AtlasCross RAT: Silver Fox Targets Chinese-Speaking Users via Fake VPN and Messaging Sites

CyberSecureFox

A large-scale malware campaign is distributing a new remote access trojan, AtlasCross RAT, by impersonating popular VPN, messaging, video conferencing and cryptocurrency services. According to German security firm Hexastrike, the operation primarily targets Chinese-speaking users through highly convincing look‑alike domains that mimic brands such as Surfshark VPN, Signal, Telegram, Zoom and Microsoft Teams.

Typosquatted domains and fake installers as the initial attack vector

The campaign relies on typosquatting — registering domains that are visually or phonetically similar to legitimate ones. Many Chinese-speaking users interact less frequently with English‑language interfaces, which increases the likelihood of mistaking fraudulent domains for genuine vendor sites.

Victims are lured to these fake portals and prompted to download supposed “updates” or “installers” packaged as ZIP archives. Inside, a bundled installer deploys both the legitimate application (used as a decoy) and a trojanized Autodesk binary. Because the expected VPN or messenger appears to install correctly, most users see nothing suspicious, delaying detection and response.

Hexastrike notes that the majority of phishing domains used in this campaign were registered on the same day, 27 October 2025. This synchronized registration pattern points to a well‑planned, centrally coordinated operation rather than isolated, opportunistic attacks.
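The two signals described above, visual similarity to a brand name and a batch of registrations on one day, are easy to automate. The following Python is an added illustration written for this article, not tooling from Hexastrike or from the campaign; the brand allowlist is an assumption an analyst would maintain, and the domain records and dates are constructed, not the campaign's own domains.

```python
"""Flag look-alike domains for a small brand list and cluster them by
registration date.  Added illustration, not tooling from Hexastrike or the
article; the domain records below are constructed, not campaign data."""
from collections import defaultdict

# Brands named in the report, with the domains those vendors really use
# (assumption: the analyst maintains this allowlist).
BRANDS = {
    "surfshark": {"surfshark.com"},
    "signal": {"signal.org"},
    "telegram": {"telegram.org", "t.me"},
    "zoom": {"zoom.us", "zoom.com"},
    "teams": {"teams.microsoft.com", "microsoft.com"},
}
ALLOWLIST = {d for ds in BRANDS.values() for d in ds}

# Digit-for-letter and letter-pair substitutions common in typosquats.
_DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
_PAIRS = (("rn", "m"), ("vv", "w"))


def normalise(label: str) -> str:
    """Fold visual substitutions so 'te1egram' and 'zoorn' compare as 'telegram' and 'zoom'."""
    label = label.lower().translate(_DIGITS)
    for bad, good in _PAIRS:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def match_brand(domain: str):
    """Return the brand a domain imitates, or None if allowlisted or unrelated."""
    domain = domain.lower().strip(".")
    if domain in ALLOWLIST:
        return None
    parts = domain.split(".")
    # Registrable label, e.g. 'te1egram' in te1egram.cc (two-part public
    # suffixes such as co.uk are not handled in this illustration).
    label = parts[-2] if len(parts) >= 2 else parts[0]
    tokens = {normalise(t) for t in label.replace("_", "-").split("-") if t}
    tokens.add(normalise(label.replace("-", "").replace("_", "")))
    for brand in BRANDS:
        for tok in tokens:
            if brand in tok:                      # brand embedded in a longer label
                return brand
            if len(brand) >= 5 and levenshtein(tok, brand) <= 1:  # one edit away
                return brand
    return None


def flag_lookalikes(records):
    """records: (domain, 'YYYY-MM-DD') pairs -> [(domain, brand, date)] for look-alikes."""
    hits = []
    for domain, reg_date in records:
        brand = match_brand(domain)
        if brand:
            hits.append((domain, brand, reg_date))
    return hits


def same_day_clusters(hits, min_size=3):
    """Group flagged domains by registration date; a date with min_size or
    more hits suggests one coordinated batch rather than opportunistic squats."""
    by_date = defaultdict(list)
    for domain, _brand, reg_date in hits:
        by_date[reg_date].append(domain)
    return {d: sorted(v) for d, v in by_date.items() if len(v) >= min_size}


# Constructed sample records: NOT the campaign's domains.
SAMPLE_RECORDS = [
    ("surfshark.com", "2015-03-02"),          # legitimate, allowlisted
    ("zoom.us", "2011-04-21"),                # legitimate, allowlisted
    ("surfsharkvpn-cn.top", "2025-10-27"),
    ("te1egram.cc", "2025-10-27"),            # digit 1 for l
    ("signaI-app.com", "2025-10-27"),         # capital I for l
    ("zoorn-download.net", "2025-10-27"),     # rn for m
    ("teams-microsoft.online", "2025-10-27"),
    ("weather-news.org", "2025-10-27"),       # unrelated same-day registration
    ("tele-gram.shop", "2024-06-11"),         # look-alike, but not in the batch
]

if __name__ == "__main__":
    hits = flag_lookalikes(SAMPLE_RECORDS)
    for domain, brand, reg_date in hits:
        print(f"{domain:25} imitates {brand:10} registered {reg_date}")
    for day, domains in same_day_clusters(hits).items():
        print(f"{len(domains)} look-alikes registered on {day}: {', '.join(domains)}")
```

Run against real registration data, the cluster step is what separates a coordinated campaign from background noise: a single squat is unremarkable, five brand imitations created on the same day are a campaign. The substring and one-edit heuristics are deliberately loose and will need tuning for short brand names.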

All identified installers are signed with a stolen Extended Validation (EV) code-signing certificate issued to the Vietnamese company DUC FABULOUS CO., LTD (Hanoi). EV certificates involve stricter identity vetting than standard code-signing certificates, so users and some security tools treat them as a stronger trust signal. However, this certificate has already been observed in multiple unrelated malware campaigns. A valid signature proves only that the signer's private key was used, not who controlled it, so a digital signature alone is no longer a reliable indicator of legitimacy.

AtlasCross RAT infection chain and Gh0st RAT lineage

The modified Autodesk installer launches an embedded shellcode loader. This loader decrypts a configuration compatible with the long‑standing Gh0st RAT family, extracts the command‑and‑control (C2) parameters and connects to bifa668[.]com over TCP port 9899.

In the second stage, additional shellcode is fetched from the C2 and executed directly in the memory of the compromised process. AtlasCross RAT is then unpacked and run filelessly, leaving minimal forensic artifacts on disk and complicating traditional signature‑based detection.

Stealth, PowerShell abuse and defense evasion

A defining feature of AtlasCross RAT is its integrated “PowerChell” platform — a native C/C++ engine that allows the malware to run PowerShell and .NET code inside its own process. This avoids spawning the standard powershell.exe process, which many endpoint detection and response (EDR) tools monitor closely.

Before executing commands, AtlasCross RAT systematically disables multiple Windows security mechanisms: AMSI (Antimalware Scan Interface), ETW (Event Tracing for Windows) logging, Constrained Language Mode and ScriptBlock logging. By neutralizing these controls, the trojan can run arbitrary scripts and payloads with significantly reduced visibility in standard monitoring tools.
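Because AMSI, ETW and ScriptBlock logging are disabled inside the malware's own process, the PowerShell logs a defender normally relies on never get written. What the malware cannot suppress is telemetry collected from outside that process, such as Sysmon's image-load events (Event ID 7), which come from kernel callbacks. The well-known detection for in-process ("unmanaged") PowerShell is the engine assembly, System.Management.Automation.dll, being loaded by anything other than a PowerShell host. The following Python is an added illustration written for this article, not a vendor or Hexastrike rule; it assumes Sysmon events exported as one JSON object per line with Sysmon's field names, and the events, process names and paths are constructed.

```python
"""Detect the PowerShell engine being hosted by a non-PowerShell process from
Sysmon image-load telemetry (Event ID 7).  Added illustration, not a vendor
rule; events assume one JSON object per line with Sysmon field names and are
constructed, including the process names."""
import json
from pathlib import PureWindowsPath

# Processes expected to load the PowerShell engine.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}
# The engine assembly itself, including the native-image variant.
ENGINE_DLLS = {"system.management.automation.dll", "system.management.automation.ni.dll"}
# Locations an installed product rarely executes from; raises severity.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def detect_unmanaged_powershell(lines):
    """Return one alert dict per engine load by an unexpected host process."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") != 7:          # only image-load events matter here
            continue
        loaded = PureWindowsPath(ev["ImageLoaded"]).name.lower()
        if loaded not in ENGINE_DLLS:       # clr.dll alone is far too common to alert on
            continue
        host = ev["Image"]
        if PureWindowsPath(host).name.lower() in EXPECTED_HOSTS:
            continue
        severity = "high" if any(p in host.lower() for p in USER_WRITABLE) else "medium"
        alerts.append({
            "severity": severity,
            "pid": ev.get("ProcessId"),
            "host": host,
            "loaded": ev["ImageLoaded"],
            "reason": "PowerShell engine loaded outside a PowerShell host",
        })
    return alerts


# Real GAC location of the engine assembly on Windows PowerShell 5.x hosts.
_ENGINE = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
           r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")
_CLR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
_STAGE = r"C:\Users\victim\AppData\Local\Temp\setup_stage2.exe"   # constructed name

# Constructed event stream: a normal powershell.exe load, a process-create
# event, a CLR load, the same temp-dir process hosting the engine, and a
# legitimately installed automation product doing the same.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 7, "ProcessId": 4120, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "ImageLoaded": _ENGINE},
    {"EventID": 1, "ProcessId": 5228, "Image": _STAGE, "CommandLine": "setup_stage2.exe --silent"},
    {"EventID": 7, "ProcessId": 5228, "Image": _STAGE, "ImageLoaded": _CLR},
    {"EventID": 7, "ProcessId": 5228, "Image": _STAGE, "ImageLoaded": _ENGINE},
    {"EventID": 7, "ProcessId": 880, "Image": r"C:\Program Files\ExampleVendor\AutomationAgent.exe", "ImageLoaded": _ENGINE},
]).splitlines()

if __name__ == "__main__":
    for a in detect_unmanaged_powershell(SAMPLE_EVENTS):
        print(f"[{a['severity']}] pid {a['pid']} {a['host']} loaded {PureWindowsPath(a['loaded']).name}")
```

Two points follow from the sample. Products that legitimately embed PowerShell do exist, which is why a load from Program Files is rated medium and belongs on a tuning list rather than in an auto-block rule; and a signed installer running from a temp directory that pulls in the engine is exactly the shape of the chain this article describes, so that case is rated high. A loader that only patches AMSI and ETW in its own address space does nothing to stop this event from being recorded.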

Network communications with the C2 server are encrypted with ChaCha20; according to Hexastrike, a fresh key is generated for every packet from a hardware random number generator. This defeats static payload signatures and passive traffic analysis, and without the key material, captured sessions are impractical to decrypt, so defenders are left with connection metadata rather than content.

Capabilities: WeChat spying, RDP hijacking and AV disruption

AtlasCross RAT’s functionality reflects clear targeting of Chinese user ecosystems. Its capabilities include:

• Precise DLL injection into WeChat processes, enabling interception of chats and session data.
• Remote Desktop Protocol (RDP) session hijacking to silently take over active user sessions.
• Active termination of TCP connections associated with major Chinese security products, including 360 Safe, Huorong, Kingsoft and QQ PC Manager, instead of using vulnerable drivers (BYOVD) for kernel‑level tampering.
• Classic remote access trojan features: file operations, remote shell, and execution of arbitrary commands.
• Creation of persistent scheduled tasks to maintain long‑term access.

Hexastrike assesses AtlasCross RAT as an evolutionary step in the Gh0st RAT‑based toolchain, extending the capabilities seen in ValleyRAT (Winos 4.0), Gh0stCringe and HoldingHands RAT, with a pronounced focus on stealth and defense evasion.

Silver Fox threat group: tactics, tools and regional expansion

The campaign is attributed to the Chinese cybercriminal group Silver Fox, also tracked as SwimSnake, The Great Thief of Valley (Valley Thief), UTG‑Q‑1000 and Void Arachne. Chinese vendor Knownsec 404 describes Silver Fox as one of the most active threat actors in recent years, frequently targeting managerial and financial staff.

Silver Fox uses a multichannel approach to initial access: malicious messages in WeChat and QQ, traditional phishing emails, and now fraudulent software download sites such as those used to deliver AtlasCross RAT. The group’s objectives include long‑term remote control, credential theft, sensitive data exfiltration and financial fraud.

Their domain strategy is built on maximum visual similarity to official brands, often combined with regional top‑level domains (for example, .cn, .tw, .jp). In addition to typosquatting, Silver Fox has leveraged domain takeovers and DNS manipulation to reinforce the appearance of legitimacy.

Historically, the group distributed ValleyRAT via malicious PDF attachments aimed at organizations in Taiwan, abused misconfigured Chinese remote monitoring and management software SyncFuture TSM, and deployed a Python‑based information stealer masquerading as a WhatsApp application.

Since late 2025, activity attributed to Silver Fox has been observed in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore and India. Security company eSentire has reported tax‑themed phishing campaigns using the Blackmoon banking malware against Indian users, while French firm Sekoia highlights a “two‑track” model combining targeted intrusions with broader, opportunistic operations driven by RMM tools and custom stealers.

Research by ESET links recent spear‑phishing waves against Japanese manufacturers to Silver Fox, using themes such as alleged tax violations, salary adjustments, promotions and equity participation programs to deliver ValleyRAT. Once established, the malware enables systematic surveillance, data theft and preparation for further stages of compromise.

Defending against AtlasCross RAT and similar remote access trojans

The AtlasCross RAT campaign illustrates how quickly sophisticated tools and techniques aimed at Chinese‑speaking users can be adapted for other languages and regions. Organizations and individuals can reduce exposure by combining technical controls with user awareness.

Key defensive measures include downloading software only from verified official domains, rigorously checking URLs, and checking who signed a binary rather than only whether the signature is valid: on Windows, Get-AuthenticodeSignature or signtool verify /pa /v shows the signer's subject, which should match the vendor you expect. Treat an EV code-signing certificate as one signal among many, not a guarantee of safety.

Enterprises should tightly restrict and monitor the use of remote monitoring and management (RMM) tools, strengthen logging and analytics around PowerShell and script activity, and inspect network traffic for unusual destinations and ports, including TCP/9899. Deploying modern EDR solutions with behavioral detection and regularly training staff to recognize phishing attempts remain critical layers of defense.
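Since the C2 traffic itself is encrypted, the realistic network-side check is metadata correlation: which internal hosts resolved the published C2 domain, and which connected to the resulting address or to TCP/9899. The following Python is an added illustration written for this article, not part of the Hexastrike report; it reads Zeek dns.log and conn.log in their TSV format, and the log lines are constructed with trimmed field sets and documentation-range addresses (203.0.113.5 and friends), not captured campaign traffic.

```python
"""Correlate Zeek dns.log and conn.log against the published network indicators
(the C2 domain and TCP/9899).  Added illustration, not part of the report; the
log lines are constructed with trimmed field sets and documentation-range IPs."""

INDICATOR_DOMAINS = {"bifa668[.]com"}   # defanged, as published in the article
INDICATOR_PORTS = {9899}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable domain name."""
    return indicator.lower().replace("[.]", ".").replace("(.)", ".")


def parse_zeek(text: str):
    """Parse a Zeek TSV log by its #fields header; yields one dict per record."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            yield dict(zip(fields, line.split("\t")))


def resolved_ips(dns_text: str, domains) -> dict:
    """Addresses returned for any indicator domain -> {ip: domain}."""
    wanted = {refang(d) for d in domains}
    out = {}
    for rec in parse_zeek(dns_text):
        query = rec.get("query", "").lower().rstrip(".")
        if query in wanted and rec.get("answers", "-") != "-":
            for answer in rec["answers"].split(","):   # Zeek joins vectors with ','
                out[answer] = query
    return out


def find_c2_connections(dns_text: str, conn_text: str) -> list:
    """Flag TCP connections to an IP resolved from an indicator domain or to an indicator port."""
    ip_to_domain = resolved_ips(dns_text, INDICATOR_DOMAINS)
    alerts = []
    for rec in parse_zeek(conn_text):
        if rec.get("proto") != "tcp":
            continue
        dst, port = rec["id.resp_h"], int(rec["id.resp_p"])
        reasons = []
        if dst in ip_to_domain:
            reasons.append(f"resolved from {ip_to_domain[dst]}")
        if port in INDICATOR_PORTS:
            reasons.append(f"tcp/{port}")
        if reasons:
            alerts.append({"uid": rec["uid"], "src": rec["id.orig_h"],
                           "dst": dst, "port": port, "reasons": reasons})
    return alerts


def _tsv(rows):
    return "\n".join("\t".join(r) for r in rows)


# Constructed dns.log: one client resolves the C2 domain, another a legitimate vendor.
DNS_LOG = _tsv([
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "query", "qtype_name", "answers"],
    ["1761600001.1", "CdnsA1", "10.0.0.15", "51034", "10.0.0.2", "53", "udp",
     "bifa668.com", "A", "203.0.113.5"],
    ["1761600002.2", "CdnsB2", "10.0.0.15", "51035", "10.0.0.2", "53", "udp",
     "surfshark.com", "A", "198.51.100.20"],
])

# Constructed conn.log: C2 session, benign TLS, a probe to 9899 elsewhere, and
# a 443 connection to the resolved C2 address.
CONN_LOG = _tsv([
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
     "proto", "service", "duration", "orig_bytes", "resp_bytes", "conn_state"],
    ["1761600003.3", "CconnA1", "10.0.0.15", "49811", "203.0.113.5", "9899",
     "tcp", "-", "1843.2", "52310", "88412", "S1"],
    ["1761600004.4", "CconnB2", "10.0.0.15", "49812", "198.51.100.20", "443",
     "tcp", "ssl", "12.0", "3400", "9800", "SF"],
    ["1761600005.5", "CconnC3", "10.0.0.22", "49100", "192.0.2.77", "9899",
     "tcp", "-", "0.4", "120", "0", "S0"],
    ["1761600006.6", "CconnD4", "10.0.0.22", "49101", "203.0.113.5", "443",
     "tcp", "ssl", "5.0", "800", "1200", "SF"],
])

if __name__ == "__main__":
    for a in find_c2_connections(DNS_LOG, CONN_LOG):
        print(f"{a['uid']}: {a['src']} -> {a['dst']}:{a['port']} ({'; '.join(a['reasons'])})")
```

The port match on its own is a weak signal and mostly useful for prioritising triage; the connection that both resolved the published domain and used the published port is the one to pull a host off the network for. Correlating dns.log with conn.log also catches the case where the operator later moves the same infrastructure to a different port.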

The emergence of AtlasCross RAT as a stealthy, Gh0st‑derived toolkit in the hands of the Silver Fox group underscores the need for continuous threat intelligence, proactive monitoring and swift incident response. Organizations that invest in early detection, disciplined asset management and ongoing user education will be better positioned to prevent long‑term compromise by this and future generations of remote access trojans.
