Silver Fox Expands Asian Cyber Campaign with AtlasCross RAT and Fake Domains

Chinese-speaking users are the targets of an active campaign that uses domains masquerading as trusted software brands to deliver a previously undocumented remote access trojan, AtlasCross RAT.
“The project includes VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven verified delivery domains that mimic products including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others,” said German cybersecurity company Hexastrike in a report published last week.
The operation has been attributed to a Chinese cybercriminal group called Silver Fox, which also goes by the names SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.
The discovery of AtlasCross RAT marks an evolution of the threat actor's tooling beyond Gh0st RAT derivatives such as ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
Attack chains use the fake websites as bait to lure users into downloading ZIP archives containing an installer that drops a trojanized Autodesk binary alongside a legitimate application that serves as a decoy.
The trojanized Autodesk installer, in turn, launches a shellcode loader that decrypts an embedded Gh0st RAT payload to extract command-and-control (C2) information and downloads a second-stage shellcode loader from “bifa668[.]com” over TCP on port 9899, eventually leading to the execution of AtlasCross RAT in memory.
Most of the fake websites were registered on a single day, October 27, 2025, which points to a coordinated setup of the campaign's infrastructure. The confirmed malware delivery domains are listed below:
- app-zoom.com (Zoom)
- eyy-eyy.com (unknown)
- kefubao-pc.com (KeFuBao, e-commerce)
- quickq-quickq.com (QuickQ VPN)
- signal-signal.com (Signal)
- telegrtam.com.cn (Telegram)
- trezor-trezor.com (Trezor crypto wallet)
- ultraviewer-cn.com (UltraViewer)
- wwtalk-app.com (WangWang)
- www-surfshark.com (Surfshark VPN)
- www-teams.com (Microsoft Teams)
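The domain list above shows the two impersonation patterns the campaign relies on: a brand label wrapped in extra tokens (signal-signal, www-surfshark, app-zoom, ultraviewer-cn) and a near-miss spelling (telegrtam). The following added example, which is not from the Hexastrike report, is a small defender-side lookalike check over that list; the brand watch list and the set of decoration tokens are assumptions chosen for this example.

```python
from difflib import SequenceMatcher

# Brands the report says are impersonated (assumed watch list for this example).
BRANDS = ["zoom", "signal", "telegram", "trezor", "ultraviewer",
          "surfshark", "teams", "quickq", "kefubao", "wwtalk"]
# Tokens used to dress a brand label up as a plausible host name (assumed set).
DECORATIONS = {"www", "app", "pc", "cn", "download", "official"}
# Second-level public labels so "telegrtam.com.cn" yields "telegrtam".
PUBLIC_SECOND_LEVEL = {"com", "co", "net", "org"}

# Delivery domains listed in the report (constructed input for the scan).
CAMPAIGN_DOMAINS = [
    "app-zoom.com", "eyy-eyy.com", "kefubao-pc.com", "quickq-quickq.com",
    "signal-signal.com", "telegrtam.com.cn", "trezor-trezor.com",
    "ultraviewer-cn.com", "wwtalk-app.com", "www-surfshark.com", "www-teams.com",
]

def registrable_label(domain: str) -> str:
    """Return the label the registrant chose, ignoring TLD and public suffix."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) >= 3 and labels[-2] in PUBLIC_SECOND_LEVEL:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]

def lookalike_reason(domain: str):
    """Explain why `domain` resembles a brand impersonation, or return None."""
    parts = [p for p in registrable_label(domain).split("-") if p]
    core = [p for p in parts if p not in DECORATIONS]
    for brand in BRANDS:
        # Exact brand label doubled ("signal-signal") or decorated ("www-surfshark").
        if brand in parts and len(parts) > 1:
            return f"brand '{brand}' wrapped with extra tokens"
        # Near-miss spelling ("telegrtam" vs "telegram"); an exact match is the brand.
        for p in core:
            if p != brand and SequenceMatcher(None, p, brand).ratio() >= 0.85:
                return f"'{p}' is a near-miss of '{brand}'"
    return None

def scan(domains):
    """Map each domain to its flag reason; unflagged domains map to None."""
    return {d: lookalike_reason(d) for d in domains}

if __name__ == "__main__":
    for domain, reason in scan(CAMPAIGN_DOMAINS).items():
        print(f"{domain:22} {reason or 'no match'}")
```

The ratio threshold is a heuristic and will also flag short legitimate labels close to a brand name, so treat a hit as a triage signal rather than a verdict.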
All identified installer packages were found to carry a stolen Extended Validation code signing certificate issued to DUC FABULOUS CO.,LTD, a Vietnamese entity registered in Hanoi. The fact that the same certificate has been used in other malware campaigns raises the possibility of widespread reuse within the cybercriminal ecosystem to give malicious payloads a veneer of legitimacy and pass security checks.

“The RAT embeds the PowerShell framework, a C/C++ PowerShell generation engine that hosts the .NET CLR directly inside the malware process and disables AMSI, ETW, Constrained Language Mode, and ScriptBlock logging before issuing any commands,” Hexastrike said. “C2 traffic is encrypted with ChaCha20 using per-packet random keys generated with hardware RNG.”
AtlasCross RAT is also capable of targeted DLL injection into WeChat, RDP session hijacking, and TCP-level termination of connections from Chinese security products (e.g., 360 Safe, Huorong, Kingsoft, and QQ PC Manager) rather than relying on a Bring Your Own Vulnerable Driver (BYOVD) approach, along with process management and scheduled task creation.
“AtlasAgent/AtlasCross RAT represents the current evolution of the team’s tools, building on the foundations of the Gh0st RAT protocol with the ValleyRAT lineage and Winos 4.0,” the company added. “The addition of the PowerShell framework and the extensive security pass-through chain represent a significant improvement in capabilities.”
In a report published earlier this month, Chinese security vendor Knownsec 404 characterized Silver Fox as one of the “most effective cyber threats” in recent years, targeting managers and financial staff in organizations through WeChat, QQ, phishing emails, and fake tool sites to infect them with malware for remote control, data theft, and financial fraud.
“Silver Fox’s domain strategy relies on heavily mimicking legitimate domains combined with regional labeling to reduce user suspicion,” the company said. “They use a multi-pronged approach – typo-squatting, domain hijacking, and DNS manipulation – to create a legitimate facade.”
Recent attack campaigns have also been observed to evolve from delivering ValleyRAT via malicious PDF attachments in phishing emails targeting Taiwanese organizations, to abusing a legitimate but little-known Chinese remote monitoring and management (RMM) tool called SyncFuture TSM, and later to distributing a Python-based hijacker disguised as a WhatsApp app.
The attacks have targeted businesses in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India since at least December 2025. Other aspects of the campaign were previously highlighted by eSentire in January 2026, with an attack using tax-themed lures to target users in India with the Blackmoon malware.
Silver Fox’s use of ValleyRAT alongside RMM software and custom stealth tools highlights a flexible arsenal that allows the adversary to quickly adapt its infection chains and conduct advanced, strategic operations in support of profit-driven campaigns in South Asia, while maintaining long-term access to compromised systems.
“The group maintains a two-pronged model, running extensive campaigns, opening up opportunities and its high-level operations by continuing to develop its tools,” said French cyber security company Sekoia. “The second and third campaigns that rely on the RMM tool and the Python hijacker appear to be more in line with opportunistic cybercrime than APT operations.”
As of last week, the hacking group has also been implicated in an active phishing campaign that uses lures related to tax violations, wage manipulation, job title changes, and employee stock ownership schemes to target Japanese manufacturers and other businesses and infect them with ValleyRAT.
“Once deployed, ValleyRAT enables an actor to take remote control of a compromised machine, harvest sensitive information, monitor user activity, and maintain persistence at a target location,” ESET said. “This could allow an attacker to penetrate deeper into the network, steal confidential data, or prepare additional stages of attack.”