Silver Fox Abuses Stolen EV Certificates in AtlasCross RAT Campaign
Key Takeaways
- The Chinese APT group Silver Fox (also known as Void Arachne or SwimSnake) is deploying the AtlasCross RAT in a new campaign.
- Attackers are using stolen Extended Validation (EV) code-signing certificates to sign malicious payloads, impersonating legitimate software like Surfshark, Signal, and Zoom.
- The AtlasCross RAT includes a custom PowerShell engine, PowerChell, designed to evade detection by disabling AMSI, ETW, and script logging.
- The campaign primarily targets Chinese-speaking users and professionals, with observed activity between November 2025 and March 2026.
A sophisticated campaign orchestrated by the Chinese-affiliated advanced persistent threat (APT) group Silver Fox, also identified as Void Arachne and SwimSnake, is actively deploying the AtlasCross RAT. This operation specifically targets Chinese-speaking individuals and professionals.
According to security researcher Maurice Fielenbach of Hexastrike, the threat actors are using typosquatted domains that mimic well-known software brands such as Surfshark, Signal, and Zoom. They sign their payloads with stolen Extended Validation (EV) code-signing certificates, which lets the binaries clear reputation- and signature-based controls that trust EV-signed code, and then establish persistent access within targeted enterprise networks.
The attackers have established an extensive infrastructure, featuring meticulously crafted landing pages designed to impersonate legitimate application vendors. When unsuspecting victims attempt to download software, they receive a ZIP archive containing a triple-nested Setup Factory installer.
To lend an air of legitimacy, the payloads are signed with a stolen EV certificate issued to “DUC FABULOUS CO.,LTD,” a Vietnamese entity. The certificate is genuine and remains valid until May 2027, so Authenticode validation succeeds; the only visible tell is that the signer is an unrelated Vietnamese company rather than Surfshark, Signal, or Zoom.

The outer layer of this installer drops a trojanized Autodesk component, named Schools.exe, alongside legitimate decoy applications like UltraViewer, intended to reduce user suspicion.
Upon execution, the trojanized loader resolves the Windows APIs it needs at run time rather than through an import table: it walks the Process Environment Block (PEB) loader lists to locate loaded modules and compares ROR13 hashes of their export names against hard-coded values. The binary therefore carries neither import entries nor API name strings, which defeats import-table and string-based static analysis (although the hash constants themselves become a signature once they are known).

It then extracts an embedded Gh0st RAT-style configuration and retrieves a second-stage shellcode payload from its command-and-control (C2) server via raw TCP communication, as Maurice Fielenbach detailed. A reflective loader then maps the AtlasCross RAT into memory, achieving fileless execution by not writing the final payload to disk.
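The PEB-walk-plus-ROR13 resolution described above, as an added example (this is not code from the Hexastrike report or from the AtlasCross sample): a Python model of the loader-side hash lookup and of the defender-side inverse, a precomputed hash-to-name table for labelling constants pulled out of a sample. The export list is constructed, and the exact hash variant (13-bit rotation, no terminating NUL) is an assumption, since the article does not publish AtlasCross's variant.

```python
# Added example, not from the report or the sample: ROR13 API hashing as used
# by shellcode-style loaders, plus the inverse table a defender precomputes.
from typing import Dict, Iterable, Optional

MASK32 = 0xFFFFFFFF


def ror32(value: int, count: int) -> int:
    """Rotate a 32-bit value right by `count` bits."""
    count %= 32
    return ((value >> count) | (value << (32 - count))) & MASK32


def ror13_hash(name: str) -> int:
    """Classic loader hash: h = ROR(h, 13) + byte over the ASCII export name.
    Variants differ in rotation count and in whether the NUL terminator is
    included; this 13-bit, no-terminator form is an assumption."""
    h = 0
    for b in name.encode("ascii"):
        h = (ror32(h, 13) + b) & MASK32
    return h


def resolve_by_hash(exports: Iterable[str], wanted: int) -> Optional[str]:
    """What the loader does after walking the PEB to a module's export table:
    hash each exported name and stop at the first match. None means the
    module probed does not export the wanted function."""
    for name in exports:
        if ror13_hash(name) == wanted:
            return name
    return None


def build_lookup(api_names: Iterable[str]) -> Dict[int, str]:
    """Defender side: hash -> name, so constants sitting next to a PEB walk in
    a disassembler can be renamed to the API they select."""
    return {ror13_hash(n): n for n in api_names}


# Constructed export list standing in for kernel32.dll's export table.
KERNEL32_EXPORTS = [
    "CreateFileW", "LoadLibraryA", "GetProcAddress", "VirtualAlloc",
    "VirtualProtect", "WriteProcessMemory", "CreateThread", "ExitProcess",
]

LOOKUP = build_lookup(KERNEL32_EXPORTS)


def label_hashes(hashes: Iterable[int]) -> Dict[int, str]:
    """Map each hash found in a sample to a name, or 'unknown'."""
    return {h: LOOKUP.get(h, "unknown") for h in hashes}


if __name__ == "__main__":
    for name in ("LoadLibraryA", "VirtualAlloc"):
        print(f"{name:20s} -> 0x{ror13_hash(name):08x}")
    print(label_hashes([ror13_hash("CreateThread"), 0xDEADBEEF]))
```

In practice the lookup table is built from the real export lists of kernel32.dll, ntdll.dll and ws2_32.dll (and re-run for each hash variant you encounter); a hash that stays "unknown" after that usually means a different rotation count or a module you have not tabulated.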
AtlasCross RAT and the PowerChell Framework
Central to this operation is the AtlasCross RAT, which incorporates a bespoke native C/C++ PowerShell execution engine known as PowerChell. This framework directly hosts the .NET Common Language Runtime (CLR) within the malware’s process, allowing it to execute PowerShell scripts without initiating a powershell.exe process.
PowerChell systematically neutralizes host defenses by patching memory to disable the Antimalware Scan Interface (AMSI), deactivating Event Tracing for Windows (ETW), circumventing Constrained Language Mode (CLM), and completely suppressing ScriptBlock logging.
The RAT maintains encrypted communication with its C2 infrastructure using ChaCha20, employing per-packet random keys generated by hardware random number generators.
To ensure long-term operation, AtlasCross actively terminates TCP connections initiated by popular Chinese security products, including 360 Total Security and Huorong. This subtle disruption prevents these tools from receiving cloud-based signature updates without overtly terminating their host processes.
Furthermore, the malware performs targeted DLL injection into WeChat (specifically Wxfun.dll) to harvest data, and ships a bundled script that uses tscon.exe to hijack active Remote Desktop Protocol (RDP) sessions. The tscon.exe technique needs SYSTEM privileges, but once it has them it attaches another user's session to the attacker's console without that user's credentials, so tscon.exe invocations are worth alerting on wherever they are not part of routine administration.
Indicators of Compromise (IOCs)
Defense teams should proactively search for the following infrastructure and payload indicators, which were observed between November 2025 and March 2026.
| Indicator Type | Value / Details | Description |
|---|---|---|
| Stolen EV Certificate | 2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C | DUC FABULOUS CO.,LTD (valid through May 2027) |
| C2 Domain & IP | bifa668[.]com / 61.111.250[.]139 | Primary raw TCP C2 communication (port 9899) |
| Malicious Network Beacon | 53 46 75 63 6b 00 00 00 | Hex value for “SFuck” followed by three NUL bytes, sent during the C2 handshake |
| Typosquatted Domain | www-surfshark[.]com | Surfshark VPN lure delivery domain |
| Typosquatted Domain | signal-signal[.]com | Signal encrypted messenger lure delivery domain |
| Staging Directory | C:Program Files (x86)GitMndsetup | Dropped payload and decoy application folder |
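A matcher for the network indicators in the table, as an added example (not from the report): it runs over constructed flow records shaped like what a Zeek- or Suricata-style sensor exports (5-tuple plus the first client-to-server payload bytes). Matching the 8-byte handshake at stream offset 0 keeps the detection alive if the actor re-points the C2 to a new IP; the IP and port match alone is the weaker signal. The flow layout and sample flows are assumptions.

```python
# Added example, not from the report: IOC matcher over constructed flow records.
from dataclasses import dataclass
from typing import List, Tuple

# 53 46 75 63 6b 00 00 00 from the IOC table: "SFuck" plus three NUL bytes.
HANDSHAKE_MAGIC = bytes.fromhex("534675636b000000")
C2_IP = "61.111.250.139"
C2_PORT = 9899


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # first bytes of the client-to-server stream


def matches_handshake(payload: bytes) -> bool:
    """The beacon opens the stream, so anchor at offset 0; a coincidental
    'SFuck' deeper inside unrelated traffic must not fire."""
    return payload[:len(HANDSHAKE_MAGIC)] == HANDSHAKE_MAGIC


def classify(flow: Flow) -> List[str]:
    """Return the IOC names this flow matches (empty list means clean)."""
    hits = []
    if matches_handshake(flow.payload):
        hits.append("atlascross-handshake")
    if flow.dst == C2_IP and flow.dport == C2_PORT:
        hits.append("atlascross-c2-endpoint")
    elif flow.dst == C2_IP:
        hits.append("atlascross-c2-ip")  # same host, unexpected port: lower confidence
    return hits


def scan(flows: List[Flow]) -> List[Tuple[str, str, int, List[str]]]:
    """Flows with at least one hit, for hand-off to a ticket or SIEM."""
    out = []
    for f in flows:
        hits = classify(f)
        if hits:
            out.append((f.src, f.dst, f.dport, hits))
    return out


# Constructed sample flows, not captured traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "61.111.250.139", 9899, HANDSHAKE_MAGIC + b"\x10\x00\x00\x00"),
    Flow("10.0.0.7", "203.0.113.9", 443, b"\x16\x03\x01\x00\xf5"),            # TLS ClientHello
    Flow("10.0.0.9", "198.51.100.4", 8080, b"POST /x SFuck\x00\x00\x00"),     # magic not at offset 0
    Flow("10.0.0.3", "61.111.250.139", 443, b"GET / HTTP/1.1\r\n"),           # C2 host, other port
]


if __name__ == "__main__":
    for src, dst, dport, hits in scan(SAMPLE_FLOWS):
        print(f"{src} -> {dst}:{dport} {hits}")
```

The same 8-byte anchor translates directly into a Suricata `content:"SFuck|00 00 00|"; offset:0; depth:8;` rule on `flow:to_server,established;`, which is usually the better place to run it than post-hoc log analysis.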
Silver Fox’s evolution from driver-based process termination to network-level security disruption signifies a rapidly maturing threat actor.
What You Should Do
- Proactively monitor for non-standard processes loading System.Management.Automation.dll, which could indicate PowerChell execution. Because PowerChell hosts the CLR inside the malware's own process, powershell.exe never starts, so process-creation alerts and ScriptBlock logging alone will not see it; image-load telemetry (for example Sysmon Event ID 7) will.
- Audit scheduled task creation, particularly under the \Microsoft\Windows\AppID task path, for suspicious entries.
- Implement robust email and web filtering to block access to known typosquatted domains and prevent the delivery of malicious archives.
- Educate users about the risks of downloading software from unofficial sources. Stress that a valid digital signature is not enough on its own: these payloads carry a genuine, unexpired EV signature, so the check that matters is whether the signer name matches the vendor (DUC FABULOUS CO.,LTD is not Surfshark, Signal, or Zoom) and whether the download came from the vendor's own site.
- Maintain up-to-date antivirus and endpoint detection and response (EDR) solutions, ensuring they are configured for maximum protection against fileless and memory-resident threats.
- Consider network segmentation to limit the lateral movement of malware in case of a successful compromise.
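The first recommendation (in-process PowerShell hosts) and the tscon.exe session hijack mentioned earlier share one detection shape: match an endpoint event against a short allow-list. As an added example (not from the report), the following Python runs that logic over constructed records shaped like Sysmon Event ID 7 (ImageLoad) and Event ID 1 (ProcessCreate). The allow-list, the field names and the sample events, including the dropper path, are assumptions.

```python
# Added example, not from the report: allow-list detections over constructed
# Sysmon-shaped records for in-process PowerShell hosts and tscon.exe hijacks.
from typing import Dict, List

AUTOMATION_DLL = "system.management.automation.dll"

# Known PowerShell hosts by full image path (assumed baseline; tune per fleet).
# Anything not listed that loads the automation DLL is flagged, which is the
# point: PowerChell-style hosts never show up as powershell.exe.
ALLOWED_HOSTS = {
    r"c:\windows\system32\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\syswow64\windowspowershell\v1.0\powershell.exe",
    r"c:\windows\system32\windowspowershell\v1.0\powershell_ise.exe",
    r"c:\program files\powershell\7\pwsh.exe",
}


def is_unexpected_automation_host(event: Dict[str, str]) -> bool:
    """Sysmon Event 7: the automation DLL loaded by a non-allow-listed image.
    Paths are lower-cased because Sysmon reports the caller's casing."""
    if event.get("EventID") != "7":
        return False
    loaded = event.get("ImageLoaded", "").lower().rsplit("\\", 1)[-1]
    if loaded != AUTOMATION_DLL:
        return False
    return event.get("Image", "").lower() not in ALLOWED_HOSTS


def is_tscon_session_hijack(event: Dict[str, str]) -> bool:
    """Sysmon Event 1: tscon.exe with /dest: reattaches another session to the
    caller's console. Legitimate use is rare enough to alert on outright."""
    if event.get("EventID") != "1":
        return False
    image = event.get("Image", "").lower()
    cmd = event.get("CommandLine", "").lower()
    return image.endswith("\\tscon.exe") and "/dest:" in cmd


def triage(events: List[Dict[str, str]]) -> List[str]:
    """One alert string per matching event, in event order."""
    alerts = []
    for e in events:
        if is_unexpected_automation_host(e):
            alerts.append(f"inproc-powershell-host: {e['Image']}")
        if is_tscon_session_hijack(e):
            alerts.append(f"rdp-session-hijack: {e['CommandLine']}")
    return alerts


GAC_DLL = (r"C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation"
           r"\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll")

# Constructed sample events, not real telemetry; the dropper path is invented.
SAMPLE_EVENTS = [
    {"EventID": "7", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ImageLoaded": GAC_DLL},
    {"EventID": "7", "Image": r"C:\Users\victim\AppData\Local\Temp\Schools.exe",
     "ImageLoaded": GAC_DLL},
    {"EventID": "1", "Image": r"C:\Windows\System32\tscon.exe",
     "CommandLine": "tscon.exe 2 /dest:console"},
    {"EventID": "1", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami"},
]


if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Expect some noise from the image-load rule on hosts where management tooling or installers legitimately embed the automation engine; extend the allow-list from observed baselines (by file hash or signer rather than path once the fleet is mature) instead of dropping the rule.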
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.