Last updated: July 5, 2026 at 9:01 AM UTC
Tag: ai-assisted-malware (3 articles)

Chinese cybercrime actor TA4922 expands to Europe with Atlas RAT and localized payroll/tax lures - likely LLM-accelerated malware

Proofpoint has detailed TA4922, a Chinese-speaking, financially motivated cybercrime group that has expanded from East Asia into Europe, deploying the previously undocumented Atlas backdoor against organizations in Germany, Italy, the UK, and South Africa. Since March its tempo has surged - Proofpoint says TA4922 now runs more unique campaigns than any other cybercrime actor in its data. Lures impersonate payroll notices, tax audits, VAT filings, compliance notices, invoices, and HR communications, with follow-up contact via WhatsApp, LINE, and Microsoft Teams. The group overlaps with activity reported as Silver Fox and Void Arachne. Proofpoint believes the rapidly expanding malware arsenal is being accelerated with LLMs, citing AI-generated code patterns and placeholder values left in the code.

Check
Hunt European endpoints for the Atlas backdoor and TA4922 custom loaders. Inspect email for payroll/tax/VAT/invoice lures and unsolicited WhatsApp, LINE, or Teams contact. Apply Proofpoint IoCs.
Affected
Organizations in Germany, Italy, the UK, and South Africa - TA4922's expanded European targets. Finance, HR, and tax-themed lures plus messaging-app outreach are the delivery vectors.
Fix
Apply Proofpoint IoCs and block Atlas RAT C2. Train finance and HR staff against tax/payroll/invoice lures and unsolicited messaging-app contact. Restrict execution of email-delivered loaders and scripts.

WithSecure: Russia-linked GREYVIBE targets Ukraine with AI-assisted malware via PhantomMail, PhantomRelay RAT, and ClickFix fake-CAPTCHA chains

WithSecure has attributed persistent attacks against Ukraine and Ukraine-related entities since at least August 2025 to GREYVIBE, a previously undocumented Russian-speaking group operating in the Russian time zone and aligned with Kremlin intelligence interests. Victims span military, government, civilian, and business organizations. The group uses spear-phishing (PhantomMail, delivering JavaScript loaders from Google Drive and 4sync), a PowerShell RAT called PhantomRelay, and ClickFix-style fake-CAPTCHA pages (PhantomClick) impersonating Zoom and a fake adult-club site (PrincessClub). WithSecure describes GREYVIBE as low-to-moderately sophisticated, hampered by repeated OPSEC mistakes, but increasingly relying on generative AI and LLMs to accelerate malware development. Some members have ties to the broader Russian cybercrime ecosystem.

Check
Hunt for PhantomRelay PowerShell RAT activity and JavaScript loaders from Google Drive or 4sync links. Block known GREYVIBE ClickFix domains impersonating Zoom. Apply WithSecure IoCs.
Affected
Ukrainian military, government, civilian, and business organizations and Ukraine-related entities. Delivery via spear-phishing, fake CAPTCHA pages, and fraudulent adult-club websites since August 2025.
Fix
Block GREYVIBE C2 and loader-hosting domains per WithSecure. Restrict PowerShell for standard users. Train staff against ClickFix fake-CAPTCHA 'paste this command' prompts. Monitor Google Drive/4sync archive downloads.

Iran's Nimbus Manticore (UNC1549) accelerated wartime ops with AI-assisted MiniFast backdoor, trojanized Zoom installers, and SEO poisoning of SQL Developer

Check Point has documented Iranian APT Nimbus Manticore (also tracked as UNC1549) accelerating its operations during US Operation Epic Fury rather than going quiet. The campaign hits aviation, software, and defense organizations in the US, Europe, and the Middle East via three waves: career-themed phishing using AppDomain hijacking to deploy MiniJunk (February), a trojanized Zoom installer that hijacks legitimate scheduled tasks to deliver the new MiniFast backdoor (March), and the group's first SEO poisoning campaign distributing a weaponized Oracle SQL Developer installer via getsqldeveloper[.]com (April). MiniFast shows signs of AI-assisted development: defensive coding patterns, verbose error strings, and modular structure.

Check
Search EDR for AppDomain hijacking patterns spawning unsigned DLLs from Microsoft-signed executables. Hunt for trojanized Zoom installers and visits to getsqldeveloper[.]com via DNS logs.
Affected
Aviation, software, defense, and telecom organizations in the US, Europe, and Middle East. Nimbus Manticore targets employees via fake career offers, fake Zoom meetings, and SEO poisoning.
Fix
Apply Check Point IoCs. Block getsqldeveloper[.]com and known Nimbus Manticore C2 infrastructure. Train staff against unsolicited career or meeting-invitation downloads. Strengthen endpoint allowlisting against unsigned DLL sideloading.