A sophisticated cybercrime group known as Silver Fox, also tracked as SwimSnake, Valley Thief, UTG-Q-1000, and Void Arachne, has escalated its operations in Asia using a previously undocumented remote access trojan (RAT) named AtlasCross RAT. The campaign specifically targets Chinese-speaking users by leveraging typosquatted domains impersonating trusted software brands.
Attack Vectors and Targeted Applications
The group is distributing malware through fake websites mimicking popular applications such as:
- VPN clients (Surfshark, QuickQ)
- Encrypted messaging tools (Signal, Telegram)
- Video conferencing platforms (Zoom, Microsoft Teams)
- Cryptocurrency wallets (Trezor)
- Customer service software (KeFuBao)
- Remote desktop and e-commerce applications
Confirmed typosquatted domains include app-zoom.com, signal-signal.com, www-surfshark.com, trezor-trezor.com, and others. Most of these domains were registered on a single day, October 27, 2025, indicating a deliberate, coordinated strategy.
Malware Delivery Method
AtlasCross RAT is delivered via ZIP archives containing a trojanized AutoDesk installer alongside a legitimate decoy application. Upon execution, the installer launches a shellcode loader that decrypts an embedded Gh0st RAT configuration to obtain command-and-control (C2) information and fetch a second-stage shellcode payload from bifa668[.]com over TCP port 9899. The final AtlasCross RAT runs entirely in memory to evade detection.
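As an added, defender-side example that is not code from the article or from any vendor report it summarizes, the following Python script matches the indicators above against constructed DNS-query and network-flow log lines. The domain names and TCP port 9899 come from the article (bifa668[.]com is refanged here); the log line formats, client and destination IP addresses, timestamps, sample lines and the brand-typosquat heuristic are assumptions made for illustration.

```python
"""
Added example (not from the original article): a small IoC matcher that scans
constructed DNS-query and flow log lines for the typosquatted domains and the
C2 host/port reported in the write-up.  Log formats and sample lines are
invented for illustration and are not any product's real format.
"""
import re
from typing import Iterable

# Indicators taken from the article; the defanged C2 host is refanged here.
IOC_DOMAINS = {
    "app-zoom.com",
    "signal-signal.com",
    "www-surfshark.com",
    "trezor-trezor.com",
    "bifa668.com",
}
C2_PORT = 9899  # second-stage fetch port named in the article

# Brands the article says are being impersonated (lower-case tokens).
IMPERSONATED_BRANDS = (
    "surfshark", "quickq", "signal", "telegram", "zoom", "teams", "trezor", "kefubao",
)

# Constructed log formats (assumption, not a real product's format):
#   DNS : "<ts> dns client=<ip> query=<name>"
#   FLOW: "<ts> flow src=<ip> dst=<ip> dport=<port> proto=<proto>"
DNS_RE = re.compile(r"dns client=(?P<client>\S+) query=(?P<query>\S+)")
FLOW_RE = re.compile(
    r"flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def registrable_domain(name: str) -> str:
    """Return the last two labels of a hostname (sufficient for the .com IoCs above)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else name.lower()


def looks_like_brand_typosquat(name: str) -> bool:
    """Heuristic: a brand name embedded in the registrable label and joined by a
    hyphen to a prefix/suffix (app-zoom, www-surfshark) or doubled
    (signal-signal), the pattern seen in the domains the article lists."""
    label = registrable_domain(name).split(".")[0]
    return any(brand in label and label != brand and "-" in label
               for brand in IMPERSONATED_BRANDS)


def scan(lines: Iterable[str]) -> list[dict]:
    """Return one alert dict per suspicious line, in input order."""
    alerts = []
    for line in lines:
        m = DNS_RE.search(line)
        if m:
            query = m.group("query")
            if registrable_domain(query) in IOC_DOMAINS:
                alerts.append({"kind": "ioc_domain", "client": m.group("client"), "value": query})
            elif looks_like_brand_typosquat(query):
                alerts.append({"kind": "typosquat_heuristic", "client": m.group("client"), "value": query})
            continue
        m = FLOW_RE.search(line)
        if m and m.group("proto").lower() == "tcp" and int(m.group("dport")) == C2_PORT:
            alerts.append({"kind": "c2_port", "client": m.group("src"),
                           "value": f'{m.group("dst")}:{C2_PORT}'})
    return alerts


# Constructed sample lines (not captured traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = """\
2025-11-03T09:12:01Z dns client=10.0.0.15 query=www.zoom.us
2025-11-03T09:12:07Z dns client=10.0.0.15 query=app-zoom.com
2025-11-03T09:12:09Z dns client=10.0.0.22 query=trezor-wallet-update.com
2025-11-03T09:12:11Z dns client=10.0.0.22 query=bifa668.com
2025-11-03T09:12:12Z flow src=10.0.0.22 dst=203.0.113.77 dport=9899 proto=tcp
2025-11-03T09:12:15Z flow src=10.0.0.15 dst=203.0.113.10 dport=443 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f'{alert["kind"]:<20} host={alert["client"]} indicator={alert["value"]}')
```

The exact-match set catches the hosts the article names; the heuristic exists because the article says the listed domains are only some of those registered in the October 27 batch, so a hyphenated brand label that is not the brand's own domain is worth a second look. The port match on its own is a weak signal and is best correlated with the DNS hits from the same client, as the sample shows for 10.0.0.22.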

Advanced RAT Capabilities
The malware incorporates the PowerChell framework, a native C/C++ PowerShell engine, and its capabilities include the following security bypass and post-compromise features:
- Disables AMSI, ETW, ScriptBlock logging, and Constrained Language Mode
- Encrypts C2 traffic using ChaCha20 with per-packet random keys
- Injects DLLs into applications like WeChat
- Hijacks RDP sessions and terminates processes from Chinese security software (360 Safe, Huorong, Kingsoft, QQ PC Manager)
- Executes file and shell operations
- Establishes persistent scheduled tasks
Evolution from Previous Tooling
AtlasCross RAT represents the latest evolution of Silver Fox’s malware arsenal, following derivatives of Gh0st RAT such as ValleyRAT, Gh0stCringe, and HoldingHands RAT. The addition of PowerChell and a sophisticated security bypass chain significantly increases the operational capabilities of the threat actor.
Regional Impact and Strategic Campaigns
Since December 2025, Silver Fox has targeted entities in Japan, Malaysia, the Philippines, Thailand, Indonesia, Singapore, and India. Earlier campaigns included:
- ValleyRAT via phishing emails and malicious PDF attachments
- Exploitation of misconfigured Chinese RMM tools like SyncFuture TSM
- Deployment of Python-based stealers disguised as WhatsApp applications
The campaigns focus on managerial and finance staff, using lures related to tax compliance, salary adjustments, job changes, and employee stock plans.