The Chinese-linked threat actor TA4922 is conducting high-velocity cyberattacks across Europe and Africa using the previously undocumented Atlas RAT (also known as AtlasCross). The campaign relies on a social engineering technique dubbed "Silver Fox": attackers distribute weaponized VPN installers to gain unauthorized access to victim systems. By masquerading as legitimate remote-access software, the malware bypasses perimeter security controls. Once installed, Atlas RAT establishes a persistent backdoor, giving the operators remote command and control (C2) over the host. The rapid deployment of purpose-built malware marks a significant shift in the actor's operational scope and technical sophistication in targeting organizations that rely on VPN infrastructure.

  • Incident/Campaign Overview
    • Geographic expansion of targeting into European and African operational theaters.
    • Characterized by a "record campaign pace" in deployment velocity.
    • Primary focus on organizations that rely on VPNs for remote connectivity.
  • Attack Vector/Campaign Mechanics
    • Use of the "Silver Fox" delivery mechanism to facilitate infection.
    • Distribution of weaponized VPN installers designed to deceive end users.
    • Bypassing of perimeter security by mimicking legitimate software installation workflows.
  • Threat Group Profile/Malware Analysis
    • Identification of TA4922 as a suspected Chinese-speaking threat actor.
    • Deployment of Atlas RAT (AtlasCross), a previously undocumented backdoor.
    • Malware provides full Remote Access Trojan (RAT) functionality and persistent system access.
  • Indicators of Compromise (IoCs)/Defensive Actions
    • Monitor for network traffic associated with AtlasCross C2 infrastructure.
    • Validate the cryptographic integrity of all VPN and remote-access software.
    • Implement strict endpoint controls to mitigate unauthorized software installations.
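The integrity-validation action above is the one a defender can automate most directly: pin the SHA-256 digests a vendor publishes for its installers and refuse to run anything that does not match. The script below is an added example written for this briefing, not code from the page's sources or from any VPN vendor; the file name `vpn-client-setup.exe`, the manifest contents and the installer bytes are constructed placeholders, and `demo()` exercises a pristine copy, a tampered copy and a file with an unexpected name.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large installers do not load into memory


def sha256_file(path):
    """Return the lowercase hex SHA-256 of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path, manifest):
    """Check a downloaded installer against a pinned vendor manifest.

    manifest maps file name -> expected SHA-256 hex digest.
    Returns (ok, reason); ok is False for unknown names or digest mismatches.
    """
    name = Path(path).name
    expected = manifest.get(name)
    if expected is None:
        # A renamed or unexpected installer never gets a pass by default.
        return False, f"{name}: not present in the vendor manifest"
    actual = sha256_file(path)
    # Constant-time comparison avoids leaking how many leading bytes matched.
    if not hmac.compare_digest(actual, expected.lower()):
        return False, (f"{name}: SHA-256 mismatch "
                       f"(got {actual[:16]}..., expected {expected[:16]}...)")
    return True, f"{name}: matches the vendor manifest"


def demo():
    """Constructed scenario: pristine, tampered and unknown installers."""
    good_bytes = b"CONSTRUCTED-VPN-INSTALLER-BYTES\x00" * 1000  # placeholder content
    tampered_bytes = good_bytes[:-1] + b"\x01"                   # one byte altered
    manifest = {"vpn-client-setup.exe": hashlib.sha256(good_bytes).hexdigest()}

    results = {}
    with tempfile.TemporaryDirectory() as root:
        pristine = Path(root, "vendor", "vpn-client-setup.exe")
        tampered = Path(root, "mirror", "vpn-client-setup.exe")
        unknown = Path(root, "mirror", "vpn-client-setup-v2.exe")
        for p, data in ((pristine, good_bytes), (tampered, tampered_bytes), (unknown, good_bytes)):
            os.makedirs(p.parent, exist_ok=True)
            p.write_bytes(data)
        results["pristine"] = verify_installer(pristine, manifest)
        results["tampered"] = verify_installer(tampered, manifest)
        results["unknown"] = verify_installer(unknown, manifest)
    return results


if __name__ == "__main__":
    for label, (ok, reason) in demo().items():
        print(f"{label:9s} {'ALLOW' if ok else 'BLOCK':5s} {reason}")
```

The manifest should come from the vendor's signed release page or an out-of-band channel, never from the same download location as the installer; on Windows, pairing this with an Authenticode signature check gives a second, independent signal.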
