Silver Fox Abuses Stolen EV Certificates in AtlasCross RAT Campaign

Jennifer Sherman, March 26, 2026

Key Takeaways

  • The Chinese APT group Silver Fox (also known as Void Arachne or SwimSnake) is deploying the AtlasCross RAT in a new campaign.
  • Attackers are using stolen Extended Validation (EV) code-signing certificates to sign malicious payloads, impersonating legitimate software like Surfshark, Signal, and Zoom.
  • The AtlasCross RAT includes a custom PowerShell engine, PowerChell, designed to evade detection by disabling AMSI, ETW, and script logging.
  • The campaign primarily targets Chinese-speaking users and professionals, with observed activity between November 2025 and March 2026.

A sophisticated campaign orchestrated by the Chinese-affiliated advanced persistent threat (APT) group Silver Fox, also identified as Void Arachne and SwimSnake, is actively deploying the AtlasCross RAT. This operation specifically targets Chinese-speaking individuals and professionals.

According to security researcher Maurice Fielenbach of Hexastrike, the threat actors are leveraging typosquatted domains that mimic well-known software brands such as Surfshark, Signal, and Zoom. They are employing stolen Extended Validation (EV) code-signing certificates to sign their malicious payloads, enabling them to bypass automated security checks and establish persistent access within targeted enterprise networks.

The attackers have established an extensive infrastructure, featuring meticulously crafted landing pages designed to impersonate legitimate application vendors. When unsuspecting victims attempt to download software, they receive a ZIP archive containing a triple-nested Setup Factory installer.

To lend an air of legitimacy, the payloads are signed with a stolen EV certificate issued to “DUC FABULOUS CO.,LTD,” a Vietnamese entity. This certificate remains valid until May 2027.

[Figure: Attack Flow (Source: Hexastrike)]

The outer layer of this installer drops a trojanized Autodesk component, named Schools.exe, alongside legitimate decoy applications like UltraViewer, intended to reduce user suspicion.

Upon execution, the trojanized loader dynamically resolves the Windows APIs it needs by walking the Process Environment Block (PEB) loader lists and comparing ROR13 hashes of export names, so that no API names appear in the binary's import table for static analysis tools to flag.
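The loader's API hashing is only an obstacle to analysis if the analyst cannot map the hash constants back to names. The added example below (not code from the report or from Hexastrike) precomputes the classic ROR13 hash, rotate the running 32-bit value right by 13 bits and add each ASCII byte, for a candidate list of export names so that hash constants read out of a sample can be resolved. The report does not say which ROR13 variant the loader uses; the plain per-byte variant over the bare name with no terminator and no module-name component is assumed here, and the candidate API list is constructed for illustration.

```python
from typing import Dict, Iterable, Optional

MASK = 0xFFFFFFFF


def ror13_hash(name: str) -> int:
    """Classic ROR13 API-name hash.

    Assumption: hash runs over the bare ASCII export name, with no NUL
    terminator and no module-name hash folded in (the report does not
    state which variant the loader uses).
    """
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & MASK  # 32-bit rotate right by 13
        h = (h + b) & MASK
    return h


def build_hash_table(api_names: Iterable[str]) -> Dict[int, str]:
    """Precompute hash -> export name so hash constants pulled from a
    sample's resolver routine can be looked up instead of brute-forced."""
    return {ror13_hash(n): n for n in api_names}


# Constructed seed list; in practice feed in the export tables of the DLLs
# the sample is seen to walk (kernel32, ws2_32, ...).
CANDIDATE_APIS = [
    "LoadLibraryA", "GetProcAddress", "VirtualAlloc", "CreateThread",
    "WSAStartup", "connect", "send", "recv",
]
TABLE = build_hash_table(CANDIDATE_APIS)


def resolve(h: int) -> Optional[str]:
    """Return the export name for a 32-bit hash, or None if not in the table."""
    return TABLE.get(h & MASK)


if __name__ == "__main__":
    # Constructed: hash constants as they might be read out of a resolver stub.
    for h in (0xEC0E4E8E, ror13_hash("VirtualAlloc"), 0x00000001):
        print(f"{h:#010x} -> {resolve(h) or 'unknown'}")
```

0xEC0E4E8E is the widely published ROR13 value for LoadLibraryA, which makes a convenient self-check that the rotate direction and width are right before the table is trusted on real samples.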

It then extracts an embedded Gh0st RAT-style configuration and retrieves a second-stage shellcode payload from its command-and-control (C2) server via raw TCP communication, as Maurice Fielenbach detailed. A reflective loader then maps the AtlasCross RAT into memory, achieving fileless execution by not writing the final payload to disk.

AtlasCross RAT and the PowerChell Framework

Central to this operation is the AtlasCross RAT, which incorporates a bespoke native C/C++ PowerShell execution engine known as PowerChell. This framework directly hosts the .NET Common Language Runtime (CLR) within the malware’s process, allowing it to execute PowerShell scripts without initiating a powershell.exe process.

PowerChell systematically neutralizes host defenses by patching memory to disable the Antimalware Scan Interface (AMSI), deactivating Event Tracing for Windows (ETW), circumventing Constrained Language Mode (CLM), and completely suppressing ScriptBlock logging.

The RAT maintains encrypted communication with its C2 infrastructure using ChaCha20, employing per-packet random keys generated by hardware random number generators.

To ensure long-term operation, AtlasCross actively terminates TCP connections initiated by popular Chinese security products, including 360 Total Security and Huorong. This subtle disruption prevents these tools from receiving cloud-based signature updates without overtly terminating their host processes.

Furthermore, the malware performs targeted DLL injection into WeChat (specifically Wxfun.dll) to harvest data and utilizes a bundled script that leverages tscon.exe to hijack active Remote Desktop Protocol (RDP) sessions.

Indicators of Compromise (IOCs)

Defense teams should proactively search for the following infrastructure and payload indicators, which were observed between November 2025 and March 2026.

| Indicator Type | Value / Details | Description |
| --- | --- | --- |
| Stolen EV certificate | 2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C | DUC FABULOUS CO.,LTD (valid through May 2027) |
| C2 domain and IP | bifa668.com / 61.111.250[.]139 | Primary raw TCP C2 communication (port 9899) |
| Malicious network beacon | 53 46 75 63 6b 00 00 00 | ASCII “SFuck” plus three null bytes, sent during the C2 handshake |
| Typosquatted domain | www-surfshark[.]com | Surfshark VPN lure delivery domain |
| Typosquatted domain | signal-signal[.]com | Signal encrypted messenger lure delivery domain |
| Staging directory | C:\Program Files (x86)\GitMndsetup | Dropped payload and decoy application folder |
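As an added example of putting the table to work (not code from the report), the script below refangs the network indicators above and sweeps constructed key=value DNS and firewall log lines for lookups of the lure and C2 domains (including subdomains) and for connections to the C2 address, noting when the reported port 9899 is involved. It also checks whether a captured TCP payload begins with the eight-byte handshake marker. The log format and the sample lines are constructed for illustration; adapt the parser to your own DNS and firewall exports.

```python
import re
from typing import Dict, Iterable, List, Tuple


def refang(value: str) -> str:
    """Undo the [.] defanging used in the IoC table so values match real log fields."""
    return value.replace("[.]", ".")


# Indicators copied from the report's table.
C2_DOMAINS: Dict[str, str] = {"bifa668.com": "primary C2 domain"}
LURE_DOMAINS: Dict[str, str] = {
    refang("www-surfshark[.]com"): "Surfshark VPN lure domain",
    refang("signal-signal[.]com"): "Signal lure domain",
}
C2_IPS: Dict[str, str] = {refang("61.111.250[.]139"): "primary C2 IP"}
C2_PORT = 9899
# "SFuck" followed by three NUL bytes, as listed for the C2 handshake.
BEACON_MARKER = bytes.fromhex("53 46 75 63 6b 00 00 00")

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, str]:
    """Parse a constructed 'timestamp key=value key=value ...' log line."""
    return dict(_KV.findall(line))


def domain_matches(host: str, iocs: Dict[str, str]) -> str:
    """Return the IoC description if host equals or is a subdomain of an IoC."""
    host = host.lower().rstrip(".")
    for domain, why in iocs.items():
        if host == domain or host.endswith("." + domain):
            return why
    return ""


def scan_log(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every line touching a known indicator."""
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(lines, 1):
        fields = parse_line(line)
        query = fields.get("query", "")
        why = domain_matches(query, C2_DOMAINS) or domain_matches(query, LURE_DOMAINS)
        if why:
            hits.append((n, f"DNS lookup of {query}: {why}"))
            continue
        dst = fields.get("dst", "")
        if dst in C2_IPS:
            port = fields.get("dport", "?")
            note = " on the reported C2 port" if port == str(C2_PORT) else ""
            hits.append((n, f"connection to {dst}:{port}: {C2_IPS[dst]}{note}"))
    return hits


def is_beacon(payload: bytes) -> bool:
    """True when a TCP payload starts with the reported handshake marker."""
    return payload[: len(BEACON_MARKER)] == BEACON_MARKER


# Constructed sample log: two DNS resolver lines and two firewall lines.
SAMPLE_LOG = [
    "2026-03-10T08:13:05Z src=10.0.0.12 query=www-surfshark.com type=A",
    "2026-03-10T08:14:22Z src=10.0.0.12 dst=61.111.250.139 dport=9899 proto=tcp",
    "2026-03-10T08:14:30Z src=10.0.0.12 dst=203.0.113.10 dport=443 proto=tcp",
    "2026-03-10T08:15:01Z src=10.0.0.31 query=cdn.bifa668.com type=A",
]

if __name__ == "__main__":
    for n, reason in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reason}")
    # Constructed payload: the marker followed by a length field.
    print("beacon marker seen:", is_beacon(BEACON_MARKER + b"\x10\x00\x00\x00"))
```

Matching on subdomains matters because a resolver log will usually show hostnames under the C2 domain rather than the bare apex, and the port check is deliberately advisory rather than a filter, since a connection to the listed address on any port is still worth a look.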

Silver Fox’s evolution from driver-based process termination to network-level security disruption signifies a rapidly maturing threat actor.

What You Should Do

  • Proactively monitor for non-standard processes loading System.Management.Automation.dll, which could indicate PowerChell execution.
  • Audit scheduled task creation, particularly under the \Microsoft\Windows\AppID task path, for suspicious entries.
  • Implement robust email and web filtering to block access to known typosquatted domains and prevent the delivery of malicious archives.
  • Educate users about the risks of downloading software from unofficial sources and the importance of verifying digital signatures.
  • Maintain up-to-date antivirus and endpoint detection and response (EDR) solutions, ensuring they are configured for maximum protection against fileless and memory-resident threats.
  • Consider network segmentation to limit the lateral movement of malware in case of a successful compromise.
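The first two recommendations above translate directly into log checks. The added example below (not code from the report) runs two such checks over constructed Sysmon and Windows Security events in JSON-lines form: an ImageLoad event (Sysmon Event ID 7) in which System.Management.Automation.dll, or its native image, is loaded by a process other than the expected PowerShell hosts, and a scheduled-task-created event (Security Event ID 4698) whose task path sits under \Microsoft\Windows\AppID but is not in the baseline of tasks that ship there. The host allowlist, the AppID baseline and the sample events are assumptions for illustration and should be re-baselined against your own golden image before use.

```python
import json
from typing import Dict, Iterable, List

# Assumption: processes expected to host the PowerShell engine in this
# environment. Extend from your own baseline (e.g. approved automation tools).
EXPECTED_ENGINE_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Assumption: tasks that ship under Microsoft/Windows/AppID on a stock Windows
# 10/11 install. Verify against your golden image before deploying.
APPID_PREFIX = "\\microsoft\\windows\\appid\\"
BASELINE_APPID_TASKS = {
    APPID_PREFIX + "policyconverter",
    APPID_PREFIX + "smartscreenspecific",
    APPID_PREFIX + "verifiedpublishercertstorecheck",
    APPID_PREFIX + "edp policy manager",
}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_engine_image(image_loaded: str) -> bool:
    """Matches System.Management.Automation.dll and its .ni.dll native image."""
    name = _basename(image_loaded)
    return name.startswith("system.management.automation") and name.endswith(".dll")


def flag_engine_loads(events: Iterable[Dict]) -> List[Dict]:
    """Sysmon Event ID 7: the PowerShell engine loaded by an unexpected host."""
    hits = []
    for ev in events:
        if ev.get("Source") != "Sysmon" or ev.get("EventID") != 7:
            continue
        if not is_engine_image(ev.get("ImageLoaded", "")):
            continue
        if _basename(ev.get("Image", "")) in EXPECTED_ENGINE_HOSTS:
            continue
        hits.append({"rule": "engine-in-unexpected-host",
                     "Image": ev["Image"], "ProcessId": ev.get("ProcessId")})
    return hits


def flag_appid_tasks(events: Iterable[Dict]) -> List[Dict]:
    """Security Event ID 4698: new task under the AppID path not in the baseline."""
    hits = []
    for ev in events:
        if ev.get("Source") != "Security" or ev.get("EventID") != 4698:
            continue
        task = ev.get("TaskName", "")
        if task.lower().startswith(APPID_PREFIX) and task.lower() not in BASELINE_APPID_TASKS:
            hits.append({"rule": "unexpected-appid-task",
                         "TaskName": task, "SubjectUserName": ev.get("SubjectUserName")})
    return hits


def load_events(jsonl: str) -> List[Dict]:
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


# Constructed sample events (raw string so the JSON keeps its escaped backslashes).
SAMPLE_EVENTS_JSONL = r"""
{"Source": "Sysmon", "EventID": 7, "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "ImageLoaded": "C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.Manaa57fc8cc#\\System.Management.Automation.ni.dll"}
{"Source": "Sysmon", "EventID": 7, "ProcessId": 5532, "Image": "C:\\Program Files (x86)\\GitMndsetup\\Schools.exe", "ImageLoaded": "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation\\System.Management.Automation.dll"}
{"Source": "Sysmon", "EventID": 7, "ProcessId": 6010, "Image": "C:\\Windows\\System32\\notepad.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"}
{"Source": "Security", "EventID": 4698, "SubjectUserName": "SYSTEM", "TaskName": "\\Microsoft\\Windows\\AppID\\PolicyConverter"}
{"Source": "Security", "EventID": 4698, "SubjectUserName": "alice", "TaskName": "\\Microsoft\\Windows\\AppID\\Updater"}
"""
EVENTS = load_events(SAMPLE_EVENTS_JSONL)

if __name__ == "__main__":
    for hit in flag_engine_loads(EVENTS) + flag_appid_tasks(EVENTS):
        print(hit)
```

Both checks are allowlist-driven, so the cost of a noisy allowlist is missed detections rather than false positives; tune them by first collecting which images load the engine DLL in normal operation and which tasks exist under the AppID folder on clean machines.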
