TA4922 "SilentRunLoader" Malware Campaign Targeting UK/Europe
Summary
The sophisticated threat actor TA4922, suspected to be of Chinese origin, has launched a new global campaign. Using new malware families such as SilentRunLoader and RomulusLoader, the group is specifically targeting organizations in the United Kingdom and Europe. The attackers use localized lures, often themed around Human Resources (HR) and payroll, to infiltrate critical business functions.
What happened?
TA4922 has significantly increased its operational tempo, deploying new infrastructure and advanced malware. The campaign employs malicious emails with attachments or links aimed at installing SilentRunLoader and RomulusLoader. A notable feature is the use of localized content specifically tailored for European and British companies. The malware serves as a loader for additional malicious software, granting the attackers persistent access to infected systems.
Why it matters
The focus on HR and payroll themes indicates that the attackers are deliberately targeting departments with access to sensitive employee data and financial information. Because TA4922 is linked to state-sponsored actors, this campaign poses a significant risk to the security posture and intellectual property of European enterprises. The high professionalism of the lures makes detection by conventional security solutions difficult.
Evidence
Proofpoint has documented the evolution of TA4922 in detail and identified the new malware tools. Reports from Hackread confirm the targeted attacks on European infrastructure. Security researchers have identified specific Indicators of Compromise (IOCs) for SilentRunLoader, pointing to a coordinated and well-resourced campaign.
Analysis
The use of loaders like SilentRunLoader suggests a staged strategy in which the actual payload is delivered only later, to evade detection at the point of initial compromise. The expansion of the group's activities from Asian targets to the West signals a strategic realignment. The localization of attack vectors (language, thematic relevance) drastically increases the success rate of phishing attempts.
Practical Takeaways
- Inform IT Security Teams: Issue immediate warnings regarding SilentRunLoader indicators.
- Employee Awareness: Human Resources and accounting departments should be specifically alerted to emails on HR and payroll topics that arrive from external sources.
- Technical Filters: Email security solutions should be updated with TA4922-specific IOCs.
- Multi-Factor Authentication (MFA): Ensure all critical accounts are protected by MFA to minimize the impact of stolen credentials.
Open Questions
- Which specific industries in Europe are most affected?
- Are there already insights into the ultimate goals of exfiltration (espionage or financial motives)?
- What is the full extent of the localized lures used in different European countries?