator.
- Plugin and secondary payload loading from operator infrastructure.
- System shutdown commands — useful as a destructive last step or as cover for an exfiltration window.
It also includes anti-sandbox and anti-analysis routines that detect virtual machines, debugger presence, and known security product processes — refusing to detonate when it sees any of them. Two companion loaders multiply the threat. RomulusLoader installs legitimate remote management tools (AnyDesk, SyncFuture) so hands-on operators can drive the box manually. SilentRunLoader does the credential harvesting — pulling Chrome saved passwords, cookies, and browsing history straight off disk.
Why Email Is the Real Endgame
SilentRunLoader is the part that lands this back in inbox security territory. Stolen Chrome cookies for a webmail session mean the attacker is logged into the victim's email without ever needing the password or a 2FA prompt. Stolen Chrome saved passwords include the long tail of services the victim has signed up for, including the ones tied back to their primary email as the recovery channel.
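One server-side mitigation for exactly this failure mode, as an added example that is not taken from Proofpoint's report or this article: a webmail-style session store in Python that binds each session cookie to the client's network prefix and User-Agent and revokes it on mismatch, so a cookie replayed from another machine gets a fresh login and 2FA challenge instead of silent mailbox access. The store, the fingerprint scheme, and the sample IPs and User-Agent strings are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed example: bind every session cookie to the client context it was
# issued in. A cookie copied out of the victim's Chrome profile and replayed
# elsewhere then triggers revocation plus re-authentication (password + 2FA).

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (placeholder)


def context_fingerprint(client_ip: str, user_agent: str) -> str:
    """Keyed hash of client context; the /24 prefix tolerates DHCP churn."""
    prefix = ".".join(client_ip.split(".")[:3])
    return hmac.new(SERVER_KEY, f"{prefix}|{user_agent}".encode(),
                    hashlib.sha256).hexdigest()


class SessionStore:
    def __init__(self) -> None:
        self.sessions: dict = {}  # token -> {"user", "fp", "revoked"}

    def issue(self, user: str, client_ip: str, user_agent: str) -> str:
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": user, "revoked": False,
                                "fp": context_fingerprint(client_ip, user_agent)}
        return token

    def authorize(self, token: str, client_ip: str, user_agent: str) -> str:
        """'ok', 'reauth' (context changed, session revoked) or 'invalid'."""
        s = self.sessions.get(token)
        if s is None or s["revoked"]:
            return "invalid"
        if not hmac.compare_digest(s["fp"], context_fingerprint(client_ip, user_agent)):
            s["revoked"] = True  # treat as a stolen cookie, not a roaming user
            return "reauth"
        return "ok"


def demo() -> list:
    """Constructed sequence: victim logs in, cookie is replayed from another
    network and browser, then the victim's own next request is rejected."""
    store = SessionStore()
    ip, ua = "203.0.113.42", "Mozilla/5.0 (Windows NT 10.0) Chrome/124.0"
    cookie = store.issue("alice@example.org", ip, ua)
    return [
        store.authorize(cookie, "203.0.113.57", ua),                          # ok: same /24
        store.authorize(cookie, "198.51.100.9", "Mozilla/5.0 (X11; Linux)"),  # reauth
        store.authorize(cookie, ip, ua),                                      # invalid: revoked
    ]
```

Binding to a /24 prefix and User-Agent is a heuristic: a user who changes networks will be asked to log in again, which is the intended trade-off against a replayed cookie.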
For comparable Chinese APT activity using legitimate cloud services as command channels, see our coverage of the Chinese GridTide operation hiding C2 inside Google Sheets and the Showboat Calypso Linux backdoor inside a Middle East telecom.
Proofpoint's full report includes command and control indicators of compromise that defenders can plug into EDR and proxy filters today. The harder question is what to do about the chat channel — because no amount of email gateway tuning catches a malicious WhatsApp message that never crosses Microsoft 365 or Gmail.