Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named AtlasCross RAT.
“The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others,” Germany-based cybersecurity company Hexastrike said in a report published last week.
The activity has been attributed to a Chinese cybercrime group called Silver Fox, which is also tracked as SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.
The discovery of AtlasCross RAT represents an evolution of the threat actor’s arsenal from Gh0st RAT derivatives like ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).
The attack chains involve using bogus websites as lures to trick users into downloading ZIP archives containing an installer that drops a trojanized Autodesk binary along with the legitimate decoy application.
The trojanized AutoDesk installer, in turn, launches a shellcode loader that decrypts an embedded Gh0st RAT configuration to extract the command-and-control (C2) details and then downloads a second-stage shellcode payload from “bifa668[.]com” over TCP on port 9899, ultimately leading to the execution of AtlasCross RAT in memory.
The majority of fake websites were registered in a single day on October 27, 2025, indicating a deliberate approach behind the campaign. The list of confirmed malware delivery domains is listed below –
- app-zoom.com (Zoom)
- eyy-eyy.com (unknown)
- kefubao-pc.com (KeFuBao, e-commerce)
- quickq-quickq.com (QuickQ VPN)
- signal-signal.com (Signal)
- telegrtam.com.cn (Telegram)
- trezor-trezor.com (Trezor crypto wallet)
- ultraviewer-cn.com (UltraViewer)
- wwtalk-app.com (WangWang)
- www-surfshark.com (Surfshark VPN)
- www-teams.com (Microsoft Teams)
All identified installer packages have been found to carry the same stolen Extended Validation code-signing certificate issued to DUC FABULOUS CO.,LTD, a Vietnamese entity registered in Hanoi. The fact that the same certificate has been used in other unrelated malware campaigns has raised the possibility of widespread reuse within the cybercriminal ecosystem to lend malicious payloads a veneer of legitimacy and bypass security checks.
“The RAT embeds the PowerChell framework, a native C/C++ PowerShell execution engine that hosts the .NET CLR directly within the malware process and disables AMSI, ETW, Constrained Language Mode, and ScriptBlock logging before executing any commands,” Hexastrike said. “C2 traffic is encrypted with ChaCha20 using per-packet random keys generated via hardware RNG.”
AtlasCross RAT comes with capabilities to facilitate targeted DLL injection into WeChat, RDP session hijacking, active TCP-level termination of connections from Chinese security products (e.g., 360 Safe, Huorong, Kingsoft, and QQ PC Manager) instead of using the Bring Your Own Vulnerable Driver (BYOVD) technique, file and shell operations, and persistent scheduled task creation.
“The AtlasAgent/AtlasCross RAT represents the current evolution of the group’s tooling, building on Gh0st RAT protocol foundations consistent with the ValleyRAT and Winos 4.0 lineage,” the company added. “The addition of the PowerChell framework and a comprehensive security bypass chain marks a significant capability upgrade.”
In a report published earlier this month, Chinese security vendor Knownsec 404 characterized Silver Fox as one of the “most active cyber threats” in recent years, targeting managerial and finance staff in organizations via WeChat, QQ, phishing emails, and fake tool sites to infect them with malware to enable remote control, data theft, and financial fraud.
“Silver Fox’s domain strategy hinges on highly mimicking official domains combined with regional labeling to suppress user suspicion,” the company said. “Operators use a multi-pronged approach – typo-squatting, domain hijacking, and DNS manipulation – to create a façade of legitimacy.”
Recent attack campaigns have also been observed transitioning from ValleyRAT delivered via malicious PDF attachments in phishing emails targeting Taiwanese organizations to abusing a legitimate but misconfigured Chinese remote monitoring and management (RMM) tool called SyncFuture TSM, and later to deploying a Python-based stealer disguised as a WhatsApp application.
These attacks have targeted entities in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India since at least December 2025. Some aspects of the campaign were previously highlighted by eSentire in January 2026, with the attacks using tax-themed lures to target Indian users with the Blackmoon malware.
Silver Fox’s use of ValleyRAT alongside RMM tools and custom stealer highlights a flexible arsenal that allows the adversary to rapidly adapt its infection chains and conduct advanced, strategic operations in tandem with profit-driven campaigns in South Asia, while maintaining long-term access to compromised systems.
“The group maintains a dual-track model, running broad, opportunistic campaigns alongside its more sophisticated operations by continuously evolving its tooling,” French cybersecurity company Sekoia said. “The second and third campaigns leaning on the RMM tool and Python stealer appear to align more closely with opportunistic cybercrime than APT operations.”
As of last week, the hacking crew has also been attributed to an active spear-phishing campaign that uses persuasive phishing lures related to tax compliance violations, salary adjustments, job position changes, and employee stock ownership plans to single out Japanese manufacturers and other businesses and infect them with ValleyRAT.
“Once deployed, ValleyRAT enables the actor to take remote control of the compromised machine, harvest sensitive information, monitor user activity, and maintain persistence in the targeted environment,” ESET said. “This can allow the attacker to burrow deeper into the network, steal confidential data, or prepare additional stages of an attack.”
