{"id":443,"date":"2026-03-31T12:53:26","date_gmt":"2026-03-31T12:53:26","guid":{"rendered":"https:\/\/thedigitalfortress.us\/?p=443"},"modified":"2026-03-31T12:53:26","modified_gmt":"2026-03-31T12:53:26","slug":"silver-fox-expands-asia-cyber-campaign-with-atlascross-rat-and-fake-domains","status":"publish","type":"post","link":"https:\/\/thedigitalfortress.us\/?p=443","title":{"rendered":"Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains"},"content":{"rendered":"<div id=\"articlebody\">\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhgQmoJ2iwUTLR-DicdD0xa7_oYXgpGalL3L_-4LyX9YMApiotQC-omFlhdcQByUQat1YJdd7ElMqhp8FDYpoaljcvVmCFPXS4yRRh0_KnKa6FgqoEpiaKHJhoecKKap1MgoPWw1a6H7LfJrYo9m_YXqh3BaoES1tPEmuCbgO3snV34jtkrK7j8t4Qk30jj\/s1700-e365\/cyberattacks-asia.jpg\" style=\"display: block;  text-align: center; clear: left; float: left;\"><\/a><\/div>\n<p>Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named <strong>AtlasCross RAT<\/strong>.<\/p>\n<p>\u00abThe operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others,\u00bb Germany-based cybersecurity company Hexastrike <a href=\"https:\/\/hexastrike.com\/resources\/blog\/threat-intelligence\/trust-the-tunnel-get-the-trojan-silver-fox-delivers-atlascross-rat-via-weaponized-vpn-installers\/\" rel=\"noopener\" target=\"_blank\">said<\/a> in a report published last week.<\/p>\n<p>The activity has been attributed to a Chinese cybercrime group called Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.<\/p>\n<p>The 
discovery of AtlasCross RAT represents an evolution of the threat actor&#8217;s arsenal from Gh0st RAT derivatives like ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).<\/p>\n<p>The attack chains involve using bogus websites as lures to trick users into downloading ZIP archives containing an installer that drops a trojanized Autodesk binary along with the legitimate decoy application.<\/p>\n<p>The trojanized Autodesk installer, in turn, launches a shellcode loader that decrypts an embedded Gh0st RAT configuration to extract the command-and-control (C2) details and then downloads a second-stage shellcode payload from \u00abbifa668[.]com\u00bb over TCP on port 9899, ultimately leading to the execution of AtlasCross RAT in memory.<\/p>\n<p>The majority of fake websites were registered in a single day on October 27, 2025, indicating a deliberate approach behind the campaign. 
The confirmed malware delivery domains are listed below &#8211;<\/p>\n<ul>\n<li>app-zoom.com (Zoom)<\/li>\n<li>eyy-eyy.com (unknown)<\/li>\n<li>kefubao-pc.com (KeFuBao, e-commerce)<\/li>\n<li>quickq-quickq.com (QuickQ VPN)<\/li>\n<li>signal-signal.com (Signal)<\/li>\n<li>telegrtam.com.cn (Telegram)<\/li>\n<li>trezor-trezor.com (Trezor crypto wallet)<\/li>\n<li>ultraviewer-cn.com (UltraViewer)<\/li>\n<li>wwtalk-app.com (WangWang)<\/li>\n<li>www-surfshark.com (Surfshark VPN)<\/li>\n<li>www-teams.com (Microsoft Teams)<\/li>\n<\/ul>\n<p>All identified installer packages have been found to carry the same stolen Extended Validation code-signing certificate issued to DUC FABULOUS CO.,LTD, a Vietnamese entity registered in Hanoi. The fact that the same certificate has been <a href=\"https:\/\/www.elastic.co\/guide\/en\/security\/8.19\/prebuilt-rule-8-19-1-first-time-seen-commonly-abused-remote-access-tool-execution.html\" rel=\"noopener\" target=\"_blank\">used<\/a> in other unrelated malware campaigns has raised the possibility of widespread reuse within the cybercriminal ecosystem to lend malicious payloads a veneer of legitimacy and bypass security checks.<\/p>\n<div class=\"separator\" style=\"clear: both;\"><a href=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjALoDsXqj6_iytDdB9q6calZ7q0LogXTXeQqQtj4LViMHBIsezGtPmEkadT2Dn4NNKkFZ86VZ4k9QYcMktvXkWcBJ7iJ1XpSGBIxBx5wSwJ13g_4DCsXQChOfrqOx_WY2Gwao0erjafU3sZxTMqgD_2VZMwdrQ_oUeSMhcHbri0BLwaaxGQIjaKWLV1Gkq\/s1700-e365\/victim.png\" style=\"display: block;  text-align: center; clear: left; float: left;\"><img decoding=\"async\" src=\"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjALoDsXqj6_iytDdB9q6calZ7q0LogXTXeQqQtj4LViMHBIsezGtPmEkadT2Dn4NNKkFZ86VZ4k9QYcMktvXkWcBJ7iJ1XpSGBIxBx5wSwJ13g_4DCsXQChOfrqOx_WY2Gwao0erjafU3sZxTMqgD_2VZMwdrQ_oUeSMhcHbri0BLwaaxGQIjaKWLV1Gkq\/s1700-e365\/victim.png\" alt=\"\" border=\"0\" data-original-height=\"446\" 
