AtlasCross RAT

A large-scale cyberattack campaign is actively targeting Chinese-speaking users through typosquatted domains that imitate trusted software brands. These deceptive websites are designed to distribute a previously undocumented remote access trojan known as AtlasCross RAT. The campaign leverages user trust in widely used applications, including VPN clients, encrypted messaging platforms, video conferencing tools, cryptocurrency trackers, and e-commerce software.

The infrastructure includes eleven confirmed malicious domains impersonating well-known services such as Surfshark VPN, Signal, Telegram, Zoom, and Microsoft Teams. This strategic impersonation increases the likelihood of successful infections by exploiting brand familiarity.

Threat Actor Profile: The Silver Fox Collective

The campaign has been attributed to a prolific Chinese cybercrime group known as Silver Fox. This group operates under multiple aliases, including SwimSnake, The Great Thief of Valley (Valley Thief), UTG-Q-1000, and Void Arachne. Security researchers consider this group one of the most active cyber threats in recent years, particularly due to its persistent targeting of managerial and financial personnel within organizations.

Silver Fox employs diverse infection vectors such as messaging platforms, phishing emails, and counterfeit software distribution sites. The group's objectives include remote system control, sensitive data exfiltration, and financial fraud.

Evolution of Malware: From Gh0st RAT to AtlasCross

The emergence of AtlasCross RAT marks a significant advancement in Silver Fox's malware toolkit. Earlier operations relied heavily on variants derived from Gh0st RAT, including ValleyRAT (also known as Winos 4.0), Gh0stCringe, and HoldingHands RAT (Gh0stBins). AtlasCross represents a more sophisticated evolution, incorporating enhanced stealth, execution, and persistence mechanisms.

Infection Chain Breakdown: From Lure to Execution

The attack chain begins with fraudulent websites that trick users into downloading ZIP archives. These archives contain installers that deploy both a legitimate decoy application and a trojanized Autodesk binary. The malicious installer initiates a shellcode loader that decrypts an embedded configuration derived from Gh0st RAT.

This process extracts Command-and-Control (C2) details and retrieves a second-stage payload from the domain 'bifa668.com' over TCP port 9899. The final stage results in the in-memory execution of AtlasCross RAT, significantly reducing detection by traditional security tools.

Malicious Infrastructure: Weaponized Domains

The campaign demonstrates a coordinated infrastructure setup, with most malicious domains registered on October 27, 2025, indicating deliberate planning. Confirmed domains used for malware delivery include:

app-zoom.com
eyy-eyy.com
kefubao-pc.com
quickq-quickq.com
signal-signal.com
telegrtam.com.cn
trezor-trezor.com
ultraviewer-cn.com
wwtalk-app.com
www-surfshark.com
www-teams.com

These domains closely mimic legitimate services, often incorporating subtle typographical variations or regional identifiers to avoid suspicion.
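Putting the indicators above into a defender's hands, the following script (an added example, not code from the original write-up or from any vendor) triages a few constructed DNS and connection log lines against the eleven confirmed delivery domains, the second-stage C2 host 'bifa668.com' on TCP 9899 described in the infection chain, and a simple lookalike heuristic for the brands the campaign imitates. The log line format, the allowlist of official brand domains, and the minimal public-suffix list are assumptions made for this example.

```python
import re

# The eleven confirmed delivery domains from the write-up.
CONFIRMED_DELIVERY_DOMAINS = {
    "app-zoom.com", "eyy-eyy.com", "kefubao-pc.com", "quickq-quickq.com",
    "signal-signal.com", "telegrtam.com.cn", "trezor-trezor.com",
    "ultraviewer-cn.com", "wwtalk-app.com", "www-surfshark.com", "www-teams.com",
}

# Second-stage C2 from the write-up: bifa668.com over TCP port 9899.
C2_HOST = "bifa668.com"
C2_PORT = 9899

# Brand tokens the campaign imitates (tuple for deterministic match order) and the
# official registrable domains treated as legitimate. The allowlist is an
# assumption for this example; extend it for your environment.
IMPERSONATED_BRANDS = ("zoom", "signal", "telegram", "teams", "surfshark", "trezor", "ultraviewer")
LEGITIMATE_DOMAINS = {"zoom.us", "signal.org", "telegram.org", "microsoft.com",
                      "surfshark.com", "trezor.io", "ultraviewer.net"}

# Minimal multi-label public suffixes (assumption; a real deployment uses the PSL).
PUBLIC_SUFFIXES = ("com.cn",)


def registrable_domain(host):
    """Reduce a hostname to its registrable domain, e.g. teams.microsoft.com -> microsoft.com."""
    labels = host.lower().rstrip(".").split(".")
    for suffix in PUBLIC_SUFFIXES:
        n = suffix.count(".") + 1
        if len(labels) > n and ".".join(labels[-n:]) == suffix:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_brand(host):
    """Return the brand a non-allowlisted host appears to imitate, or None."""
    reg = registrable_domain(host)
    if reg in LEGITIMATE_DOMAINS:
        return None
    sld = reg.split(".")[0]                    # label just below the public suffix
    tokens = [t for t in sld.split("-") if t]  # e.g. "www-surfshark" -> ["www", "surfshark"]
    for brand in IMPERSONATED_BRANDS:
        if brand in sld.replace("-", ""):                      # app-zoom, signal-signal, ultraviewer-cn
            return brand
        if any(edit_distance(t, brand) == 1 for t in tokens):  # telegrtam
            return brand
    return None


# Constructed log format (assumption): "<timestamp> <src_ip> <event> <host> [<port>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<event>dns-query|tcp-connect) (?P<host>\S+)(?: (?P<port>\d+))?$"
)


def triage(lines):
    """Classify each log line; exact IoC hits are high confidence, lookalikes are triage signals."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        host = m["host"].lower()
        port = int(m["port"]) if m["port"] else None
        reg = registrable_domain(host)
        if reg == C2_HOST:
            verdict = "c2-connect" if port == C2_PORT else "c2-host"
        elif reg in CONFIRMED_DELIVERY_DOMAINS:
            verdict = "known-delivery-domain"
        else:
            brand = lookalike_brand(host)
            verdict = f"lookalike:{brand}" if brand else None
        if verdict:
            findings.append({"src": m["src"], "host": host, "verdict": verdict})
    return findings


# Constructed sample lines for demonstration (not real telemetry).
LOG_LINES = [
    "2025-11-03T08:14:02Z 10.1.4.22 dns-query www-surfshark.com",
    "2025-11-03T08:14:09Z 10.1.4.22 tcp-connect bifa668.com 9899",
    "2025-11-03T08:15:30Z 10.1.7.5 dns-query zoom.us",
    "2025-11-03T08:16:11Z 10.1.7.5 dns-query telegrtam.com.cn",
    "2025-11-03T08:17:45Z 10.1.9.8 dns-query signal-login.example",
    "2025-11-03T08:18:00Z 10.1.9.8 tcp-connect update.microsoft.com 443",
    "2025-11-03T08:19:12Z 10.1.9.8 dns-query bifa668.com",
]

if __name__ == "__main__":
    for f in triage(LOG_LINES):
        print(f"{f['src']:<10} {f['verdict']:<22} {f['host']}")
```

The exact-match branches (confirmed domains, the C2 host and port) are the reliable signal; the brand heuristic deliberately errs toward noise, since a legitimate vanity domain containing "zoom" or "teams" will also trip it, so it belongs in a hunting query with an analyst in the loop rather than in a blocking rule.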

Abuse of Trust: Stolen Code-Signing Certificates

All identified malicious installers are signed using the same stolen Extended Validation (EV) code-signing certificate issued to DUC FABULOUS CO., LTD, a company based in Hanoi, Vietnam. The reuse of this certificate across multiple unrelated malware campaigns suggests widespread circulation within the cybercriminal ecosystem. This tactic enhances the perceived legitimacy of malicious binaries and helps bypass security defenses.

Advanced Capabilities: Inside AtlasCross RAT

AtlasCross RAT introduces a powerful set of capabilities designed for stealth, persistence, and control. It integrates the PowerChell framework, a native C/C++ PowerShell execution engine that embeds the .NET Common Language Runtime (CLR) directly into the malware process.

Before executing commands, the malware disables key security mechanisms such as AMSI, ETW, Constrained Language Mode, and ScriptBlock logging. Communication with command-and-control servers is encrypted using ChaCha20 with per-packet random keys generated via hardware-based random number generation.

Key functionalities include:

  • Targeted DLL injection into WeChat
  • Remote Desktop Protocol (RDP) session hijacking
  • TCP-level termination of connections from Chinese security tools such as 360 Safe, Huorong, Kingsoft, and QQ PC Manager
  • File system manipulation and shell command execution
  • Persistence through scheduled task creation

Operational Strategy: Deception at Scale

Silver Fox employs a multi-layered domain strategy to maintain credibility and evade detection. This includes typosquatting, domain hijacking, and DNS manipulation, often combined with region-specific naming conventions to reduce user suspicion. The group's ability to convincingly replicate legitimate services plays a critical role in the campaign's effectiveness.

Expanding Attack Vectors Across Asia

Since at least December 2025, the group has expanded its operations across multiple countries, including Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India. Attack methods have evolved over time, transitioning from phishing emails with malicious PDF attachments to the abuse of legitimate but misconfigured remote monitoring and management tools such as SyncFuture TSM.

Subsequent campaigns have also deployed a Python-based information stealer disguised as a WhatsApp application. Earlier activity in January 2026 involved tax-themed lures targeting Indian users with Blackmoon malware.

Flexible Arsenal: Adaptive Cybercrime Operations

Silver Fox demonstrates a high degree of operational flexibility by combining multiple malware families and techniques. The use of ValleyRAT alongside RMM tools and custom Python-based stealers enables rapid adaptation of infection chains. This versatility supports both large-scale opportunistic campaigns and more targeted, strategic attacks.

The group operates a dual-track model, balancing widespread attacks with more sophisticated operations designed for long-term system access and deeper network infiltration.

Spear-Phishing Precision: Targeting Corporate Victims

In addition to broad campaigns, Silver Fox conducts targeted spear-phishing attacks aimed at specific industries, particularly Japanese manufacturers. These attacks use highly convincing lures related to tax compliance, salary adjustments, job changes, and employee stock ownership plans.

Once deployed, ValleyRAT enables attackers to:

  • Gain full remote control of infected systems
  • Harvest sensitive and financial data
  • Monitor user activity in real time
  • Maintain persistence within the network

This level of access allows threat actors to escalate attacks, exfiltrate confidential information, and prepare for further exploitation stages within compromised environments.
