Last updated: July 5, 2026 at 9:01 AM UTC
Tag: europe (3 articles)

Chinese cybercrime actor TA4922 expands to Europe with Atlas RAT and localized payroll/tax lures - likely LLM-accelerated malware

Proofpoint has detailed TA4922, a Chinese-speaking financially-motivated cybercrime group that has expanded from East Asia into Europe, deploying the previously undocumented Atlas backdoor against organizations in Germany, Italy, the UK, and South Africa. Since March its tempo has surged - Proofpoint says TA4922 now runs more unique campaigns than any other cybercrime actor in its data. Lures impersonate payroll notices, tax audits, VAT filings, compliance notices, invoices, and HR communications, with follow-up contact via WhatsApp, LINE, and Microsoft Teams. The group overlaps with activity reported as Silver Fox and Void Arachne. Proofpoint believes the rapidly expanding malware arsenal is being accelerated with LLMs, citing AI-generated code patterns and placeholder values.

Check
Hunt European endpoints for the Atlas backdoor and TA4922 custom loaders. Inspect email for payroll/tax/VAT/invoice lures and unsolicited WhatsApp, LINE, or Teams contact. Apply Proofpoint IoCs.
Affected
Organizations in Germany, Italy, the UK, and South Africa - TA4922's expanded European targets. Finance, HR, and tax-themed lures plus messaging-app outreach are the delivery vectors.
Fix
Apply Proofpoint IoCs and block Atlas RAT C2. Train finance and HR staff against tax/payroll/invoice lures and unsolicited messaging-app contact. Restrict execution of email-delivered loaders and scripts.

TrickMo Android banker hides command-and-control inside Telegram's TON blockchain network to dodge takedowns

The TrickMo Android banking malware now routes its command-and-control through The Open Network (TON), the decentralized peer-to-peer network originally developed by Telegram, making the C2 infrastructure much harder to identify or take down. ThreatFabric (which tracks this variant as Trickmo.C) has been watching it since January in campaigns hitting users in France, Italy, and Austria. The malware disguises itself as TikTok or streaming apps and steals banking credentials and crypto wallet keys via phishing overlays, keylogging, SMS interception, OTP suppression, and live screen recording. The new variant also adds SSH tunneling, port forwarding, and SOCKS5 proxy commands, turning an infected phone into a pivot point into whatever network it is connected to.

Check
Check MDM logs for users in France, Italy, or Austria who side-loaded apps masquerading as TikTok or streaming services since January 2026. Flag corporate phones showing outbound TON network traffic.
Affected
Android devices belonging to users in France, Italy, and Austria that side-loaded apps disguised as TikTok or streaming services. Banking and cryptocurrency-wallet credentials, SMS-delivered OTPs, screen contents, and keystrokes are all at risk. Because the C2 channel rides on TON rather than on attacker-registered domains, traditional domain blocking and DNS-based filters will not see the C2 traffic; they may still catch the initial app download, but not the beaconing.
Fix
Confirm Google Play Protect is active and side-loading is blocked on all managed Android devices. For potentially infected users, perform a full factory reset, reinstall apps only from Google Play, and reset banking and cryptocurrency credentials from a known-clean device. Add TON peer-to-peer traffic (the ADNL protocol TON nodes use to talk to each other) to egress monitoring - while you cannot decrypt it, corporate devices have no business speaking to TON nodes, so any volume of it from the corporate network is a signal.

Dutch cosmetics giant Rituals discloses 'My Rituals' membership database breach

Rituals, the Amsterdam-headquartered cosmetics and home fragrance retailer with roughly 1,000 stores across Europe, the Middle East, and North America, disclosed on April 23 that attackers stole personal information from its 'My Rituals' membership database. The company has not yet said how many members were affected, only that 'personal information' was exfiltrated. No payment card data is reported to have been compromised. Rituals' membership program collects name, email, postal address, and purchase history to drive a loyalty and personalization program, so the exposed fields are ideal material for branded-lookalike phishing and physical-mail fraud referencing real past purchases. The company says it has informed Dutch data protection regulator Autoriteit Persoonsgegevens and is working with an external incident response firm. Rituals did not attribute the breach to a named group and has not described the initial access vector; the disclosure follows a wider April 2026 pattern in which loyalty and membership databases are repeatedly showing up as soft targets for extortion actors looking for PII-heavy datasets.

Check
If your staff or customers subscribe to Rituals memberships (especially in Europe where store density is highest) brief them that loyalty-themed phishing is likely to follow and add rituals.com lookalike domains to your brand monitoring watchlist.
Affected
Anyone with a 'My Rituals' loyalty membership. Businesses that have ever used Rituals for corporate gifting and stored staff contact details in the member account. Organizations with marketing-driven email collection at Rituals store counters for staff-appreciation programs.
Fix
Monitor user phishing reports and mail-gateway detections for any message claiming to be from Rituals or a Rituals partner. If your organization collected staff contact details through a Rituals-branded corporate gifting campaign, notify those staff proactively. Add rituals-[typo].com lookalikes to your mail-gateway blocklist and brand-monitoring ruleset, and check your DMARC aggregate reports for anyone attempting to spoof your own domains in the same campaign. Rotate any password that was reused between a My Rituals account and another service. For European users, watch for follow-up notifications from Autoriteit Persoonsgegevens once the breach scope is confirmed, and remember that if the breach touches data your own organization shared with Rituals, the GDPR 72-hour notification clock applies to you as a controller too.
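The lookalike-domain step above is easy to state and tedious to do by hand. The following is an added example (not code from the original page or from Rituals) that generates the typosquat candidates a brand-monitoring rule would want for the rituals name and matches them against a list of sender domains pulled from mail logs. The TLD list, the affix list, the homoglyph table and the sample sender domains are all constructed for illustration; treating rituals.com as the only genuine domain is an assumption.

```python
"""Typosquat candidate generation and sender-domain matching for brand monitoring.

Added example, not code from the original page or from Rituals. The brand,
TLD list, affixes and sample sender domains below are constructed for
illustration; treating rituals.com as the only legitimate domain is an assumption.
"""

BRAND = "rituals"
TLDS = ("com", "nl", "co.uk", "de", "it")
LEGIT = ("rituals.com",)  # assumption: the one genuine domain and its subdomains

# Look-alike characters used for homoglyph substitution (illustrative subset).
HOMOGLYPHS = {"i": "1l", "l": "1i", "a": "4", "s": "5", "t": "7", "u": "v", "o": "0"}

# Affixes commonly bolted onto a brand, matching the "rituals-[typo]" pattern.
AFFIXES = ("login", "account", "rewards", "support", "my", "membership")


def candidate_labels(brand: str) -> set:
    """Return hostname labels one edit away from the brand, plus affix variants."""
    cands = set()
    n = len(brand)
    for i in range(n):
        cands.add(brand[:i] + brand[i + 1:])                 # omission: ritals
        cands.add(brand[:i + 1] + brand[i] + brand[i + 1:])  # doubling: rittuals
        for sub in HOMOGLYPHS.get(brand[i], ""):
            cands.add(brand[:i] + sub + brand[i + 1:])       # homoglyph: r1tuals
        if i < n - 1:
            cands.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])  # swap: ritauls
    for affix in AFFIXES:
        cands.add(f"{brand}-{affix}")
        cands.add(f"{affix}-{brand}")
    cands.discard(brand)
    return cands


def candidate_domains(brand: str = BRAND, tlds=TLDS) -> set:
    """Cross the labels with the TLDs the brand is likely to be imitated under."""
    return {f"{label}.{tld}" for label in candidate_labels(brand) for tld in tlds}


def flag_lookalikes(observed, brand: str = BRAND, tlds=TLDS, legit=LEGIT) -> dict:
    """Map each suspicious observed domain to the reason it was flagged."""
    cands = candidate_domains(brand, tlds)
    hits = {}
    for raw in observed:
        d = raw.lower().rstrip(".")
        if d in legit or any(d.endswith("." + l) for l in legit):
            continue  # genuine domain or a subdomain of it
        match = next((c for c in cands if d == c or d.endswith("." + c)), None)
        if match:
            hits[d] = f"typosquat of {brand}: {match}"
        elif brand in d.split("."):
            # e.g. rituals.com.account-verify.net: brand shown as a subdomain of an
            # unrelated registrable domain, a classic lookalike that edit distance misses
            hits[d] = f"brand label '{brand}' used as a subdomain of an unrelated domain"
    return hits


# Constructed sample of sender domains as they might appear in mail logs.
SAMPLE_SENDERS = [
    "newsletter.rituals.com",
    "rituals-rewards.com",
    "ritauls.com",
    "r1tuals.nl",
    "rituals.com.account-verify.net",
    "example.org",
]

if __name__ == "__main__":
    for domain, reason in flag_lookalikes(SAMPLE_SENDERS).items():
        print(f"{domain}: {reason}")
```

Feed it the distinct sender domains from a day of mail-gateway logs; the candidate set is small enough (a few hundred entries) to rebuild on every run, and the same candidate list can be exported straight into a gateway blocklist or a certificate-transparency watch.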