data-original-width=\"1024\"\/><\/a><\/div>\n<p>\u00abThe RAT embeds the PowerChell framework, a native C\/C++ PowerShell execution engine that hosts the .NET CLR directly within the malware process and disables AMSI, ETW, Constrained Language Mode, and ScriptBlock logging before executing any commands,\u00bb Hexastrike said. \u00abC2 traffic is encrypted with ChaCha20 using per-packet random keys generated via hardware RNG.\u00bb<\/p>\n<p>AtlasCross RAT supports targeted DLL injection into WeChat, RDP session hijacking, file and shell operations, persistent scheduled task creation, and active TCP-level termination of connections from Chinese security products (e.g., 360 Safe, Huorong, Kingsoft, and QQ PC Manager) rather than relying on the Bring Your Own Vulnerable Driver (BYOVD) technique.<\/p>\n<p>\u00abThe AtlasAgent\/AtlasCross RAT represents the current evolution of the group\u2019s tooling, building on Gh0st RAT protocol foundations consistent with the ValleyRAT and Winos 4.0 lineage,\u00bb the company added. \u00abThe addition of the PowerChell framework and a comprehensive security bypass chain marks a significant capability upgrade.\u00bb<\/p>\n<p>In a report published earlier this month, Chinese security vendor Knownsec 404 characterized Silver Fox as one of the \u00abmost active cyber threats\u00bb in recent years, targeting managerial and finance staff in organizations via WeChat, QQ, phishing emails, and fake tool sites to infect them with malware to enable remote control, data theft, and financial fraud.<\/p>\n<p>\u00abSilver Fox&#8217;s domain strategy hinges on highly mimicking official domains combined with regional labeling to suppress user suspicion,\u00bb the company <a href=\"https:\/\/medium.com\/@knownsec404team\/unmasking-silverfoxs-new-trends-decoding-evasion-tactics-domain-impersonation-and-8a7f03571186\" rel=\"noopener\" target=\"_blank\">said<\/a>. 
\u00abOperators use a multi-pronged approach \u2013 typo-squatting, domain hijacking, and DNS manipulation \u2013 to create a fa\u00e7ade of legitimacy.\u00bb<\/p>\n<p>Recent attack campaigns have also been observed transitioning from ValleyRAT delivered via malicious PDF attachments in phishing emails targeting Taiwanese organizations to abusing a legitimate but misconfigured Chinese remote monitoring and management (RMM) tool called SyncFuture TSM, and later to deploying a Python-based stealer disguised as a WhatsApp application.<\/p>\n<p>These attacks have targeted entities in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India since at least December 2025. Some aspects of the campaign were previously highlighted by eSentire in January 2026, with the attacks using tax-themed lures to target Indian users with the Blackmoon malware.<\/p>\n<p>Silver Fox&#8217;s use of ValleyRAT alongside RMM tools and a custom stealer highlights a flexible arsenal that allows the adversary to rapidly adapt its infection chains and conduct advanced, strategic operations in tandem with profit-driven campaigns in South Asia, while maintaining long-term access to compromised systems.<\/p>\n<p>\u00abThe group maintains a dual-track model, running broad, opportunistic campaigns alongside its more sophisticated operations by continuously evolving its tooling,\u00bb French cybersecurity 
company Sekoia <a href=\"https:\/\/blog.sekoia.io\/silver-fox-the-only-tax-audit-where-the-fine-print-installs-malware\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThe second and third campaigns leaning on the RMM tool and Python stealer appear to align more closely with opportunistic cybercrime than APT operations.\u00bb<\/p>\n<p>As of last week, the hacking crew has also been attributed to an active spear-phishing campaign that uses persuasive phishing lures related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans to single out Japanese manufacturers and other businesses and infect them with ValleyRAT.<\/p>\n<p>\u00abOnce deployed, ValleyRAT enables the actor to take remote control of the compromised machine, harvest sensitive information, monitor user activity, and maintain persistence in the targeted environment,\u00bb ESET <a href=\"https:\/\/www.welivesecurity.com\/en\/business-security\/cunning-predator-how-silver-fox-preys-japanese-firms-tax-season\/\" rel=\"noopener\" target=\"_blank\">said<\/a>. \u00abThis can allow the attacker to burrow deeper into the network, steal confidential data, or prepare additional stages of an attack.\u00bb<\/p>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named AtlasCross RAT. 
\u00abThe operation&hellip;<\/p>\n","protected":false},"author":1,"featured_media":444,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[594,982,6,233,983,206,150,981,264,414],"class_list":["post-443","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-uncategorized","tag-asia","tag-atlascross","tag-campaign","tag-cyber","tag-domains","tag-expands","tag-fake","tag-fox","tag-rat","tag-silver"],"_links":{"self":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/443","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=443"}],"version-history":[{"count":0,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/posts\/443\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=\/wp\/v2\/media\/444"}],"wp:attachment":[{"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=443"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=443"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/thedigitalfortress.us\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=443"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}