Content
01. News Bites
- Chinese cybercrime group TA4922 expands cybercrime campaigns into Europe
- UK launches new energy cybersecurity strategy
- AI-assisted ransomware toolkit accelerates EDR bypass development
- Norsk Tipping hit by consecutive DDoS attacks
- South Africa faces escalating DDoS threat
02. Conclusion
Chinese cybercrime group TA4922 expands cybercrime campaigns into Europe
A Chinese-speaking cybercrime group has expanded its operations into Europe, using previously undocumented malware and the Atlas backdoor in financially motivated attacks.
Tracked as TA4922, the group has historically targeted organisations in East Asia, but recent campaigns have focused on Germany, Italy, the UK and South Africa. According to Proofpoint, the threat actor is using highly localised phishing lures, including payroll notices, tax audits, VAT filings, invoices, compliance messages and HR communications, while also approaching victims through WhatsApp, LINE and Microsoft Teams.
Researchers say TA4922 has sharply increased its activity since March, showing a high tempo and varied set of objectives. Its toolkit now includes Atlas RAT, RomulusLoader, SilentRunLoader and ValleyRAT, with some indicators suggesting large language models may be helping accelerate malware development.
Although TA4922 appears financially motivated, its malware also has surveillance capabilities that could be used or sold to espionage groups.
UK launches new energy cybersecurity strategy
The UK government has published a new cybersecurity strategy for the energy sector, warning that the shift towards a more digital, connected and clean energy system is creating new risks for critical national infrastructure.
Published by the Department for Energy Security and Net Zero, the strategy sets out measures to strengthen resilience across Great Britain’s electricity and gas networks, supply chains and emerging energy technologies. A major focus is third-party risk, with government plans to develop supply chain security principles by the end of 2026 and improve its ability to assess energy sector supply chains by 2027.
The strategy also signals tougher expectations for operators, including a review of NIS regulatory thresholds and potential baseline cybersecurity requirements for licensed energy providers. DESNZ also plans to run a cross-industry cyber exercise by the end of 2026 to test responses to a sophisticated attack on Britain’s energy system.
AI-assisted ransomware toolkit accelerates EDR bypass development
Researchers have uncovered a cybercriminal ransomware toolkit that uses AI-assisted development to automate Active Directory discovery and rapidly test techniques for bypassing endpoint detection and response tools.
Sophos found the framework in a customer environment after alerts were triggered by suspicious payloads. The toolkit included Cobalt Strike profiles designed to disguise traffic as legitimate web requests, a Telegram-based command-and-control mechanism, Python scripts for shellcode injection, and a Cloudflare Worker used to obscure backend infrastructure.
Investigators found that tools including Cursor and Claude Opus agents were used to support coding, analysis, revisioning, documentation and testing. The framework also reviewed offensive security research, mapped techniques to MITRE ATT&CK, reproduced them in lab environments and tested payloads against Sophos, CrowdStrike and Microsoft EDR tools.
Sophos stressed that the workflow remained human-driven, with no evidence that AI operated independently in victim environments. However, the case shows how AI is shortening the gap between published research and criminal exploitation.
Norsk Tipping hit by consecutive DDoS attacks
Norwegian state-owned gaming operator Norsk Tipping has been hit by a second cyberattack in two days, causing slowdowns across its online services.
The company confirmed that Wednesday evening’s incident was a Distributed Denial-of-Service attack, the same type of attack that disrupted services the previous evening. Norsk Tipping said malicious traffic was flooding its systems, affecting websites and digital platforms, with KongKasino games among the services impacted during Tuesday’s incident.
Telecommunications provider Telenor has been helping the company filter out unwanted traffic and reduce disruption. Norsk Tipping said Wednesday’s attack appeared to be larger than the first, although the situation was brought under control later that night.
There is currently no confirmed information about who is behind the attacks or whether the two incidents are connected. While DDoS attacks typically do not involve data theft, they can cause major disruption by overwhelming digital services with traffic.
South Africa faces escalating DDoS threat
Recent DDoS attacks targeting South African internet infrastructure providers, hosting companies and connectivity services point to a wider escalation in threats against the country’s digital economy, according to researchers.
They warned that attackers are increasingly using multi-vector DDoS campaigns, combining several techniques in a single incident to overwhelm defences and maximise disruption. Recent attacks against hosting and connectivity providers show how threat actors are targeting upstream organisations where outages can cascade across thousands of downstream businesses and users.
For the second half of 2025, South Africa ranked fifth among the most targeted countries in EMEA for DDoS attacks, with 171,812 recorded between July and December 2025. The country also ranked first globally for attacks against several sectors, including commercial banking, insurance agencies and computer systems design services.
Real-time visibility, intelligence-led mitigation and proactive preparedness are now essential for resilience.
If you are worried about any of the threats outlined in this bulletin, or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively get in touch to find out how you can protect your organisation.
Disclaimer
The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.