TA4922: The Suspected Chinese Crime Group is Going Global
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
TA4922 is a Chinese-speaking, financially driven cybercrime group that uses HR, payroll, tax, and invoicing themes to deliver credential-phishing pages, fraud schemes, and remote access malware. In 2025 and 2026, the group expanded beyond East Asia into Europe and Africa, deploying custom loaders such as Atlas RAT, RomulusLoader, and SilentRunLoader. Its campaigns commonly use malicious ZIP or RAR archives hosted on file-sharing platforms and rely on DLL sideloading to install the final payloads. The operation also uses a network of compromised domains and IP addresses to host loader components and command-and-control infrastructure.
Investigation
Proofpoint tracked several campaigns between March and April 2026 that delivered Atlas RAT, RomulusLoader, and SilentRunLoader through services such as GoFile, MediaFire, and similar hosting platforms. Malware analysis revealed custom PE loaders, DLL sideloading routines, abuse of legitimate remote management tools like AnyDesk, and command-and-control communications over non-standard ports. Investigators identified traffic to 206.238.115.58, 154.211.86.110, 43.156.77.97, and 103.214.172.33 as linked to the group’s C2 infrastructure. They also observed Chrome data exfiltration through ws.ztts88.cyou.
Mitigation
Defenders should enforce application allow-listing, block execution from temporary user directories, monitor writes to sensitive system paths, restrict outbound traffic to unusual ports, and apply least-privilege controls for local user accounts. Detection efforts should focus on DLL sideloading patterns, suspicious process injection behavior, and outbound connections to the identified domains and IP addresses. These measures can help reduce the likelihood of successful infection and limit attacker movement after compromise.
Response
If TA4922 activity is detected, isolate the affected endpoint immediately, terminate suspicious processes, and remove any malicious DLLs or executables from the host. Conduct forensic analysis to uncover persistence mechanisms, including copied binaries placed in paths such as C:\Program Files\Common Files. Block the known malicious domains and IP addresses at the firewall, notify users about the phishing lures involved in the campaign, and update detection logic to cover the associated filenames and network indicators.
Attack Flow
graph TB
  %% Class definitions
  classDef action fill:#99ccff
  classDef tool fill:#ffcc99
  %% Node definitions
  action_initial_access["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b>, <b>T1566.002 Phishing: Link</b><br/><b>Description</b>: Victims receive emails with malicious ZIP or IMG files, or links to files hosted on GoFile or MediaFire."]
  class action_initial_access action
  action_dll_sideloading["<b>Action</b> – <b>T1574.001 DLL Side-Loading</b><br/><b>Description</b>: Malicious DLL placed alongside a legitimate executable causing the host program to load attacker code."]
  class action_dll_sideloading action
  tool_vulkan_loader["<b>Tool</b> – <b>Name</b>: Vulkan Loader<br/><b>Description</b>: Legitimate graphics loader abused as the carrier for DLL side-loading."]
  class tool_vulkan_loader tool
  action_process_injection["<b>Action</b> – <b>T1055 Process Injection</b><br/><b>Description</b>: Injected workers run inside svchost or dllhost processes to gain higher privileges and hide activity."]
  class action_process_injection action
  action_vm_checks["<b>Action</b> – <b>T1497.001 Virtualization/Sandbox Evasion</b> and <b>T1497.002 System Checks</b><br/><b>Description</b>: Checks for WDAGUtilityAccount, DNS suffix and other indicators to detect analysis environments."]
  class action_vm_checks action
  action_c2_nonstandard_port["<b>Action</b> – <b>T1571 Non-Standard Port</b><br/><b>Description</b>: Command and control traffic uses custom HTTP ports to avoid typical detection rules."]
  class action_c2_nonstandard_port action
  action_c2_web_service["<b>Action</b> – <b>T1102.002 Web Service Bidirectional</b><br/><b>Description</b>: Uses HTTP over the custom ports for two-way communication with C2 servers."]
  class action_c2_web_service action
  tool_anydesk["<b>Tool</b> – <b>Name</b>: AnyDesk<br/><b>Description</b>: Remote desktop application leveraged for persistent control and data exfiltration."]
  class tool_anydesk tool
  tool_syncfuture_rmm["<b>Tool</b> – <b>Name</b>: SyncFuture RMM<br/><b>Description</b>: Remote monitoring and management platform used to move laterally and execute commands."]
