Silver Fox — Expanding Asia Cyber Campaign with AtlasCross RAT and Fake Domains

Executive Summary
Silver Fox — a Chinese-speaking threat actor — is intensifying targeted cyber campaigns against users and organizations across the Asia-Pacific region. According to a report by Germany-based Hexastrike published in late March 2026, the latest campaign deploys a previously undocumented remote access trojan named AtlasCross RAT, distributed through 11 typosquatted domains all registered on the same date — October 27, 2025. Concurrently, Sekoia (France) confirmed the group maintains a "dual-track" model: conducting APT-style espionage operations while continuing financially motivated cybercrime activities across South and Southeast Asia.
Threat Actor Profile
Silver Fox is a Chinese-origin cybercrime/APT group active since at least 2022. The group is tracked under multiple aliases:
| Alias | Source |
|---|---|
| Silver Fox | Hexastrike, Sekoia |
| Void Arachne | Trend Micro |
| UTG-Q-1000 | Chinese researchers |
| The Great Thief of Valley / Valley Thief | Knownsec 404 |
According to Knownsec 404, Silver Fox is categorized among the "most actively operating cyber threats" in recent years, primarily targeting senior management personnel and finance departments within enterprises. Since 2024, the group has pivoted toward more structured espionage-oriented campaigns alongside its traditional financial objectives.
Campaign Timeline (2025–2026): Three Attack Waves
Wave 1 — Taiwan Targeting (Early 2025)
Beginning no later than January 2025, Silver Fox launched phishing campaigns impersonating Taiwan's National Taxation Bureau, timed precisely around the announcement of corporate tax audit lists. Malicious emails carried PDF attachments; when victims clicked embedded content, an infection chain was triggered, deploying ValleyRAT through DLL side-loading.
Detailed infection chain:
Phishing email → malicious PDF attachment impersonating Taiwan's Ministry of Finance
PDF contains a hidden clickable region (/Annot) leading to a ZIP download from myqcloud infrastructure
ZIP contains python311.dll (shellcode loader) + View10.exe (decoy application)
Executes ValleyRAT, configured to load from C:\users\public\download\bb.jpg
C2 connection: 9010.360sdgg[.]com
By April 2025, Fortinet confirmed the campaign had expanded to Japan.
Wave 2 — RMM Tool Abuse (Late 2025)
From mid-December 2025, Silver Fox shifted to distributing SyncFuture TSM — a legitimate Chinese remote management tool (RMM) that was deliberately misconfigured. Attackers exploited a configuration handling flaw to embed C2 addresses directly into the filename ([ipv4]ClientSetup.exe), thereby avoiding modification of the file's digital signature. This campaign expanded to Malaysia, Philippines, Thailand, Indonesia, Singapore, and India.
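Because the installer's signature is untouched in this wave, the filename itself is the detection signal. The following is an added example (not from the Hexastrike or Sekoia reports) that scans file-creation events for a SyncFuture TSM installer name carrying an embedded IPv4 address. The report gives the pattern as [ipv4]ClientSetup.exe; whether the brackets are literal is not stated, so the regex accepts both forms (an assumption). The host names, paths and addresses are constructed sample data.

```python
import re

# Wave 2 naming pattern: IPv4 C2 address embedded in the TSM installer filename.
# The report writes it as [ipv4]ClientSetup.exe; brackets are treated as optional
# here (assumption, not from the report).
EMBEDDED_IPV4_INSTALLER = re.compile(
    r"^\[?(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]?ClientSetup\.exe$", re.IGNORECASE
)


def valid_ipv4(text: str) -> bool:
    """Reject octets outside 0-255 so '999.1.1.1' is not reported as an address."""
    return all(0 <= int(octet) <= 255 for octet in text.split("."))


def embedded_c2(filename: str):
    """Return the embedded IPv4 string when the filename matches, else None."""
    match = EMBEDDED_IPV4_INSTALLER.match(filename.strip())
    if not match or not valid_ipv4(match.group("ip")):
        return None
    return match.group("ip")


# Constructed file-creation events: (host, full path). 203.0.113.0/24 and
# 198.51.100.0/24 are documentation ranges, not real infrastructure.
SAMPLE_EVENTS = [
    ("10.0.0.15", r"C:\Users\alice\Downloads\ClientSetup.exe"),
    ("10.0.0.22", r"C:\Users\bob\Downloads\[203.0.113.10]ClientSetup.exe"),
    ("10.0.0.22", r"C:\Users\bob\Downloads\198.51.100.7ClientSetup.exe"),
    ("10.0.0.31", r"C:\Users\carol\Downloads\999.1.1.1ClientSetup.exe"),
    ("10.0.0.31", r"C:\Users\carol\Downloads\report.pdf"),
]


def flag_events(events):
    """Return (host, filename, embedded_ip) for every event whose name embeds a C2."""
    hits = []
    for host, path in events:
        name = path.rsplit("\\", 1)[-1]  # Windows basename
        ip = embedded_c2(name)
        if ip:
            hits.append((host, name, ip))
    return hits


if __name__ == "__main__":
    for host, name, ip in flag_events(SAMPLE_EVENTS):
        print(f"{host}: {name} -> embedded C2 {ip}")
```

The plain ClientSetup.exe is deliberately not flagged: the tool is legitimate, and the report's finding is the misconfigured filename, not the binary. Pair this with the allowlisting recommendation further down rather than relying on it alone.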
Wave 3 — Python Stealer Disguised as WhatsApp (Early 2026)
In February 2026, Silver Fox replaced the RMM tool with a custom Python stealer disguised as a WhatsApp application, targeting primarily Malaysia. This tool harvests credentials and sensitive documents, uploading them to C2 at xqwmwru[.]top, leaving behind distinctive artifacts:
C:\WhatsAppBackup\WhatsAppData.zip
%TEMP%\whatsapp_backup.lock
Spoofed User-Agent: WhatsAppBackup/1.0
New Weapon: AtlasCross RAT
AtlasCross RAT represents Silver Fox's latest weapons evolution, discovered by Hexastrike in March 2026. It is a more sophisticated variant built on the Gh0st RAT protocol framework — the same lineage as ValleyRAT and Winos 4.0.
AtlasCross RAT Infection Chain
Victim visits a fake website → downloads a ZIP file
ZIP contains a trojanized AutoDesk installer + legitimate decoy application
Trojanized AutoDesk launches a shellcode loader → decrypts embedded Gh0st RAT configuration
Downloads second-stage shellcode from bifa668[.]com over TCP port 9899
Executes AtlasCross RAT directly in memory
AtlasCross RAT Technical Capabilities
| Feature | Description |
|---|---|
| PowerChell Framework | Native C/C++ PowerShell execution engine hosting .NET CLR inside the malware process |
| Security Disablement | Kills AMSI, ETW, Constrained Language Mode, and ScriptBlock Logging |
| C2 Encryption | ChaCha20 with random per-packet key, generated via hardware RNG |
| DLL Injection | Injects into WeChat process |
| RDP Hijacking | Hijacks active RDP sessions |
| AV/EDR Blocking | Actively drops TCP connections from 360 Safe, Huorong, Kingsoft, QQ PC Manager |
| Persistence | Creates Scheduled Task |
| File & Shell Ops | Remote file management and shell command execution |
Notably, instead of using the popular BYOVD (Bring Your Own Vulnerable Driver) technique, AtlasCross RAT opts to directly drop TCP connections to Chinese security software — a more subtle evasion method.
Distribution Infrastructure: 11 Typosquatted Domains
All 11 AtlasCross RAT distribution domains were registered on the same date, October 27, 2025, indicating a high degree of premeditated preparation. The impersonated brands include applications popular within Chinese-speaking communities:
| Fake Domain | Target Brand |
|---|---|
| app-zoom.com | Zoom |
| signal-signal.com | Signal |
| telegrtam.com.cn | Telegram |
| www-surfshark.com | Surfshark VPN |
| www-teams.com | Microsoft Teams |
| trezor-trezor.com | Trezor (crypto wallet) |
| ultraviewer-cn.com | UltraViewer |
| quickq-quickq.com | QuickQ VPN |
| kefubao-pc.com | KeFuBao (e-commerce) |
| wwtalk-app.com | WangWang |
| eyy-eyy.com | Unknown |
Critically, all installer packages carry a stolen Extended Validation (EV) Code-Signing Certificate issued to DUC FABULOUS CO., LTD — a Vietnamese company registered in Hanoi. This certificate has also appeared in unrelated malware campaigns, suggesting it is being shared across the criminal ecosystem to bypass digital signature verification mechanisms.
Target Scope & Geography
Silver Fox selectively targets by industry and role, focusing particularly on:
Finance officers, accountants, and compliance personnel within enterprises
Mid-to-senior level managers at Southeast Asian organizations
Japanese manufacturers targeted through spear-phishing lures related to taxes and payroll
Countries targeted from December 2025 onward include: Japan, Malaysia, Philippines, Thailand, Indonesia, Singapore, India, and Taiwan. India was targeted through income tax lures bundled with Blackmoon malware, documented by eSentire in January 2026.
TTPs Mapped to MITRE ATT&CK Framework
| Tactic | Technique | Description |
|---|---|---|
| Initial Access | T1566.002 – Spearphishing Link | Fake tax authority emails with embedded links |
| Initial Access | T1566.001 – Spearphishing Attachment | Malicious PDF attachments |
| Resource Development | T1583.001 – Typosquatting | 11 domains impersonating popular software |
| Execution | T1059.001 – PowerShell | PowerChell framework within AtlasCross RAT |
| Defense Evasion | T1562.001 – Disable Security Tools | Kills AMSI, ETW, drops Chinese AV connections |
| Defense Evasion | T1553.002 – Code Signing | Uses stolen EV certificate |
| Persistence | T1053.005 – Scheduled Task | Creates auto-start Scheduled Task |
| C2 | T1573 – Encrypted Channel | ChaCha20 per-packet encryption |
| Collection | T1056.001 – Keylogging | ValleyRAT keystroke capture |
| Lateral Movement | T1563.002 – RDP Hijacking | AtlasCross RAT hijacks active RDP sessions |
Indicators of Compromise (IoCs)
AtlasCross RAT Distribution Domains
app-zoom[.]com | signal-signal[.]com | telegrtam[.]com.cn
www-surfshark[.]com | www-teams[.]com | trezor-trezor[.]com
ultraviewer-cn[.]com | quickq-quickq[.]com | kefubao-pc[.]com
wwtalk-app[.]com | eyy-eyy[.]com
C2 Servers
bifa668[.]com (TCP:9899) — AtlasCross RAT stage 2
xqwmwru[.]top — Python stealer exfiltration endpoint
9010.360sdgg[.]com — ValleyRAT C2
Python Stealer Endpoints (Wave 3)
https://xqwmwru[.]top/upload_large.php
https://xqwmwru[.]top/upload_status.php
https://xqwmwru[.]top/admin/login.php
Phishing Domains (Sekoia Documented)
googlevip[.]icu | oytdwzz[.]shop | gov[.]incometax[.]click
megamovielord[.]com | primetechstocks[.]com | domainCt[.]com
(Full list of 40+ domains available in Sekoia IoC Annex)
Strategic Assessment
Silver Fox is executing a "dual-track" model — simultaneously functioning as an APT and a cybercrime group — a trend increasingly observed within China-nexus threat ecosystems. Sekoia assesses this may be a "moonlighting" arrangement: a criminal group selling initial access to state-affiliated entities, or being outsourced by a state actor to conduct initial intrusion phases.
The continued use of ValleyRAT even after its builder was leaked in 2023, combined with the active development of kernel-mode rootkit plugins, demonstrates that Silver Fox possesses considerable technical resources and has not been disrupted by source code exposure. The emergence of AtlasCross RAT — featuring a dedicated PowerChell framework and ChaCha20 per-packet encryption — is clear evidence of sustained and continuous weapons development capability.
Defensive Recommendations
For SOC / Blue Teams:
Monitor outbound connections to domains matching the pattern [brand]-[brand].com or www-[brand].com
Deploy sandbox analysis for all PDFs and archive files (ZIP/RAR) prior to delivery to end users
Alert on unfamiliar EV code-signing certificates, especially from low-profile or unknown entities
Hunt for PowerShell processes spawned from non-standard parent processes (particularly where AMSI is disabled)
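The domain-pattern recommendation above is easy to turn into a log check. The following is an added example (not code from Hexastrike, Sekoia or the report) that runs two checks over DNS query log lines: an exact or parent-domain match against the defanged domains listed in this report's IoC section, and the two naming patterns the recommendation describes, [brand]-[brand].com (the same label repeated around a hyphen) and www-[brand].com. The log format (key=value fields) and all client addresses are constructed for the example; the pattern check is applied to the last two labels only, which is a simplification that ignores multi-part public suffixes such as .com.cn.

```python
import re

# Distribution and C2 domains exactly as listed (defanged) in the report's IoC section.
IOC_DOMAINS_DEFANGED = [
    "app-zoom[.]com", "signal-signal[.]com", "telegrtam[.]com.cn",
    "www-surfshark[.]com", "www-teams[.]com", "trezor-trezor[.]com",
    "ultraviewer-cn[.]com", "quickq-quickq[.]com", "kefubao-pc[.]com",
    "wwtalk-app[.]com", "eyy-eyy[.]com",
    "bifa668[.]com", "xqwmwru[.]top", "9010.360sdgg[.]com",
]


def refang(domain: str) -> str:
    """Turn the report's defanged notation back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in IOC_DOMAINS_DEFANGED}

# [brand]-[brand].com: identical label on both sides of the hyphen (signal-signal.com).
REPEATED_BRAND = re.compile(r"^([a-z0-9]+)-\1\.com$")
# www-[brand].com: "www" as a hyphenated prefix instead of a real subdomain.
WWW_HYPHEN = re.compile(r"^www-[a-z0-9]+\.com$")

# Assumed log layout (constructed for this example): "... client=<ip> query=<name> ..."
LOG_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")


def ioc_match(domain: str) -> bool:
    """True if the domain or any parent domain is in the IoC set (cdn.app-zoom.com hits)."""
    labels = domain.split(".")
    return any(".".join(labels[i:]) in IOC_DOMAINS for i in range(len(labels)))


def pattern_match(domain: str) -> bool:
    """Apply the naming heuristics to the last two labels (simplified apex, see lead-in)."""
    apex = ".".join(domain.split(".")[-2:])
    return bool(REPEATED_BRAND.match(apex) or WWW_HYPHEN.match(apex))


def classify(domain: str):
    """Return the list of reasons a query is interesting; empty means benign."""
    reasons = []
    if ioc_match(domain):
        reasons.append("ioc")
    if pattern_match(domain):
        reasons.append("pattern")
    return reasons


def scan_dns_log(lines):
    """Return (client, domain, reasons) for every line that triggers a check."""
    hits = []
    for line in lines:
        match = LOG_LINE.search(line)
        if not match:
            continue
        domain = match.group("query").lower().rstrip(".")
        reasons = classify(domain)
        if reasons:
            hits.append((match.group("client"), domain, reasons))
    return hits


# Constructed sample log: private client addresses, one benign lookup, one pattern-only hit.
SAMPLE_DNS_LOG = """\
2026-03-30T08:12:01Z client=10.0.0.15 query=www-teams.com type=A
2026-03-30T08:12:05Z client=10.0.0.15 query=teams.microsoft.com type=A
2026-03-30T08:13:11Z client=10.0.0.22 query=app-zoom.com type=A
2026-03-30T08:14:40Z client=10.0.0.22 query=cdn.quickq-quickq.com type=A
2026-03-30T08:15:02Z client=10.0.0.31 query=bifa668.com type=A
2026-03-30T08:15:30Z client=10.0.0.31 query=acme-acme.com type=A
""".splitlines()


if __name__ == "__main__":
    for client, domain, reasons in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{client} -> {domain} [{', '.join(reasons)}]")
```

Two of the sample hits show why both checks are needed: app-zoom.com is on the IoC list but fits neither naming pattern, while acme-acme.com fits the pattern but is not a known indicator and would need analyst triage rather than an automatic block.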
For System Administrators:
Block TCP connections to bifa668[.]com and xqwmwru[.]top at the perimeter
Audit Scheduled Tasks on all Windows endpoints for anomalous entries
Restrict the use of unapproved RMM tools (particularly SyncFuture TSM) via application allowlisting
Configure WDAC (Windows Defender Application Control) to prevent DLL injection into the WeChat process
For End Users:
Always download software exclusively from official vendor websites — carefully verify the full domain name before downloading
Be suspicious of emails referencing tax audits, salary adjustments, or stock option grants that contain attachments or links
Immediately report to IT any email requesting the content be "forwarded to a finance team member"
Conclusion
Silver Fox is one of the most dynamic and adaptable threat groups currently operating across Asia. With continuous weapons iteration (ValleyRAT → HoldingHands → RMM abuse → Python stealer → AtlasCross RAT), diversified attack vectors, and geographic expansion from China/Taiwan to all of Southeast Asia, the group poses a serious risk to organizations in the region, particularly those in financial services and manufacturing, and any organization that relies on popular communication applications. Continuous tracking of this group and ongoing IoC updates are mandatory requirements for any Threat Intelligence program operating within the APAC region.
References
Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains
Silver Fox’s Dual-Pronged Strategy: Dissecting the ValleyRAT Distribution Campaign
Silver Fox: The Only Tax Audit Where the Fine Print Installs Malware
A cunning predator: How Silver Fox preys on Japanese firms this tax season