
Chinese-speaking users are the target of an active campaign that uses typosquatted domains to impersonate trusted software brands to distribute a previously undocumented remote access Trojan named AtlasCross RAT.
“The operation targeted VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with 11 identified distribution domains impersonating brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and more,” Germany-based cybersecurity firm Hexastrike said in a report released last week.
This activity has been attributed to a Chinese cybercrime group called Silver Fox, which has also been tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.
The discovery of AtlasCross RAT represents an evolution in the threat actor’s arsenal from Gh0st RAT derivatives such as ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
This attack chain involves using a fake website as bait to trick users into downloading a ZIP archive containing an installer that drops a trojanized Autodesk binary along with a legitimate decoy application.
The trojanized Autodesk installer then launches a shellcode loader that decrypts the embedded Gh0st RAT configuration, extracts command-and-control (C2) details, and downloads a second-stage shellcode payload from bifa668[.]com over TCP port 9899, which ultimately runs AtlasCross RAT in memory.
Most of the fake websites were registered on a single day, October 27, 2025, indicating a deliberate approach behind this campaign. A list of confirmed malware distribution domains is below.
app-zoom.com (Zoom)
eyy-eyy.com (unknown)
kefubao-pc.com (KeFuBao, e-commerce)
quickq-quickq.com (QuickQ VPN)
signal-signal.com (Signal)
telegrtam.com.cn (Telegram)
trezor-trezor.com (Trezor crypto wallet)
ultraviewer-cn.com (UltraViewer)
wwtalk-app.com (WangWang)
www-surfshark.com (Surfshark VPN)
www-teams.com (Microsoft Teams)
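The lookalike patterns in the list above (a brand wrapped in a www-/app-/-cn label, the brand name doubled, or a one-character typo such as telegrtam) can be screened mechanically against a brand watchlist, for example when reviewing newly registered domains or proxy logs. The Python below is an added example, not code from Hexastrike's report; the brand watchlist and the two benign control domains are assumptions, and the check only finds brands it has been told about.

```python
# Added example: flag typosquatted domains that imitate a brand watchlist.
# BRANDS is an assumed watchlist built from the brands named in the article.
BRANDS = ["zoom", "signal", "telegram", "trezor", "ultraviewer",
          "surfshark", "teams", "quickq", "kefubao"]

# Constructed sample: the article's distribution domains plus two benign controls.
SAMPLE_DOMAINS = [
    "app-zoom.com", "eyy-eyy.com", "kefubao-pc.com", "quickq-quickq.com",
    "signal-signal.com", "telegrtam.com.cn", "trezor-trezor.com",
    "ultraviewer-cn.com", "wwtalk-app.com", "www-surfshark.com",
    "www-teams.com", "zoom.com", "example.com",
]


def registrable_label(domain):
    """Strip the public suffixes seen in the sample (.com.cn, .com, .cn)."""
    label = domain.lower().strip(".")
    for suffix in (".com.cn", ".com", ".cn"):
        if label.endswith(suffix):
            return label[: -len(suffix)]
    return label


def levenshtein(a, b):
    """Edit distance; used to catch single-character insertions like telegrtam."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain):
    """Return (brand, reason) for a lookalike, or None if nothing matches.

    An exact brand label (zoom.com) is treated as the brand's own domain.
    Brands missing from the watchlist (e.g. WangWang/wwtalk) are not detected.
    """
    label = registrable_label(domain)
    parts = label.split("-")
    for brand in BRANDS:
        if label == brand:
            return None
        if brand in parts:
            if parts.count(brand) >= 2:
                return (brand, "duplicated brand")
            return (brand, "brand wrapped with prefix/suffix")
        if levenshtein(label, brand) <= 2:
            return (brand, "typo of brand")
    return None


def flag_domains(domains):
    """Map each lookalike domain in the input to its (brand, reason) verdict."""
    return {d: classify(d) for d in domains if classify(d) is not None}
```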
All identified installer packages were found to carry the same stolen Extended Validation (EV) code-signing certificate, issued to DUC FABULOUS CO., LTD, a Vietnamese legal entity registered in Hanoi. The same certificate has already been used in other, unrelated malware campaigns, which makes it likely that it will be reused widely within the cybercriminal ecosystem to give malicious payloads an appearance of legitimacy and to bypass security checks.

“The RAT incorporates the PowerChell framework, a native C/C++ PowerShell execution engine that hosts the .NET CLR directly within the malware process, disabling AMSI, ETW, constrained language mode, and ScriptBlock logging before executing commands,” Hexastrike said. “C2 traffic is encrypted with ChaCha20 using a per-packet random key generated by hardware RNG.”
AtlasCross RAT comes with features that facilitate targeted DLL injection into WeChat, RDP session hijacking, active TCP-level termination of connections from Chinese security products (e.g. 360 Safe, Huorong, Kingsoft, QQ PC Manager), file and shell manipulation, and persistence through scheduled tasks rather than Bring Your Own Vulnerable Driver (BYOVD) techniques.
“AtlasAgent/AtlasCross RAT represents the current evolution of the group’s tools, built on the Gh0st RAT protocol foundation, consistent with the ValleyRAT and Winos 4.0 lineages,” the company added. “The addition of the PowerChell framework and a comprehensive security bypass chain is a significant upgrade in functionality.”
In a report published earlier this month, Chinese security vendor Knownsec 404 characterized Silver Fox as one of the “most active cyber threats” in recent years, targeting organizational managers and financial personnel through WeChat, QQ, phishing emails, and fake tool sites, infecting them with malware and enabling remote control, data theft, and financial fraud.
“Silver Fox’s domain strategy relies on a high degree of imitation of official domains, combined with regional labels to reduce user suspicion,” the company said. “Operators use multifaceted approaches such as typosquatting, domain hijacking, and DNS manipulation to feign legitimacy.”
Recent attack campaigns have also been observed to shift from ValleyRAT delivered via malicious PDF attachments in phishing emails targeting organizations in Taiwan, to exploiting a genuine but misconfigured Chinese remote monitoring and management (RMM) tool called SyncFuture TSM, and then to deploying a Python-based stealer disguised as a WhatsApp application.
These attacks have targeted companies in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India since at least December 2025. Some aspects of this campaign were previously covered by eSentire in January 2026, which described an attack that used tax-themed decoys to target users in India with Blackmoon malware.
Silver Fox’s use of ValleyRAT in conjunction with RMM tools and custom stealers highlights a flexible arsenal that allows attackers to quickly adapt infection chains and conduct sophisticated strategic operations alongside profit-driven campaigns in South Asia, while maintaining long-term access to compromised systems.
“The group maintains a dual-track model, continually evolving its tools to conduct widespread and opportunistic campaigns alongside more sophisticated operations,” French cybersecurity firm Sekoia said in a statement. “The second and third campaigns, utilizing RMM tools and Python stealers, appear to be more closely aligned with opportunistic cybercriminals than APT operations.”
As of last week, the hacker group is also believed to be involved in an active spear-phishing campaign to identify Japanese manufacturers and other companies and infect them with ValleyRAT, using persuasive phishing lures related to tax compliance violations, pay adjustments, job changes, and employee stock ownership plans.
“ValleyRAT enables attackers to remotely control compromised machines, collect sensitive information, monitor user activity, and maintain persistence in targeted environments,” ESET said. “This allows attackers to penetrate deeper into the network, steal sensitive data, or prepare additional stages of an attack.”
