win.silent_run_loader

SilentRunLoader

Actor(s): TA4922


According to Proofpoint, SilentRunLoader is a Python-based stealer/loader used by TA4922 to quietly download and execute a next-stage payload. It is designed to harvest Chrome data and other browser artifacts and exfiltrate them to a C2 server. The Python code is relatively straightforward and often appears to be vibe-coded, and new Python-based tooling has been observed being developed rapidly across campaigns. This reflects the actor's use of Python-based malware to deploy new payloads quickly.

References
2026-06-03, Proofpoint, Proofpoint Threat Research Team
TA4922: The Suspected Chinese Crime Group is Going Global
Atlas RAT RomulusLoader SilentRunLoader TA4922

There is no Yara-Signature yet.