thehackernews.com 3/31/2026, 12:58:04 PM · via preferred

Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains

According to Hexastrike, Silver Fox is widening its Asia-focused operation by deploying AtlasCross RAT and using typosquatted domains that impersonate trusted software brands to deliver the malware to Chinese-speaking users. The campaign includes eleven confirmed delivery domains impersonating Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams and others, with targets spanning VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers and e-commerce apps.

AtlasCross RAT represents an evolution from Gh0st RAT derivatives, built with the PowerChell framework to host the .NET CLR inside the malware process and to bypass security protections; it can perform DLL injection into WeChat, RDP session hijacking, and TCP-level termination of security-product processes, among other capabilities.

The infection chain starts at bogus websites that prompt users to download ZIP installers. The installers drop a trojanized Autodesk binary, which then decrypts a Gh0st RAT configuration to fetch a second-stage payload from bifa668[.]com on port 9899. The operation spreads delivery across many forged domains, each impersonating a known brand so that it appears legitimate.

The campaign is part of Silver Fox’s broader, dual-track model that blends opportunistic criminal activity with more sophisticated tooling, as observed by security researchers.
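A hunting sketch for the two network-visible parts of this chain, the brand-lookalike delivery domains and the second-stage fetch on port 9899, added here as an example and not taken from the article or from Hexastrike. The log format, the official-domain allowlist, the similarity threshold and the `.example` hostnames are assumptions constructed for illustration.

```python
import difflib

# IoC from the article, stored defanged and refanged only for matching.
C2_HOST, C2_PORT = "bifa668[.]com".replace("[.]", "."), 9899
# Brands named in the article mapped to their official registrable domains
# (assumed allowlist; extend it for your environment).
BRANDS = {"surfshark": "surfshark.com", "signal": "signal.org",
          "telegram": "telegram.org", "zoom": "zoom.us", "teams": "microsoft.com"}

def registrable(host):
    """Naive last-two-labels registrable domain (no public-suffix handling)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def lookalike(host):
    """Return the impersonated brand, or None if host is official or unrelated."""
    reg = registrable(host)
    if reg in BRANDS.values():
        return None
    label = reg.split(".")[0].replace("-", "")
    for brand in BRANDS:
        # Brand embedded in the label, or a near-miss spelling of it.
        # Short brands (zoom, signal) will produce leads that need triage.
        if brand in label or difflib.SequenceMatcher(None, brand, label).ratio() >= 0.8:
            return brand
    return None

def scan(lines):
    """Return (src, host, port, reason) for each suspicious proxy log line."""
    hits = []
    for line in lines:
        _ts, src, host, port = line.split()
        if registrable(host) == C2_HOST and int(port) == C2_PORT:
            hits.append((src, host, int(port), "c2-ioc"))
        elif (brand := lookalike(host)):
            hits.append((src, host, int(port), f"lookalike:{brand}"))
    return hits

# Constructed sample log lines: "<timestamp> <src_ip> <dst_host> <dst_port>".
SAMPLE = [
    "2026-03-31T09:00:01Z 10.0.0.5 surfshark.com 443",
    "2026-03-31T09:00:07Z 10.0.0.5 surfshark-vpn.example 443",
    f"2026-03-31T09:01:12Z 10.0.0.5 {C2_HOST} {C2_PORT}",
    "2026-03-31T09:02:30Z 10.0.0.9 telegrarn.example 443",
    "2026-03-31T09:03:00Z 10.0.0.9 teams.microsoft.com 443",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

A lookalike visit followed shortly by a port 9899 connection from the same source, as in the constructed sample, is the sequence worth prioritizing for triage.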

Article by CyberSIXT