Date: 06/05/2026
Severity: High
Summary
In March and April 2026, threat actor TA4922 significantly increased its operational tempo. The team identified a series of campaigns demonstrating a major evolution in the actor's malware tooling. The attacker relied primarily on human resources and business-themed lures to target victims. These campaigns delivered credential phishing, fraud, and a newly identified malware called Atlas RAT. New loader families, designated RomulusLoader and SilentRunLoader, were also introduced to stage additional tools. The diverse payloads mark a significant shift in TA4922’s tactics, techniques, and procedures.
Indicators of Compromise (IOC) List
Domains/URLs: https://nwphotoblog.com, https://ws.ztts88.cyou/file/cg.exe, https://ws.ztts88.cyou/upload.php
IP Addresses: 206.238.115.58, 154.211.86.110, 43.156.77.97, 103.214.172.33, 18.139.83.110
Hash (SHA-256): (list of 14 hashes omitted; the full set appears verbatim in Detection Query 3 below)
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1:
domainname like "https://ws.ztts88.cyou/upload.php" or url like "https://ws.ztts88.cyou/upload.php" or siteurl like "https://ws.ztts88.cyou/upload.php" or domainname like "https://nwphotoblog.com" or url like "https://nwphotoblog.com" or siteurl like "https://nwphotoblog.com" or domainname like "https://ws.ztts88.cyou/file/cg.exe" or url like "https://ws.ztts88.cyou/file/cg.exe" or siteurl like "https://ws.ztts88.cyou/file/cg.exe"
Detection Query 2:
dstipaddress IN ("206.238.115.58","18.139.83.110","103.214.172.33","43.156.77.97","154.211.86.110") or srcipaddress IN ("206.238.115.58","18.139.83.110","103.214.172.33","43.156.77.97","154.211.86.110")
Detection Query 3:
sha256hash IN ("9d0a55c545c4147956db2c2667c4ed931a2875309147548b1dfdd216228f5f73","de82998ad5fcd63deae030803388e0fb4290d6223fda82368fd25b99b823f0d2","2d2a251a88632f010fd9671789746908eeccaa5bc5c0a5d25e4649efe4f5b15d","a75eab31d7ff06b6864960ad7e633be3f9730ff3d3873e4539c8f425fc632dad","0857148fb0bc4aa7adf967ede2307bdb4fc427065d5b6a6db132688a5a8e1eb8","a648db354820ea4d02940cb1702b35974513b7aae83f6dffaacaac4ba31f9295","314f4b59535d1b783e1c20c2be00f9e30f8ed27b2e21fad06a73b47ea43279ef","584a9448dda46bd590d7a2f86228100d2ae6e0d6d990c1a4459ed5ee28e07ae8","e0a6a71c605d9a4076147e9537f82f79f1e1eccadc874595160aa4637ff4088c","66a3836b9a17771bce2161f6b73cbc2494a91e49d6aa30d2d53711e8d10de60d","4fcfa88fffacbce30bbe2136753c9ab5a4c092940d2406fd9d44d5118e745b9d","40b41979b317406f8abc601677a3b93aaf6ef8ab8ac188b8f383735e388f13b5","8c9b6542f73c5c7fe455b52f5101314407da4f65ff48e7ebf6896605e607c8d0","3119cf37b8267db8a2dcd11d9a83d5237d7ef1e42388e7c9afa2831b91da8a2d")
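As an added example (not part of the advisory or of Gurucul's own queries), the Python below normalises the URL indicators listed above to bare hostnames and checks constructed log records against the domain, URL and IP indicators; the log field names (domainname, url, srcipaddress, dstipaddress) are an assumption about the log schema.

```python
from urllib.parse import urlparse

# Indicators copied from the advisory above.
URL_IOCS = [
    "https://nwphotoblog.com",
    "https://ws.ztts88.cyou/file/cg.exe",
    "https://ws.ztts88.cyou/upload.php",
]
IP_IOCS = {"206.238.115.58", "154.211.86.110", "43.156.77.97",
           "103.214.172.33", "18.139.83.110"}


def ioc_hosts(urls):
    """Hostnames behind the URL indicators, lower-cased.

    A 'domainname' field normally holds only the host, so a literal
    comparison against the full URL string would never match it."""
    return {urlparse(u).hostname.lower() for u in urls}


def record_matches(record, hosts, ips, urls):
    """True if one log record hits a domain, URL or IP indicator.

    Field names (domainname, url, srcipaddress, dstipaddress) are an
    assumption about the log schema, not taken from the advisory."""
    host = (record.get("domainname") or "").lower()
    url = record.get("url") or ""
    url_host = (urlparse(url).hostname or "").lower()
    if host in hosts or url_host in hosts or url in urls:
        return True
    return bool({record.get("srcipaddress"), record.get("dstipaddress")} & ips)


# Constructed sample records (not real telemetry).
SAMPLE_LOGS = [
    {"id": "r1", "domainname": "ws.ztts88.cyou", "dstipaddress": "203.0.113.9"},
    {"id": "r2", "domainname": "example.com", "dstipaddress": "198.51.100.7"},
    {"id": "r3", "url": "https://nwphotoblog.com/jobs/offer.html"},
    {"id": "r4", "srcipaddress": "10.0.0.5", "dstipaddress": "43.156.77.97"},
    {"id": "r5", "url": "https://notnwphotoblog.com/"},  # host differs: no hit
]


def scan(records):
    """Return the ids of records that match any indicator."""
    hosts = ioc_hosts(URL_IOCS)
    return [r["id"] for r in records
            if record_matches(r, hosts, IP_IOCS, set(URL_IOCS))]


if __name__ == "__main__":
    print(scan(SAMPLE_LOGS))  # ['r1', 'r3', 'r4']
```

Record r3 is flagged through its hostname even though its path differs from the listed URL, while r5 is not flagged because host matching is exact rather than substring-based.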
Reference:
https://www.proofpoint.com/us/blog/threat-insight/ta4922-suspected-chinese-crime-group-going-global