Threat Actor Profile

TA4922

No known aliases in database
▲ High Threat
Global Expansion Campaign, Japan HR/Corporate Phishing Campaign, East Asia Tax-Themed Phishing
Origin: China
Motivation: Financial gain (specifically fraud, data theft, and the resale of network access)

Target Sectors

Corporate organizations
Human Resources departments
Finance and Payroll departments
Organizations in East Asia (Japan, Taiwan, South Korea, Singapore, Malaysia, Indonesia, India)
Organizations in Europe (United Kingdom, Germany, Italy)
Organizations in Africa (South Africa)

Known TTPs

Localized phishing lures (tax, payroll, HR, and invoice themes)
Social engineering to shift victims to out-of-band platforms (WhatsApp, LINE, Microsoft Teams)
DLL sideloading for payload execution
Deployment of custom loaders (RomulusLoader, SilentRunLoader)
Use of Remote Access Trojans (Atlas RAT, ValleyRAT/Winos 4.0)
Abuse of legitimate remote monitoring and management (RMM) tools like AnyDesk
Hosting malicious archives on consumer file-sharing services (GoFile, MediaFire)
Credential phishing pages
Impersonation of national tax authorities and corporate finance leadership

External Resources

CISA Advisories ↗

Related Intelligence

