A China-linked threat actor, TA4922, has expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known malware families including ValleyRAT and Atlas RAT, with a rapidly evolving toolkit suggesting well-resourced, sustained operations. This represents a significant escalation in geographic scope and poses a direct threat to European enterprises.

Architect’s Take: Review and tighten email gateway controls to block phishing lures associated with TA4922, and ensure endpoint detection rules cover ValleyRAT (Winos 4.0) and Atlas RAT indicators. Consider hunting for lateral movement or C2 beaconing patterns consistent with these RAT families across cloud-hosted workloads and on-premises infrastructure.

Original advisory: China-Linked TA4922 Expands Phishing Attacks to U.K., Germany, Italy, and South Africa

A China-linked threat group, TA4922, has significantly expanded its phishing campaigns beyond its previous targets to now include organisations in the UK, Germany, Italy, and South Africa. The group is deploying known remote access trojans including ValleyRAT and Atlas RAT, with a fast-moving operational pace and an evolving malware toolkit. This matters because the expansion into European markets signals a deliberate strategic shift, increasing risk for organisations in these regions.

Architect’s Take: Review email gateway and endpoint detection rules for ValleyRAT (Winos 4.0) and Atlas RAT indicators of compromise, and ensure phishing-resistant MFA is enforced across all cloud console and SaaS access points. Consider threat intelligence feeds covering Chinese APT activity to stay ahead of this group’s rapidly evolving malware arsenal.

Original advisory: China-Linked TA4922 Expands Phishing Attacks to UK, Germany, Italy, and South Africa

Attackers are exploiting Google’s DoubleClick ad-serving domain as a redirect hop in malicious email campaigns, using its trusted reputation to bypass security filters before delivering the DesckVB remote access trojan. Because many email and web security tools whitelist or deprioritise scrutiny of well-known Google-owned domains, the technique significantly increases the likelihood of successful delivery. Once installed, a RAT gives attackers persistent remote control over the victim’s machine.

Architect’s Take: Review your email and web proxy security policies to ensure that redirects through trusted domains — including Google-owned properties like DoubleClick — are still subject to full URL chain inspection and sandbox detonation. Consider enforcing policies that follow and evaluate the final destination URL rather than trusting the initial domain at face value.

Original advisory: Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT

Attackers are exploiting Google’s DoubleClick ad-serving domain as a redirect layer in malicious spam emails, using its trusted reputation to bypass security filtering tools before routing victims to attacker-controlled infrastructure that delivers the DesckVB remote access trojan. Because DoubleClick is a widely trusted Google domain, many email and web security products will not flag the initial link as suspicious. This technique is a growing trend of abusing legitimate cloud services to obscure the early stages of an attack chain.

Architect’s Take: Review your email and web proxy security controls to ensure they inspect the full redirect chain rather than trusting links solely based on the root domain — allowlisting DoubleClick or similar Google domains without inspecting downstream redirects creates a blind spot. Consider enforcing URL rewriting and sandboxed link-following in your email security gateway, and ensure endpoint detection controls are tuned to flag RAT behaviour post-delivery.

Original advisory: Google DoubleClick Abused in New Malspam Campaign to Deliver DesckVB RAT