Threats · 4 min read · 4 June 2026

TA4922 Expands Phishing Operations Into Europe and South Africa With ValleyRAT and Atlas RAT

A China-linked threat crew is cycling through commodity and custom malware at an unusually fast clip — and it has started targeting organizations far outside its traditional Asia-Pacific base.

Elena Fischer, Threat Intelligence Analyst

A cybercriminal group tracked as TA4922 has extended its phishing campaigns into the United Kingdom, Germany, Italy, and South Africa, marking a significant geographic expansion for a crew that previously concentrated its operations across the Asia-Pacific region.

Who Is TA4922?

TA4922 is a China-aligned threat group that sits in uncomfortable territory between state-sponsored espionage and outright financially motivated cybercrime. Researchers have not confirmed a direct state mandate. What they have confirmed is Chinese-language operators, overlapping infrastructure with known Chinese-nexus clusters, and a working malware pipeline that keeps getting faster.

This distinction matters. Conflating every China-linked crew with a formal intelligence directive muddies the threat model defenders need to build. TA4922 should be treated as a fast-moving criminal operation — one that happens to share tooling and infrastructure DNA with espionage actors — rather than a precision APT running quarterly ops from a government brief.

The Malware Lineup

Two RAT families anchor the group's current campaigns.

ValleyRAT, also tracked as Winos 4.0, is a remote access trojan with a documented history among Chinese-speaking threat clusters. It has previously appeared in campaigns targeting finance and gaming companies across China and Taiwan. Public detections exist. It is not exotic.

Atlas RAT — sometimes called AtlasCross RAT — has surfaced in earlier intrusion sets aimed at think tanks and humanitarian aid organizations. Again, documented. Again, not new.

What is new is the pace at which TA4922 pairs these known families with previously undocumented loaders. The group appears to swap out loader stubs between campaigns, combining familiar commodity tools with freshly minted payloads that carry no prior detection signatures. Researchers describe this as an unusually rapid operational tempo — campaign-to-campaign iteration on lures, infrastructure, and payloads that looks less like a traditional APT and more like a software team shipping incremental releases.

Why Europe and South Africa?

The geographic shift suggests TA4922 is following revenue rather than a strict geopolitical collection priority. UK financial services, German manufacturing, Italian critical infrastructure, and South African enterprises all represent high-value targets for credential theft, corporate espionage, or outright fraud. The group appears willing to chase whichever geography offers the best return — a behavior pattern common to China-nexus crews that blur the line between espionage-adjacent collection and commercial cybercrime.

For European and South African security teams, this is a practical warning. Your organization does not need to be geopolitically significant to land on TA4922's targeting list. If your industry is valuable and your phishing controls are weak, you are on the map.

The Control That Failed — And Keeps Failing

Phishing is the initial access vector. Full stop. Every campaign TA4922 has run depends on an employee clicking something they should not have clicked — a malicious attachment, a credential-harvesting link, a lure crafted to look like a routine business communication. The Verizon 2024 Data Breach Investigations Report found that the human element contributed to 68% of breaches, and initial access through phishing remained one of the top three action varieties across confirmed incidents. TA4922's operations fit directly inside that statistic.

The harder problem is cadence. Traditional signature-based detection works when the loader stub matches a known hash. TA4922 rotates those stubs between campaigns, potentially faster than many organizations' detection-engineering cycles can produce new rules. That gap — between the moment a new loader hits inboxes and the moment a detection fires — is exactly where this group operates.

Signature controls will always lag a crew that iterates this quickly. Behavioral telemetry closes most of that gap: Microsoft Office applications or browsers spawning cmd.exe, powershell.exe, wscript.exe or mshta.exe; outbound connections to domains registered in the last few weeks; and PowerShell command lines with hidden windows, encoded commands or download cradles that do not match the estate's normal baseline. Rules on those behaviors survive a loader rotation because the new loader still has to do the same things on the endpoint, whatever its hash.
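The following is an added example of the behavioral rules described above, not code from the original article or from any vendor's ruleset. It runs two rules over constructed Sysmon-style process-creation events (the file paths, command lines and the rule names are invented for illustration): a parent/child rule for Office applications and browsers launching script hosts, and a command-line rule for PowerShell flags that rarely appear in legitimate interactive use.

```python
"""Behavioral detection over process-creation telemetry.

Added example: the events below are constructed Sysmon-style (Event ID 1)
records, not telemetry from any real intrusion. The rule names and the
lists of "interesting" binaries are illustrative assumptions.
"""
import re
from dataclasses import dataclass

# Parents that should not normally launch script hosts on a user workstation.
OFFICE_AND_BROWSERS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "chrome.exe", "msedge.exe", "firefox.exe",
}
# Script hosts and living-off-the-land binaries loader stubs commonly chain through.
SCRIPT_HOSTS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "msiexec.exe",
}
PS_HOSTS = {"powershell.exe", "pwsh.exe"}
# PowerShell traits typical of download cradles and encoded stagers.
PS_SUSPICIOUS = re.compile(
    r"-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|"
    r"downloadstring|invoke-webrequest|\biwr\b|\biex\b|frombase64string|bypass",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def evaluate(event: ProcEvent) -> list:
    """Return the names of the rules that fire for one event (empty if none)."""
    hits = []
    parent, child = basename(event.parent_image), basename(event.image)
    if parent in OFFICE_AND_BROWSERS and child in SCRIPT_HOSTS:
        hits.append("office_or_browser_spawns_script_host")
    # Check the command line whether PowerShell is the child itself or is
    # launched one hop down through cmd.exe.
    launches_ps = child in PS_HOSTS or "powershell" in event.command_line.lower()
    if launches_ps and PS_SUSPICIOUS.search(event.command_line):
        hits.append("suspicious_powershell_flags")
    return hits


def scan(events: list) -> list:
    """Return (event index, rule hits) for every event that fires at least one rule."""
    return [(i, hits) for i, e in enumerate(events) if (hits := evaluate(e))]


# Constructed sample: one Word-launched chain, its child stage, and two benign events.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r"C:\Windows\System32\cmd.exe",
              r"cmd.exe /c powershell -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent(r"C:\Windows\System32\cmd.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell -nop -w hidden -enc SQBFAFgA..."),
    ProcEvent(r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
              r"C:\Windows\splwow64.exe",
              r"splwow64.exe 12288"),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, SAMPLE_EVENTS[index].command_line, hits)
```

Only the first two events fire; the scheduled backup script launched from Explorer and the Excel print helper (splwow64.exe) pass, which is the point of matching on parent/child pairs and flag patterns rather than on "PowerShell ran". In a real estate the parent list and the flag regex need tuning against a baseline, since some line-of-business add-ins do legitimately spawn script hosts.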

What Defenders Should Do Right Now

First, hunt for ValleyRAT and Atlas RAT artifacts across your endpoint estate. Both families have been profiled extensively, and EDR products with current rulesets should detect them. If your detections are signature-only, layer in behavioral rules.

Second, pay particular attention to European and South African subsidiaries and satellite offices. These entities often run leaner security stacks than corporate headquarters and represent softer targets for phishing crews expanding into new geographies.

Third — and this is the control that is most frequently underinvested — train your people. Security-awareness training that covers how to identify credential-harvesting lures and suspicious attachment patterns directly addresses the initial access vector TA4922 depends on. A well-trained employee who pauses before clicking a convincing phishing email is a far more durable control than any single detection rule. Organizations looking to build that capability quickly can review Train2Secure's training standards and compliance frameworks to understand what a structured program looks like.

Fourth, monitor for outbound DNS queries to recently registered domains, particularly on .top, .xyz, and other low-cost TLDs that threat actors favor for fresh infrastructure. Registration age is not in the DNS log itself, so enrich queried domains against a newly-registered-domain feed or an RDAP/WHOIS lookup, and treat the TLD alone as a weak signal rather than a block criterion, since legitimate businesses use those TLDs too.
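The following is an added example of the fourth step, not code from the original article. It parses constructed DNS query log lines, reduces each name to its registrable domain, and scores it by registration age and TLD. The log format, the hostnames, the registration dates and the TLD list are all invented for illustration; in production the dates come from an NRD feed or RDAP/WHOIS, and registrable-domain extraction should use the Public Suffix List rather than the small suffix table here.

```python
"""Flag DNS queries to recently registered domains.

Added example with constructed data: the log lines, hostnames and
registration dates are invented, not real infrastructure. The multi-label
suffix table is a stand-in for the Public Suffix List and covers only the
suffixes present in the sample.
"""
from datetime import date

TODAY = date(2026, 6, 4)                 # fixed for reproducibility (article date)
NEW_DOMAIN_DAYS = 30                     # assumption: "recent" means registered within 30 days
# Low-cost TLDs the article names, plus a few commonly reported alongside them (assumption).
LOW_COST_TLDS = {"top", "xyz", "icu", "cfd", "shop", "click"}
# Minimal Public Suffix List stand-in so that co.za / co.uk names reduce correctly.
MULTI_LABEL_SUFFIXES = {"co.uk", "co.za", "org.uk", "com.au"}

# Constructed registration dates, as an NRD feed or RDAP lookup would return them.
REGISTRATION_DATES = {
    "update-invoice.top": date(2026, 5, 29),
    "secure-login-portal.xyz": date(2026, 6, 2),
    "portal-docs-review.com": date(2026, 5, 20),
    "example.com": date(1995, 8, 14),          # constructed, not a verified date
    "example-bank.co.za": date(2004, 3, 1),    # constructed
}


def registrable_domain(fqdn: str) -> str:
    """Reduce a query name to the domain that was actually registered."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def parse_line(line: str) -> dict:
    """Constructed log format: '<timestamp> <host> query <qtype> <qname>'."""
    ts, host, _, qtype, qname = line.split()
    return {"ts": ts, "host": host, "qtype": qtype, "qname": qname}


def assess(qname: str, today: date = TODAY) -> tuple:
    """Return (severity, reason). 0 = benign, 1 = needs enrichment, 2-3 = alert."""
    domain = registrable_domain(qname)
    tld = domain.rsplit(".", 1)[-1]
    registered = REGISTRATION_DATES.get(domain)
    if registered is None:
        return 1, f"{domain}: no registration data, enrich before deciding"
    age = (today - registered).days
    if age > NEW_DOMAIN_DAYS:
        return 0, f"{domain}: registered {age} days ago"
    severity = 3 if tld in LOW_COST_TLDS else 2
    return severity, f"{domain}: registered {age} days ago on .{tld}"


def scan(lines: list, today: date = TODAY) -> list:
    """Return (host, severity, reason) for every query worth looking at, highest severity first."""
    alerts = []
    for rec in map(parse_line, lines):
        severity, reason = assess(rec["qname"], today)
        if severity:
            alerts.append((rec["host"], severity, reason))
    return sorted(alerts, key=lambda a: -a[1])


# Constructed sample log: two fresh low-cost TLDs, one fresh .com, one unknown, two benign.
SAMPLE_LOG = [
    "2026-06-04T08:01:10Z ws-0172 query A update-invoice.top",
    "2026-06-04T08:01:11Z ws-0172 query A login.example.com",
    "2026-06-04T08:03:27Z ws-0209 query A cdn.secure-login-portal.xyz",
    "2026-06-04T08:04:02Z ws-0209 query A www.example-bank.co.za",
    "2026-06-04T08:05:45Z ws-0311 query A files.update-center.online",
    "2026-06-04T08:06:12Z ws-0311 query A portal-docs-review.com",
]

if __name__ == "__main__":
    for host, severity, reason in scan(SAMPLE_LOG):
        print(f"[{severity}] {host}: {reason}")
```

The two fresh low-cost-TLD domains score highest, the fresh .com still alerts at a lower severity, the unknown domain is queued for enrichment rather than dropped, and the established names are ignored. Scoring age and TLD separately is what keeps the rule useful against a crew that rotates registrars and TLDs between campaigns.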

Attribution Caveats

TA4922 carries a "China-linked" label based on infrastructure overlaps, operator language artifacts, and tooling similarities with documented Chinese-nexus clusters. That framing is accurate but imprecise. There is no public confirmation of state tasking or government affiliation. Treating this group as a confirmed state actor changes the threat model in ways that may actually reduce defensive effectiveness — it can lead organizations to assume they are not high-value enough to be targeted, which is exactly wrong.

Treat TA4922 as a capable, fast-moving phishing crew with a working RAT pipeline and an expanding geographic footprint. Build your defenses accordingly. The next loader variant will not match the last one, and the next lure will be tuned for whatever geography they are targeting that week.

Organizations that want to benchmark their current phishing resilience before the next campaign arrives can explore Train2Secure's pricing options for employee phishing simulation and awareness programs.

How phishing awareness could have stopped TA4922 at the door

  • Run phishing simulations tuned to the lure types TA4922 uses — business-themed attachments and credential-harvesting pages — so employees recognize the pattern before it reaches their inbox.
  • Establish a security-awareness training cadence that updates at least quarterly, keeping pace with threat groups that iterate their lures campaign-to-campaign.
  • Pair employee training with behavioral email controls: flag newly registered sender domains, block macro execution in documents from untrusted senders (Office already blocks macros in files that carry the Mark of the Web by default; make sure that policy is enforced and not overridden by users), and route suspicious attachments to sandbox analysis automatically.

Train2Secure's phishing simulation and awareness programs are built for exactly this threat profile — helping teams recognize and report fast-moving campaigns before a RAT gets a foothold.


Frequently asked questions

What industries is TA4922 targeting in its European and South African campaigns?

Researchers have not limited TA4922 to a single vertical. The group appears to follow financial opportunity rather than a strict sector brief, meaning finance, manufacturing, professional services, and critical infrastructure organizations are all plausible targets. European subsidiaries of global firms are at particular risk if their phishing controls are weaker than corporate headquarters.

How does TA4922 avoid detection when its malware families like ValleyRAT are already documented?

TA4922 pairs known RAT families with freshly built or rotated loader stubs that carry no prior detection signatures. This means signature-based controls often miss the initial delivery stage even when the final payload is recognizable. Behavioral detection — watching for suspicious child processes from Office apps, unusual PowerShell execution, and outbound connections to newly registered domains — is more reliable than static IOC matching against this group.

Is TA4922 a state-sponsored group?

Not confirmed. TA4922 shows Chinese-language operator artifacts and infrastructure overlaps with state-nexus clusters, but no direct government mandate has been established. Defenders should model it as a financially motivated cybercriminal crew with espionage-adjacent capabilities rather than a formal intelligence operation.

What is ValleyRAT and why should defenders prioritize hunting for it?

ValleyRAT, also tracked as Winos 4.0, is a remote access trojan associated with Chinese-speaking threat clusters. It has been deployed in campaigns targeting finance and gaming organizations and provides attackers with persistent remote access, credential theft capability, and lateral movement potential. It has public detections in most major EDR platforms, making it a practical starting point for a threat hunt.

Ready to Reduce Your Human Cyber Risk?

Sign up and start training your team in minutes. No sales calls, no demos — just pick a plan and go. Phishing simulations, video courses, and certificates from day one.
