Full Report
Chinese-speaking users are the target of an active campaign that uses typosquatted domains impersonating trusted software brands to deliver a previously undocumented remote access trojan named AtlasCross RAT. "The operation covers VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce applications, with eleven confirmed delivery domains impersonating
Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
Silver Fox is a Chinese-speaking cybercrime group.
- **Aliases:** SwimSnake, The Great Thief of Valley (or Valley Thief), UTG-Q-1000, and Void Arachne.
- **Associations:** Associated with the development and use of the "ValleyRAT" and "Winos 4.0" malware lineage.
## Activity Summary
In late 2025 and early 2026, Silver Fox launched an expansive campaign targeting Chinese-speaking users. The operation utilized eleven typosquatted domains impersonating popular software (VPNs, messengers, and crypto tools) to deliver a new, undocumented remote access trojan (RAT) dubbed **AtlasCross RAT**. The campaign is characterized by a high degree of preparation, with most domains registered on a single day (October 27, 2025).
## Tactics, Techniques & Procedures
- **Typosquatting/SEO Poisoning:** Creating fake websites that mimic official brands (Zoom, Telegram, etc.) to lure downloads.
- **Malicious Installers:** ZIP archives containing a trojanized AutoDesk binary alongside a decoy app.
- **Code Signing Abuse:** Use of stolen Extended Validation (EV) code-signing certificates (issued to DUC FABULOUS CO.,LTD) to bypass security checks.
- **Security Software Termination:** Active TCP-level termination of Chinese security products (360 Safe, Huorong, Kingsoft, QQ PC Manager) to avoid detection.
- **Evasion & Stealth:**
  - Disabling AMSI, ETW, Constrained Language Mode, and ScriptBlock logging via the PowerChell framework.
  - Executing AtlasCross RAT directly in memory.
  - Encrypting C2 traffic with ChaCha20 using per-packet random keys.
- **Persistence:** Creation of scheduled tasks.
- **Post-Exploitation:** DLL injection into WeChat and RDP session hijacking.
## Targeting
- **Sectors:** Finance, E-commerce, Cryptocurrency, and general Corporate Management.
- **Geography:** Primarily Chinese-speaking users, with a prior history of targeting Indian users.
- **Victims:** Managerial and finance staff within targeted organizations; users of VPNs (Surfshark, QuickQ), Encrypted Messengers (Signal, Telegram), and Video Conferencing (Zoom, Teams).
## Tools & Infrastructure
- **Malware Families:**
  - **AtlasCross RAT** (Primary new payload)
  - **Gh0st RAT** (and derivatives: ValleyRAT, Gh0stCringe, HoldingHands RAT/Gh0stBins, Winos 4.0)
  - **PowerChell** (Custom .NET/PowerShell execution engine)
- **Infrastructure (Defanged):**
  - **Payload Delivery:** bifa668[.]com (Port 9899)
  - **Typosquatted Domains:**
    - app-zoom[.]com
    - eyy-eyy[.]com
    - kefubao-pc[.]com
    - quickq-quickq[.]com
    - signal-signal[.]com
    - telegrtam[.]com[.]cn
    - trezor-trezor[.]com
    - ultraviewer-cn[.]com
    - wwtalk-app[.]com
    - www-surfshark[.]com
    - www-teams[.]com
## Implications
Silver Fox has evolved from a standard cybercriminal group into a high-capability threat actor. The development of AtlasCross RAT—specifically the integration of the PowerChell framework and advanced security bypass chains—demonstrates a significant technical upgrade. Their ability to hijack RDP sessions and target specific Chinese security software suggests they are highly effective at operating within their regional "home" environment while expanding their reach across Asia.
## Mitigations
- **Domain Monitoring:** Implement monitoring for typosquatted or look-alike domains of frequently used corporate software.
- **Application Whitelisting:** Enforce strict application control policies to prevent the execution of undocumented or trojanized binaries.
- **Certificate Validation:** Monitor for and block software signed by compromised or suspicious certificates (e.g., DUC FABULOUS CO.,LTD).
- **EDR Hardening:** Ensure EDR solutions are configured to alert on the disabling of AMSI or ETW through non-standard processes.
- **User Education:** Train finance and management staff to verify download sources and avoid third-party software "portals" in favor of official vendor sites.
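As an added illustration of the domain-monitoring mitigation (example code written for this summary, not part of the original report), the script below scores domains from a DNS log or certificate-transparency feed against a brand watch-list and flags the three patterns seen in the eleven listed domains: the brand used as a hyphenated label token (app-zoom, www-teams), the brand embedded inside a longer label, and a label one edit away from the brand (telegrtam). The watch-list, the allow-list of legitimate registrable domains and the minimal public-suffix list are assumptions to be replaced with your own.

```python
"""Flag look-alike domains for a brand watch-list (added defensive example)."""
from typing import Optional, Tuple

# Brands named in the report (assumption: this watch-list is ours, not the report's).
BRANDS = ("zoom", "telegram", "signal", "surfshark", "quickq", "trezor", "teams", "ultraviewer")
# Registrable domains treated as legitimate (assumption; replace with your own allow-list).
ALLOWED = {"zoom.us", "telegram.org", "signal.org", "surfshark.com", "trezor.io", "microsoft.com"}
SUFFIXES = {"com", "cn", "net", "org", "us", "io"}  # minimal; use a public-suffix library in production

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_domain(domain: str) -> Tuple[str, str]:
    """Refang '[.]', lowercase, strip the public suffix; return (label, registrable domain)."""
    labels = domain.lower().replace("[.]", ".").strip(".").split(".")
    suffix = []
    while len(labels) > 1 and labels[-1] in SUFFIXES:   # handles 'com.cn'
        suffix.insert(0, labels.pop())
    if not suffix and len(labels) > 1:                  # unknown TLD: treat last label as suffix
        suffix.insert(0, labels.pop())
    return labels[-1], ".".join([labels[-1]] + suffix)

def classify(domain: str) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) when the domain impersonates a watched brand, else None."""
    label, registrable = split_domain(domain)
    if registrable in ALLOWED:
        return None
    tokens = label.split("-")
    for brand in BRANDS:
        if brand in tokens:                              # app-zoom, signal-signal, www-teams
            return brand, "brand used as a label token"
        if brand in label.replace("-", ""):              # brand glued into a longer label
            return brand, "brand embedded in label"
        if any(len(brand) >= 5 and levenshtein(t, brand) <= 1 for t in tokens):
            return brand, "one edit from brand"          # telegrtam -> telegram
    return None

def scan(domains):
    """Scan an iterable of domains and return [(domain, brand, reason)] for the flagged ones."""
    return [(d, *hit) for d in domains if (hit := classify(d))]

# Constructed sample: the report's eleven defanged domains plus benign lookups.
SAMPLE = ["app-zoom[.]com", "eyy-eyy[.]com", "kefubao-pc[.]com", "quickq-quickq[.]com",
          "signal-signal[.]com", "telegrtam[.]com[.]cn", "trezor-trezor[.]com",
          "ultraviewer-cn[.]com", "wwtalk-app[.]com", "www-surfshark[.]com",
          "www-teams[.]com", "zoom.us", "teams.microsoft.com", "example.com"]

if __name__ == "__main__":
    for dom, brand, why in scan(SAMPLE):
        print(f"{dom:24} -> {brand:12} ({why})")
```

Eight of the eleven report domains are flagged; eyy-eyy, kefubao-pc and wwtalk-app carry no watched brand, so they still need the indicator list itself rather than brand heuristics.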