|
||
|
||
TA4922, a highly sophisticated cybercriminal group who rapidly changed tactics and malware, recently used multiple malware, including Atlas RAT, RomulusLoader, SilentRunLoader, and ValleyRAT (Winos4.0), among others, in their campaigns. While they often launched local attacks in nearby regions, they branched out to more countries in Europe and Africa.
Proofpoint published their analysis of the threat and identified seven network IoCs made up of five IP addresses, a domain, and a subdomain in the process. After extracting a unique domain from the subdomain IoC, we collated eight IoCs comprising one subdomain, two domains, and five IP addresses for our own investigation.
Our in-depth IoC investigation led to these discoveries:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our study by looking more closely at the subdomain IoC.
We queried the sole subdomain IoC ws[.]ztts88[.]cyou on the WhoisXML API MCP Server and discovered that its apex domain has the hallmarks of malicious infrastructure, likely a C&C endpoint malware use. Our tools advised users not to visit or interact with it using any browser. And if encountered in logs or traffic, treat any host that contacted it as potentially compromised. Blocking access to it at the DNS or firewall level may also be warranted.
Next, we dove deeper into the two domain IoCs.
First, we queried the domain IoCs on WHOIS API and discovered that:

They were administered by different registrars.

They were also registered in different countries.

We then queried the domain IoCs on DNS Chronicle API and learned that only one recorded historical domain-to-IP resolutions. The domain IoC nwphotoblog[.]com posted 268 resolutions from 7 February 2017 and 17 May 2026.
After that, we zoomed in on the five IP IoCs.
Sample network data from the IASC revealed that 36 unique IP addresses that could belong to victims under 12 distinct ASNs communicated with two of the IP IoCs between 26 December 2025 and 12 April 2026.

The results of our Bulk IP Geolocation Lookup for the IP IoCs showed that:

They were administered by four different ISPs.

We then queried the IP IoCs on DNS Chronicle API and learned that three posted 186 historical IP-to-domain resolutions over time. The IP IoC 18[.]139[.]83[.]110, for instance, recorded 114 resolutions between 4 January 2019 and 30 April 2026.
To date, only two of the three IP IoCs with historical resolutions recorded communications in 2026.
We kicked off our hunt for new possibly connected artifacts by querying the domain IoCs on WHOIS History API. We discovered nwphotoblog[.]com had eight unique email addresses in its historical records. Further examination revealed that four were public email addresses.
The results of our Reverse WHOIS API queries for the domain IoCs led to the discovery of 2,779 unique email-connected domains after those already dubbed as IoCs were weeded out.
This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.
Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.
Sponsored byVerisign
Sponsored byDNIB.com
Sponsored byVerisign
Sponsored byRadix
Sponsored byCSC
Sponsored byWhoisXML API
Sponsored byIPv4.Global