The Chinese-linked threat actor TA4922 is conducting high-velocity cyberattacks across Europe and Africa using the previously undocumented Atlas RAT (also known as AtlasCross). The campaign uses a social engineering technique dubbed "Silver Fox," in which attackers distribute weaponized VPN installers to gain unauthorized system access. By masquerading as legitimate remote-access software, the malware bypasses perimeter security controls. Once installed, Atlas RAT establishes persistent backdoor access and gives the operators remote command and control (C2) over the host. The rapid deployment of purpose-built malware marks a significant shift in the actor's operational scope and technical sophistication, with organizations that rely on VPN infrastructure as the primary targets.
Incident/Campaign Overview
- Geographic expansion of targeting into European and African operational theaters.
- Characterized by a "record campaign pace" in deployment velocity.
- Primary focus on organizations leveraging VPNs for remote connectivity.
Attack Vector/Campaign Mechanics
- Use of the "Silver Fox" delivery mechanism to achieve initial infection.
- Distribution of weaponized VPN installers designed to deceive end users.
- Bypass of perimeter security by mimicking legitimate software installation workflows.
Threat Group Profile/Malware Analysis
- Identification of TA4922 as a suspected Chinese-speaking threat actor.
- Deployment of Atlas RAT (AtlasCross), a previously undocumented backdoor.
- Malware provides full Remote Access Trojan (RAT) functionality and persistent system access.
Indicators of Compromise (IoCs)/Defensive Actions
- Monitor for network traffic associated with AtlasCross C2 infrastructure.
- Validate the cryptographic integrity of all VPN and remote-access software.
- Implement strict endpoint controls to mitigate unauthorized software installations.