Chinese Threat Group TA4922 Deploys New Atlas RAT Malware in European Attacks
What Happened – A Chinese‑speaking cybercrime group (TA4922) has begun targeting European organizations with a previously undocumented remote‑access trojan called Atlas RAT, delivered via a new loader (RomulusLoader). The campaign uses localized phishing lures (payroll notices, tax audits, etc.) and leverages legitimate remote‑management tools such as AnyDesk.
Why It Matters for TPRM –
- The malware’s capabilities (keylogging, webcam capture, data exfiltration) can expose sensitive corporate data and intellectual property.
- Attackers are using AI‑generated code, accelerating development cycles and making detection harder.
- The group’s high operational tempo and use of legitimate tools increase the risk of supply‑chain compromise for third‑party service providers.
Who Is Affected – Enterprises in Europe across finance, technology, and professional services that rely on remote‑access solutions or handle payroll/tax data.
Recommended Actions –
- Review contracts with remote‑access tool vendors (AnyDesk, SyncFuture) for security clauses.
- Enforce multi‑factor authentication and provide phishing‑awareness training for finance and HR staff.
- Deploy endpoint detection that can identify anti‑sandbox checks used by Atlas RAT.
Technical Notes –
- Attack Vector: Phishing emails with lures mimicking payroll, tax, and HR communications; delivery via RomulusLoader using process hollowing and shellcode injection.
- Malware Capabilities: System reconnaissance, file theft, plugin/payload download, keylogging, screenshot capture, audio/webcam capture, system shutdown/reboot.
- Indicators: Anti‑sandbox checks for Microsoft Defender Application Guard, the “CExecSvc” service, and the OS UUID.
- Potential Use: Surveillance or resale to espionage actors.
Source: BleepingComputer