A China-linked threat actor, TA4922, has expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known malware families including ValleyRAT and Atlas RAT, with a rapidly evolving toolkit suggesting well-resourced, sustained operations. This represents a significant escalation in geographic scope and poses a direct threat to European enterprises.

Architect’s Take: Review and tighten email gateway controls to block phishing lures associated with TA4922, and ensure endpoint detection rules cover ValleyRAT (Winos 4.0) and Atlas RAT indicators. Consider hunting for lateral movement or C2 beaconing patterns consistent with these RAT families across cloud-hosted workloads and on-premises infrastructure.

Original advisory: China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa

A China-linked threat group, TA4922, has significantly expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known remote access trojans including ValleyRAT and Atlas RAT, with a fast-moving operational pace and an evolving malware toolkit. This matters because the expansion into European markets signals a deliberate strategic shift, increasing risk for organisations in these regions.

Architect’s Take: Review email gateway and endpoint detection rules for ValleyRAT (Winos 4.0) and Atlas RAT indicators of compromise, and ensure phishing-resistant MFA is enforced across all cloud console and SaaS access points. Consider threat intelligence feeds covering Chinese APT activity to stay ahead of this group’s rapidly evolving malware arsenal.

Original advisory: China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa