

Ethical Hacking News

Silver Fox Expands Asia Cyber Campaign: A Sophisticated Threat Actor Utilizing Advanced Malware and Deception Tactics



The Silver Fox group has been identified as the mastermind behind a recent campaign that utilizes the highly sophisticated remote access trojan (RAT) called AtlasCross RAT. This advanced malware is being distributed through fake domains, posing as trusted software brands such as Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others. To stay ahead of this threat actor, it is essential to remain informed about the latest developments in the cybersecurity landscape.

  • Silver Fox, a Chinese-speaking cybercrime group, has launched an extensive campaign using the AtlasCross RAT malware.
  • The malware is being distributed through fake domains, posing as trusted software brands.
  • The Silver Fox group has been identified as the mastermind behind the campaign, linked to entities called SwimSnake and UTG-Q-1000.
  • The AtlasCross RAT represents a significant evolution in the group's malware tools, featuring a PowerChell framework for enhanced stealth capabilities.
  • The PowerChell framework allows the malware to disable certain security features before executing commands.
  • C2 traffic is encrypted using ChaCha20 with per-packet random keys generated via hardware RNG.
  • AtlasCross RAT can facilitate targeted DLL injection, RDP session hijacking, and other attacks on its targets.
  • The attack chains involve using bogus websites as lures to trick users into downloading malware.



    Silver Fox, a Chinese-speaking cybercrime group known for its cunning tactics and ability to evade detection, has recently expanded its operations in Asia by launching an extensive campaign that utilizes the highly sophisticated remote access trojan (RAT) called AtlasCross RAT. This advanced malware is being distributed through fake domains, posing as trusted software brands such as Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others.

    According to a report published by Hexastrike, a Germany-based cybersecurity company, the Silver Fox group has been identified as the mastermind behind this campaign. The report states that the group's activities have been tracked back to an entity called SwimSnake, also known as The Great Thief of Valley or Valley Thief. The same group is tracked under further designations as well, including UTG-Q-1000 and Void Arachne.

    The AtlasCross RAT represents a significant evolution in the Silver Fox group's arsenal of malware tools. Previous attacks by the group have utilized Gh0st RAT derivatives such as ValleyRAT (aka Winos 4.0), Gh0stCringe, and HoldingHands RAT (aka Gh0stBins). The addition of the PowerChell framework to AtlasCross RAT, however, marks a significant upgrade in capabilities.

    The PowerChell framework is a native C/C++ PowerShell execution engine that hosts the .NET CLR directly within the malware process. Because the engine runs inside the implant rather than inside a standard PowerShell host, it can disable security features such as AMSI (Antimalware Scan Interface), ETW (Event Tracing for Windows), Constrained Language Mode, and ScriptBlock logging before executing any commands. This is what gives AtlasCross RAT its enhanced stealth.
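    Hosting the PowerShell engine inside an arbitrary process is also what makes this technique visible to defenders: a process that is not a PowerShell host loading the PowerShell runtime assembly is a well-known hunting signal for "unmanaged PowerShell". The following Python snippet is an added example, not code from the article or from Hexastrike. It runs that check over constructed, simplified Sysmon Event ID 7 (image load) records; the flattened field names, sample paths and the host allowlist are assumptions.

```python
import re

# Processes expected to host the PowerShell engine. Assumed allowlist:
# management agents in a given estate may legitimately host it too, so
# review hits rather than alerting on them blindly.
EXPECTED_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# The managed PowerShell engine assembly, in JIT or native-image (.ni) form.
ENGINE_IMAGE = re.compile(r"\\system\.management\.automation(\.ni)?\.dll$",
                          re.IGNORECASE)

# Constructed sample telemetry: Sysmon Event ID 7 (ImageLoaded) records
# flattened to "key=value" pairs. Not real events from the campaign.
SAMPLE_EVENTS = r"""
EventID=7 ProcessId=4120 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ImageLoaded=C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Management.Automation\abc123\System.Management.Automation.ni.dll
EventID=7 ProcessId=5532 Image=C:\Users\user\AppData\Local\Temp\setup.exe ImageLoaded=C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll
EventID=7 ProcessId=5532 Image=C:\Users\user\AppData\Local\Temp\setup.exe ImageLoaded=C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll
EventID=7 ProcessId=6100 Image=C:\pwsh\pwsh.exe ImageLoaded=C:\pwsh\System.Management.Automation.dll
EventID=1 ProcessId=7000 Image=C:\Windows\System32\notepad.exe CommandLine=notepad.exe
""".strip().splitlines()


def parse_event(line: str) -> dict:
    """Turn a flattened 'key=value key=value' record into a dict."""
    return dict(re.findall(r"(\w+)=(\S+)", line))


def detect_unmanaged_powershell(lines):
    """Return (pid, image) pairs for processes outside EXPECTED_HOSTS that
    load the PowerShell engine assembly. Loading clr.dll alone is not enough:
    any .NET application does that, so only the engine assembly counts."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "7":
            continue
        if not ENGINE_IMAGE.search(ev.get("ImageLoaded", "")):
            continue
        host = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        if host not in EXPECTED_HOSTS:
            hits.append((ev.get("ProcessId"), ev.get("Image")))
    return hits


if __name__ == "__main__":
    for pid, image in detect_unmanaged_powershell(SAMPLE_EVENTS):
        print(f"PowerShell engine loaded by non-PowerShell host: pid={pid} image={image}")
```

    The check fires on the hosting pattern itself, before any script runs, so it does not depend on ScriptBlock logging or AMSI still being intact in the affected process. Real Sysmon output is XML or JSON rather than the flattened lines used here, and the same rule ports directly to a SIEM query over the ImageLoaded and Image fields.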

    Furthermore, the report highlights that C2 traffic is encrypted using ChaCha20 with per-packet random keys generated via hardware RNG. Keying each packet separately means that recovering a single key does not expose the rest of the session, which frustrates passive inspection of the commands exchanged between the implant and its command-and-control (C2) server.

    One notable feature of AtlasCross RAT is its ability to facilitate targeted DLL injection into WeChat, RDP session hijacking, active TCP-level termination of connections from Chinese security products, file and shell operations, and persistent scheduled task creation. These capabilities position Silver Fox as a highly versatile threat actor capable of conducting a wide range of attacks on their targets.

    The discovery of AtlasCross RAT also sheds light on the tactics employed by Silver Fox in its campaign. According to Hexastrike, the attack chains involve using bogus websites as lures to trick users into downloading ZIP archives containing an installer that drops a trojanized Autodesk binary along with the legitimate decoy application. The malicious installer subsequently launches a shellcode loader that decrypts an embedded Gh0st RAT configuration to extract C2 details and then downloads a second-stage shellcode payload from "bifa668[.]com" over TCP on port 9899, ultimately leading to the execution of AtlasCross RAT in memory.

    The majority of fake websites used by Silver Fox were registered on October 27, 2025, indicating a deliberate approach behind the campaign. The list of confirmed malware delivery domains includes app-zoom.com (Zoom), eyy-eyy.com (unknown), kefubao-pc.com (KeFuBao), quickq-quickq.com (QuickQ VPN), signal-signal.com (Signal), telegrtam.com.cn (Telegram), trezor-trezor.com (Trezor), ultraviewer-cn.com (UltraViewer), wwtalk-app.com (WangWang), www-surfshark.com (Surfshark VPN), and www-teams.com (Microsoft Teams).
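    Every confirmed delivery domain above embeds the impersonated brand either verbatim (hyphenated with www-, app-, a country code, or a repeat of the brand) or with a one-character typo (telegrtam). A simple lookalike check therefore catches most of them. The Python below is an added example, not code from the article or Hexastrike; it takes the page's domain list as constructed input, and the brand tokens, the allowlist of legitimate registrable domains and the edit-distance threshold are assumptions to tune per environment. It generalises the pattern to any brand list rather than these eleven names.

```python
# Constructed sample input: the delivery domains the report lists, plus a few
# legitimate hostnames (assumed, for contrast) that must not be flagged.
SAMPLE_HOSTS = [
    "app-zoom.com", "eyy-eyy.com", "kefubao-pc.com", "quickq-quickq.com",
    "signal-signal.com", "telegrtam.com.cn", "trezor-trezor.com",
    "ultraviewer-cn.com", "wwtalk-app.com", "www-surfshark.com",
    "www-teams.com", "www.zoom.us", "signal.org", "telegram.org",
]

# Brand tokens impersonated in the campaign (assumed normalisation of the
# report's brand names; extend with the software your users actually run).
BRAND_TOKENS = {"zoom", "signal", "telegram", "teams", "trezor", "surfshark",
                "ultraviewer", "quickq", "kefubao"}

# Registrable domains the brands really use (assumed allowlist; verify against
# your own vendor inventory before deploying).
LEGIT_DOMAINS = {"zoom.us", "signal.org", "telegram.org", "trezor.io",
                 "surfshark.com", "ultraviewer.net", "microsoft.com"}

# Fuzzy matching only for brands at least this long, to limit false positives
# on short names where one edit is a very small difference.
FUZZY_MIN_LEN = 6


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_allowlisted(host: str) -> bool:
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in LEGIT_DOMAINS)


def leading_label(host: str) -> str:
    """Leftmost DNS label after dropping a 'www.' prefix. Simplification: the
    campaign puts the brand in the first label, so that is all we inspect."""
    host = host.lower().rstrip(".")
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def classify(host: str):
    """Return (brand, reason) if host looks like a brand lookalike, else None."""
    if is_allowlisted(host):
        return None
    for token in leading_label(host).split("-"):
        if token in BRAND_TOKENS:
            return (token, "brand token in label")
        if len(token) >= FUZZY_MIN_LEN:
            for brand in sorted(BRAND_TOKENS):
                if len(brand) >= FUZZY_MIN_LEN and levenshtein(token, brand) == 1:
                    return (brand, "one edit from brand")
    return None


def scan(hosts):
    """Map every host to its classification (None when nothing matched)."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_HOSTS).items():
        print(f"{host:22} {verdict if verdict else 'no brand match'}")
```

    Two of the listed domains, eyy-eyy.com and wwtalk-app.com, carry no brand token from the assumed list and come back unmatched, which is the point of running a heuristic like this alongside, not instead of, an exact indicator blocklist built from the report.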

    The use of the same stolen Extended Validation code-signing certificate issued to DUC FABULOUS CO.,LTD, a Vietnamese entity registered in Hanoi, has raised concerns about potential widespread reuse within the cybercriminal ecosystem. This practice enables malicious payloads to acquire a veneer of legitimacy and bypass security checks.

    In light of these findings, it is clear that Silver Fox represents a sophisticated threat actor capable of employing advanced malware tools and deception tactics to evade detection and successfully conduct their attacks. As such, cybersecurity professionals must remain vigilant and continually update their defenses to prevent falling prey to the group's cunning tactics.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Silver-Fox-Expands-Asia-Cyber-Campaign-A-Sophisticated-Threat-Actor-Utilizing-Advanced-Malware-and-Deception-Tactics-ehn.shtml
  • https://thehackernews.com/2026/03/silver-fox-expands-asia-cyber-campaign.html
  • https://cybersixt.com/a/CSCWcbWE4gsFgWUSKdqCti

  • Published: Tue Mar 31 08:21:21 2026 by llama3.2 3B Q4_K_M