Chinese-speaking cybercrime group TA4922 expands attacks to Europe with new malware

AI-generated from multiple sources. Verify before acting on this reporting.

Update

BERLIN (AP) — Additional reports have emerged confirming the scope of the TA4922 campaign across European targets. New intelligence indicates the group has successfully compromised at least three additional financial institutions in France and Spain, expanding the geographic footprint beyond the initial reports of Germany, Italy, and the United Kingdom. The updated Atlas RAT variant is now being observed in active use within these new regions, with attackers leveraging the tool to exfiltrate sensitive customer data and banking credentials. Security firms note that the malware’s capabilities have been enhanced to bypass updated endpoint detection systems commonly deployed in Western European corporate networks. The group appears to be prioritizing mid-sized banking firms with cross-border transaction capabilities. No public attribution has been made by affected entities, though internal security teams are actively working to contain the breaches. The campaign’s timeline remains consistent with the initial early June 2026 onset, but the scale of operations has grown significantly in the past week.

Original Report

BERLIN (AP) — A Chinese-speaking cybercrime group known as TA4922 has expanded its operations into Europe, deploying a new variant of the Atlas Remote Access Trojan (RAT) to target financial institutions and corporate networks in Germany, Italy, and the United Kingdom.

The group, which has previously focused on targets in Asia, began the campaign in early June 2026. Security researchers identified the deployment of the updated Atlas RAT alongside other tools designed for financial fraud and data theft. The attacks aim to breach target networks to steal sensitive information and sell access to other criminal actors.

TA4922, described as a financially motivated threat actor, has shifted its geographic focus to include European entities. The campaign has also reached South Africa, indicating a broader expansion beyond the initial European targets. The group uses the malware to maintain persistent access to compromised systems, allowing it to exfiltrate credentials and financial data.

The new Atlas RAT variant includes enhanced capabilities for evading detection and maintaining long-term access within victim networks. This tool is part of a suite of malware used by the group to facilitate unauthorized transactions and data theft. The attacks are characterized by a focus on high-value targets that hold significant financial data or proprietary information.

Cybersecurity firms have noted the sophistication of the group's operations, which involve social engineering tactics and the exploitation of vulnerabilities in widely used software. The group's shift to European targets marks a significant change in their operational strategy, suggesting an adaptation to new market opportunities.

The expansion of TA4922's activities raises concerns among European cybersecurity officials about the potential for increased financial losses and data breaches. The group's ability to deploy new malware variants quickly indicates a high level of technical capability and resourcefulness.

As the investigation continues, cybersecurity experts are working to identify the full scope of the campaign and the extent of the damage caused. The group's motives remain primarily financial, with the sale of stolen data and network access being a key revenue stream.

The situation remains fluid as security teams work to patch vulnerabilities and mitigate the threat posed by TA4922. The group's continued evolution and expansion into new regions present ongoing challenges for global cybersecurity efforts.

No specific organizations have been publicly named as victims of the campaign, but the targeting of financial institutions and corporate networks suggests a broad impact across multiple sectors. The group's activities are expected to continue as they seek to maximize their financial gains from the compromised systems.

The deployment of the new Atlas RAT variant highlights the evolving nature of cyber threats and the need for robust defensive measures. As TA4922 expands its operations, the potential for further attacks on critical infrastructure and sensitive data remains a significant concern for cybersecurity professionals worldwide.
