Researchers Say Group Uses LLMs to Accelerate Malware Creation
A financially motivated Chinese cybercrime group is delivering "vibe-coded" malware, written with the help of AI, to corporate email inboxes, according to researchers.
The newly designated group, tracked as TA4922 by AI security firm Proofpoint, ramped up phishing activity in March and April to remotely enter victim environments for data theft, fraud and resale of access.
Combining its sophisticated social-engineering workflow with previously unknown loader families and malware payloads, TA4922 showcases the capabilities of the larger Chinese-language cybercrime marketplace that’s constantly evolving and extending its tentacles worldwide.
While Japan remains the group’s biggest target, other Asian countries, including India and Singapore, as well as European organizations in the United Kingdom and Germany, are all receiving AI-assisted content tailored to local languages and cultural norms.
“TA4922 currently conducts more unique campaigns than any other tracked cybercrime threat actor in Proofpoint threat data, demonstrating high operational tempo, a variety of lures and multiple objectives,” Proofpoint says in a report.
TA4922’s campaign starts with emails that resemble tax audits, internal human resources notifications or customer service communications. One email focuses on personnel-related changes and compensation and instructs the recipient to click on a URL hosted on a widely known file-sharing platform to review paperwork.
After the victim opens a ZIP archive containing a malicious DLL and triggers DLL side-loading, one of two newly discovered loaders, RomulusLoader or SilentRunLoader, is deployed to deliver additional malware.
Notably, SilentRunLoader is a vibe-coded Python stealer, named for the script filename the attackers gave it, “silent_run_and_upload.py”. Researchers spotted numerous unchanged placeholders and comments in Simplified Chinese in the malware’s configuration code, all of which look like the work of an LLM.
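The two traits just described give defenders something to triage on: an executable shipped beside a DLL inside the attachment, and a Python script that still carries unfilled template placeholders and Chinese-language comments. The script below is an added illustration, not Proofpoint's or the actor's code; it assumes the archive also carries the host executable that side-loads the DLL (the report only mentions the DLL), and the placeholder patterns are assumed, not taken from the real sample.

```python
import io
import re
import zipfile

# Assumed placeholder patterns; LLM-generated templates often leave these unfilled.
PLACEHOLDER_RE = re.compile(r"YOUR_[A-Z_]+|REPLACE_ME|<[A-Z_ ]+>|\{\{[^}]+\}\}")
# A '#' comment containing any CJK Unified Ideograph.
CJK_COMMENT_RE = re.compile(r"#.*[\u4e00-\u9fff]")


def sideload_candidates(names):
    """Pair every .exe with each .dll in the same archive directory."""
    by_dir = {}
    for name in names:
        folder, _, base = name.rpartition("/")
        ext = base.lower().rpartition(".")[2]
        by_dir.setdefault(folder, {}).setdefault(ext, []).append(name)
    return [(exe, dll) for exts in by_dir.values()
            for exe in exts.get("exe", []) for dll in exts.get("dll", [])]


def template_residue(source):
    """Count unfilled placeholders and Chinese-language comment lines."""
    return {"placeholders": len(PLACEHOLDER_RE.findall(source)),
            "cjk_comments": len(CJK_COMMENT_RE.findall(source))}


def triage_zip(data):
    """Report side-loading pairs and per-script residue counts for a ZIP blob."""
    report = {"sideload_pairs": [], "python_residue": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        report["sideload_pairs"] = sideload_candidates(names)
        for name in names:
            if name.lower().endswith(".py"):
                text = zf.read(name).decode("utf-8", errors="replace")
                report["python_residue"][name] = template_residue(text)
    return report


def build_sample_zip():
    """Constructed sample, not a real artifact: EXE, DLL and a placeholder script."""
    script = "# 上传配置\nURL = 'YOUR_UPLOAD_URL'\nTOKEN = '{{token}}'\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/review.exe", b"MZ")
        zf.writestr("docs/version.dll", b"MZ")
        zf.writestr("docs/silent_run_and_upload.py", script)
    return buf.getvalue()
```

Both checks are heuristics for prioritising attachments for sandboxing, not verdicts; a legitimate installer can ship an EXE next to a DLL, and a benign script can contain Chinese comments.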
“We assess with high confidence that this group is likely using LLMs to rapidly develop new Python-based malware. TA4922 seems to be deploying ‘new’ malware at a very fast rate, also leading us to believe that much of it is vibe-coded,” Proofpoint says.
AI has been adopted widely in the Chinese cybercrime ecosystem: phishing-as-a-service products use it to sound fluent and native in hundreds of languages, and AI-powered automation tools enable high-quality visual cloning that helps scam pages look legitimate.
Malware production supercharged by AI models adds another use case, showcasing how frontier technology has lowered the barrier for financially interested parties to enter the industry.
Aside from loaders, some emails in the campaign might instead contain a recently identified remote access Trojan, Atlas RAT.
“Atlas RAT is a fully featured backdoor consisting of multiple stages with a final download of a ‘core’ module, and one or more auxiliary plugins that can be requested and downloaded from the C2,” Proofpoint says.
The malware is capable of reconnaissance and target selection, data exfiltration and continual plugin add-ons. It also can record audio and video, track every key pressed on a keyboard, capture clipboards and screenshots and reboot systems.
“While the actor is assessed to be financially motivated, the capabilities of the malware include the potential for surveillance, which could be used by or sold to espionage groups,” Proofpoint says.
The same malware was first associated with Chinese advanced threat actor Silver Fox, with which TA4922 shares significant tooling overlap. This suggests that TA4922 is operating within a broad cybercrime ecosystem in which malware families and tools are shared among multiple actors.
Although Silver Fox and TA4922 overlap in targeting, malware and email themes, researchers say TA4922 should be considered a standalone actor because its approach of bundling malware with AI editing applications is distinct.
