Silver Fox Deploys Novel AtlasCross RAT via Typosquatted Software Domains
A Chinese-speaking cybercrime group known as **Silver Fox** is targeting Chinese-speaking users with a previously undocumented remote access trojan (RAT) called **AtlasCross RAT**. The group distributes the malware through typosquatted domains that impersonate legitimate software brands.

### Campaign Details
According to a report by **Hexastrike**, the operation targets VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications. Eleven confirmed delivery domains impersonate brands including **Surfshark VPN**, **Signal**, **Telegram**, **Zoom**, **Microsoft Teams**, and others.
This activity has been attributed to **Silver Fox**, also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne. The discovery of **AtlasCross RAT** marks an evolution in the threat actor's arsenal, moving beyond **Gh0st RAT** derivatives like ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
### Infection Chain
The attack chain involves luring users to bogus websites that trick them into downloading ZIP archives. These archives contain an installer that drops a trojanized **Autodesk** binary alongside a legitimate decoy application. The malicious installer then launches a shellcode loader that decrypts an embedded **Gh0st RAT** configuration to extract command-and-control (C2) details. A second-stage shellcode payload is downloaded from "bifa668[.]com" over TCP port 9899, leading to the execution of **AtlasCross RAT** in memory.
### Domain Infrastructure
Most of the fake websites were registered on October 27, 2025, suggesting a well-planned campaign. Confirmed malware delivery domains include:
* app-zoom.com (Zoom)
* eyy-eyy.com (unknown)
* kefubao-pc.com (KeFuBao, a Chinese customer service software for e-commerce)
* quickq-quickq.com (QuickQ VPN)
* signal-signal.com (Signal)
* telegrtam.com.cn (Telegram)
* trezor-trezor.com (Trezor)
* ultraviewer-cn.com (UltraViewer)
* wwtalk-app.com (WangWang)
* www-surfshark.com (Surfshark VPN)
* www-teams.com (Microsoft Teams)
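Defenders can turn the delivery domains listed above and the second-stage C2 destination from the infection chain (bifa668[.]com, TCP port 9899) into a simple egress-log check. The following is an added example, not code from the report or the article; the log line format and sample entries are constructed for illustration.

```python
import re
from collections import namedtuple

# Delivery and C2 indicators quoted in the article (Hexastrike report).
DELIVERY_DOMAINS = {
    "app-zoom.com", "eyy-eyy.com", "kefubao-pc.com", "quickq-quickq.com",
    "signal-signal.com", "telegrtam.com.cn", "trezor-trezor.com",
    "ultraviewer-cn.com", "wwtalk-app.com", "www-surfshark.com", "www-teams.com",
}
C2_HOST = "bifa668.com"
C2_PORT = 9899

def refang(domain: str) -> str:
    """Normalise a possibly defanged, mixed-case or trailing-dot hostname."""
    return domain.lower().replace("[.]", ".").rstrip(".")

def matches_indicator(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it (label-aware)."""
    host = refang(host)
    return host == indicator or host.endswith("." + indicator)

# Constructed log format (assumption): "<ts> <src_ip> <dst_host> <dst_port> <bytes>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\d+)$")
Alert = namedtuple("Alert", "ts src_ip dst_host reason")

def scan_log(lines):
    """Return alerts for typosquatted delivery domains and the AtlasCross C2 host."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        ts, src, dst, port, _ = m.groups()
        if any(matches_indicator(dst, d) for d in DELIVERY_DOMAINS):
            alerts.append(Alert(ts, src, refang(dst), "typosquatted delivery domain"))
        elif matches_indicator(dst, C2_HOST):
            stage = " on second-stage port tcp/9899" if int(port) == C2_PORT else ""
            alerts.append(Alert(ts, src, refang(dst), "AtlasCross C2 domain" + stage))
    return alerts

# Constructed sample lines for illustration, not real telemetry.
SAMPLE_LOG = [
    "2025-11-02T09:14:01Z 10.0.0.12 www-teams.com 443 18233",
    "2025-11-02T09:14:07Z 10.0.0.12 cdn.TELEGRTAM.com.cn. 443 5121",
    "2025-11-02T09:15:30Z 10.0.0.12 bifa668[.]com 9899 40960",
    "2025-11-02T09:15:31Z 10.0.0.12 bifa668.com 443 300",
    "2025-11-02T09:16:00Z 10.0.0.45 teams.microsoft.com 443 9920",
    "garbage line",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.ts} {a.src_ip} -> {a.dst_host}: {a.reason}")
```

The suffix check requires a leading dot, so a look-alike such as evil-app-zoom.com is not matched by app-zoom.com; the legitimate teams.microsoft.com entry is likewise left alone.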
### Code-Signing Certificate Abuse
All identified installer packages use the same stolen Extended Validation code-signing certificate issued to DUC FABULOUS CO.,LTD, a Vietnamese entity. The certificate's use in other malware campaigns suggests it is being widely reused within the cybercriminal ecosystem to bypass security checks.

### AtlasCross RAT Capabilities
**Hexastrike** reports that the RAT embeds the PowerChell framework, a native C/C++ PowerShell execution engine that hosts the .NET CLR directly within the malware process. It also disables AMSI, ETW, Constrained Language Mode, and ScriptBlock logging before executing any commands. C2 traffic is encrypted with ChaCha20 using per-packet random keys generated via hardware RNG.
**AtlasCross RAT** can facilitate targeted DLL injection into WeChat, RDP session hijacking, and active TCP-level termination of connections from Chinese security products (e.g., 360 Safe, Huorong, Kingsoft, and QQ PC Manager), instead of using the Bring Your Own Vulnerable Driver (BYOVD) technique. It also supports file and shell operations and persistent scheduled task creation.
### Silver Fox's Evolving Tactics
**Knownsec 404** characterizes **Silver Fox** as a highly active cyber threat, targeting managerial and finance staff via WeChat, QQ, phishing emails, and fake tool sites. The group uses a multi-pronged approach including typosquatting, domain hijacking, and DNS manipulation to create a façade of legitimacy.
Recent campaigns have transitioned from ValleyRAT delivered via malicious PDF attachments to abusing a misconfigured Chinese remote monitoring and management (RMM) tool called SyncFuture TSM, and deploying a Python-based stealer disguised as a WhatsApp application.
These attacks have targeted entities in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India since at least December 2025. Some attacks used tax-themed lures to target Indian users with the Blackmoon malware.
**Sekoia** notes that **Silver Fox** maintains a dual-track model, running broad, opportunistic campaigns alongside its more sophisticated operations by continuously evolving its tooling.
Recent spear-phishing campaigns use lures related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans to target Japanese manufacturers and other businesses with ValleyRAT. Once deployed, ValleyRAT enables remote control, information harvesting, user activity monitoring, and persistence.
**ESET** highlights that these capabilities allow the attacker to burrow deeper into the network, steal confidential data, or prepare additional stages of an attack.