  class tool_syncfuture_rmm tool
  %% Connections
  action_initial_access -->|leads_to| action_dll_sideloading
  action_dll_sideloading -->|uses| tool_vulkan_loader
  action_dll_sideloading -->|enables| action_process_injection
  action_process_injection -->|enables| action_vm_checks
  action_vm_checks -->|precedes| action_c2_nonstandard_port
  action_c2_nonstandard_port -->|communicates_with| action_c2_web_service
  action_c2_web_service -->|uses| tool_anydesk
  action_c2_web_service -->|uses| tool_syncfuture_rmm
Detections
- Short File Name (via cmdline)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns)
- Suspicious Command and Control by Unusual Top Level Domain (TLD) DNS Request (via dns)
- IOCs (HashSha256) to detect: TA4922: The Suspected Chinese Crime Group is Going Global
- IOCs (SourceIP) to detect: TA4922: The Suspected Chinese Crime Group is Going Global
- IOCs (DestinationIP) to detect: TA4922: The Suspected Chinese Crime Group is Going Global
- Detection of C2 Communication for TA4922 Malware [Windows Network Connection]
- Detection of TA4922 Malware Activities via DLL Sideloading and Specific Malware Execution [Windows Process Creation]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
- Attack Narrative & Commands:
The threat actor has already achieved persistence on the victim (e.g., via a Run key – T1546.010) and injected a malicious DLL (T1574.001). The next step is to establish a beacon to the C2 server to retrieve further instructions. The actor uses a native Windows binary (powershell.exe) to avoid triggering classic malware signatures, sending a simple HTTP GET request to the hard-coded malicious IP 206.238.115.58. Because the IP is enumerated in the Sigma rule, this network connection should fire the alert.
- Regression Test Script:
<# Simulation script – triggers the TA4922 C2 detection rule.
   Steps:
   1. Launch PowerShell in a concealed window.
   2. Make an HTTP request to a malicious IP from the rule's list.
   3. Sleep briefly to ensure the Sysmon event is flushed.
   4. Exit.
#>
# Hide the PowerShell window (optional for realism)
$psWindow = Get-Process -Id $PID | Select-Object -ExpandProperty MainWindowHandle
if ($psWindow) {
    # Add-Type throws if the type already exists in this session, so define it only once
    if (-not ('Win32' -as [type])) {
        Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("user32.dll")]
    public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
}
"@
    }
    [Win32]::ShowWindowAsync($psWindow, 0) | Out-Null   # 0 = SW_HIDE
}
# Malicious C2 beacon
$maliciousIp = "206.238.115.58"
$uri = "http://$maliciousIp/healthcheck"
try {
    Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 5 | Out-Null
} catch {
    # Expected to fail if the IP is not reachable; the connection attempt still generates Sysmon EventID 3.
}
# Give Sysmon time to write the event
Start-Sleep -Seconds 3
- Cleanup Commands:
# Restore the hidden window (if applied) and clear any temporary artifacts.
# Assumes this runs in the same session as the test script, so $psWindow is still set.
if ($psWindow) {
    if (-not ('Win32' -as [type])) {
        Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("user32.dll")]
    public static extern bool ShowWindowAsync(IntPtr hWnd, int nCmdShow);
}
"@
    }
    [Win32]::ShowWindowAsync($psWindow, 5) | Out-Null   # 5 = SW_SHOW
}
# No files were written, but clear the DNS cache as a good practice
ipconfig /flushdns
Post‑Simulation Verification
- Alert Confirmation: Query the SIEM for alerts generated by the rule within the last 5 minutes.
// Sentinel KQL – fetch alerts from the TA4922 C2 rule
SecurityAlert
| where AlertRuleId == "b46e7470-5f54-4f2d-b5cc-cb0e51735555"
| order by TimeGenerated desc
| project TimeGenerated, AlertName, Severity, Description, Entities
- Event Correlation: Verify that the underlying Sysmon NetworkConnect event matches the malicious IP.
// Sentinel KQL – matching Sysmon EventID 3 (NetworkConnect) records.
// Assumes a Sysmon table or parser function is present in the workspace.
Sysmon
| where EventID == 3
| where DestinationIp == "206.238.115.58"
| project TimeGenerated, ProcessName, DestinationIp, DestinationPort, InitiatingProcessFileName
| sort by TimeGenerated desc
If both the alert and the corresponding network event appear, the detection rule is functioning as intended.
Recommendations for Hardening
- Broaden Indicator Scope: Add known malicious domains and URL patterns to the rule; use DNS query logs to catch domain‑based C2 even when IPs rotate.
- Behavioural Enrichment: Incorporate thresholds (e.g., “more than X distinct outbound connections to rare IPs within Y minutes”) to reduce false positives and increase resilience.
- Threat‑Intel Feeds: Automate periodic updates of the IP/domain list from reputable threat‑intel sources, reducing manual staleness.
- Layered Detection: Combine the network-based rule with a process-creation rule that looks for suspicious PowerShell or wget/curl usage tied to known loader hashes.
- Alert Tuning: Set a Medium severity for initial detections and require a second factor (e.g., anomalous user context) before escalating to High, mitigating alert fatigue.