One of the world's most diverse, least-focused cybercrime groups is enlarging its footprint beyond East Asia.
June 4, 2026
A Chinese cybercrime operation has expanded significantly, targeting far more countries with an even wider variety of tactics, techniques, and procedures (TTPs) than just about any other active threat group.
TA4922 first showed up on Proofpoint's radar in the spring of 2025. For the first year of its observed operations, it was more focused and straightforward. It targeted Japanese organizations with tax-themed phishing emails, or impersonations of real employees. It sometimes tried to get targets to communicate outside of their normal work emails, and used ValleyRAT to gain remote access to their systems.
In the past two months, though, its operational tempo increased dramatically. It's now targeting a wide variety of countries, using a significantly broader array of tactics and techniques than is typical of threat actors. In a blog post this week, Proofpoint called TA4922 "one of the most unique actors" it tracks.
