Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains

Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains Ravie LakshmananMar 31, 2026Malware / Encryption Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named AtlasCross RAT. "The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others," Germany-based cybersecurity company Hexastrike said in a report published last week. The activity has been attributed to a Chinese cybercrime group called Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne. The discovery of AtlasCross RAT represents an evolution of the threat actor's arsenal from Gh0st RAT derivatives like ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins). The attack chains involve using bogus websites as lures to trick users into downloading ZIP archives containing an installer that drops a trojanized Autodesk binary along with the legitimate decoy application. The trojanized AutoDesk installer, in turn, launches a shellcode loader that decrypts an embedded Gh0st RAT configuration to extract the command-and-control (C2) details and then downloads a second-stage shellcode payload from "bifa668[.]com" over TCP on port 9899, ultimately leading to the execution of AtlasCross RAT in memory. The majority of fake websites were registered in a single day on October 27, 2025, indicating a deliberate approach behind the campaign. The list of confirmed malware delivery domains is listed below - app-zoom.com (Zoom) eyy-eyy.com (unknown) kefubao-pc.com (KeFuBao, a Chinese customer service software for e-commerce) quickq-quickq.com (QuickQ VPN) signal-signal.com (Signal) telegrtam.com.cn (Telegram) trezor-trezor.com (Trezor) ultraviewer-cn.com (UltraViewer) wwtalk-app.com (WangWang) www-surfshark.com (Surfshark VPN) www-teams.com (Microsoft Teams) All identified installer packages have been found to carry the same stolen Extended Validation code-signing certificate issued to DUC FABULOUS CO.,LTD, a Vietnamese entity registered in Hanoi. The fact that the same certificate has been used in other unrelated malware campaigns has raised the possibility of widespread reuse within the cybercriminal ecosystem to lend malicious payloads a veneer of legitimacy and bypass security checks. "The RAT embeds the PowerChell framework, a native C/C++ PowerShell execution engine that hosts the .NET CLR directly within the malware process and disables AMSI, ETW, Constrained Language Mode, and ScriptBlock logging before executing any commands," Hexastrike said. "C2 traffic is encrypted with ChaCha20 using per-packet random keys generated via hardware RNG." AtlasCross RAT comes with capabilities to facilitate targeted DLL injection into WeChat, RDP session hijacking, active TCP-level termination of connections from Chinese security products (e.g., 360 Safe, Huorong, Kingsoft, and QQ PC Manager) instead of using the Bring Your Own Vulnerable Driver (BYOVD) technique, file and shell operations, and persistent scheduled task creation. "The AtlasAgent/AtlasCross RAT represents the current evolution of the group’s tooling, building on Gh0st RAT protocol foundations consistent with the ValleyRAT and Winos 4.0 lineage," the company added. "The addition of the PowerChell framework and a comprehensive security bypass chain marks a significant capability upgrade." In a report published earlier this month, Chinese security vendor Knownsec 404 characterized Silver Fox as one of the "most active cyber threats" in recent years, targeting managerial and finance staff in organizations via WeChat, QQ, phishing emails, and fake tool sites to infect them with malware to enable remote control, data theft, and financial fraud. "Silver Fox's domain strategy hinges on highly mimicking official domains combined with regional labeling to suppress user suspicion," the company said. "Operators use a multi-pronged approach – typo-squatting, domain hijacking, and DNS manipulation – to create a façade of legitimacy." Recent attack campaigns have also been observed transitioning from ValleyRAT delivered via malicious PDF attachments in phishing emails targeting Taiwanese organizations to abusing a legitimate but misconfigured Chinese remote monitoring and management (RMM) tool called SyncFuture TSM, and later to deploying a Python-based stealer disguised as a WhatsApp application. These attacks have targeted entities in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India since at least December 2025. Some aspects of the campaign were previously highlighted by eSentire in January 2026, with the attacks using tax-themed lures to target Indian users with the Blackmoon malware. Silver Fox's use of ValleyRAT alongside RMM tools and custom stealer highlights a flexible arsenal that allows the adversary to rapidly adapt its infection chains and conduct advanced, strategic operations in tandem with profit-driven campaigns in South Asia, while maintaining long-term access to compromised systems. "The group maintains a dual-track model, running broad, opportunistic campaigns alongside its more sophisticated operations by continuously evolving its tooling," French cybersecurity company Sekoia said. "The second and third campaigns leaning on the RMM tool and Python stealer appear to align more closely with opportunistic cybercrime than APT operations." As of last week, the hacking crew has also been attributed to an active spear-phishing campaign that uses persuasive phishing lures related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans to single out Japanese manufacturers and other businesses and infect them with ValleyRAT. "Once deployed, ValleyRAT enables the actor to take remote control of the compromised machine, harvest sensitive information, monitor user activity, and maintain persistence in the targeted environment," ESET said. "This can allow the attacker to burrow deeper into the network, steal confidential data, or prepare additional stages of an attack." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Code Signing Certificate, Command and Control, cybersecurity, Domain Spoofing, encryption, Malware, Phishing, Remote Access Trojan Trending News TeamPCP Pushes Malicious Telnyx Versions to PyPI, Hides Stealer in WAV Files Apple Warns Older iPhones Vulnerable to Coruna, DarkSword Exploit Kit Attacks Google Adds 24-Hour Wait for Unverified App Sideloading to Reduce Malware and Scams China-Linked Red Menshen Uses Stealthy BPFDoor Implants to Spy via Telecom Networks FCC Bans New Foreign-Made Routers Over Supply Chain and Cyber Risk Concerns Coruna iOS Kit Reuses 2023 Triangulation Exploit Code in Recent Mass Attacks Citrix NetScaler Under Active Recon for CVE-2026-3055 (CVSS 9.3) Memory Overread Bug Trivy Security Scanner GitHub Actions Breached, 75 Tags Hijacked to Steal CI/CD Secrets FBI Warns Russian Hackers Target Signal, WhatsApp in Mass Phishing Attacks Citrix Urges Patching Critical NetScaler Flaw Allowing Unauthenticated Data Leaks TeamPCP Backdoors LiteLLM Versions 1.82.7–1.82.8 via Trivy CI/CD Compromise New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data ⚡ Weekly Recap: CI/CD Backdoor, FBI Buys Location Data, WhatsApp Ditches Numbers and More 54 EDR Killers Use BYOVD to Exploit 35 Signed Vulnerable Drivers and Disable Security CISA Adds CVE-2025-53521 to KEV After Active F5 BIG-IP APM Exploitation ThreatsDay Bulletin: PQC Push, AI Vuln Hunting, Pirated Traps, Phishing Kits and 20 More Stories Load More ▼ Popular Resources [Guide] Learn How to Govern AI Agents With Proven Market Guidance [Demo] Discover SaaS Risks and Monitor Every App in Your Environment Detect AI-Driven Threats Faster With Full Network Visibility SANS SEC401: Get Hands On Skills to Detect and Respond to Cyber Threats