Silver Fox, an advanced persistent threat group also tracked as Void Arachne and SwimSnake, is running a malware campaign against Chinese-speaking users. The campaign delivers the AtlasCross Remote Access Trojan (RAT) through installers signed with stolen Extended Validation (EV) code-signing certificates.
Utilizing Typosquatted Domains
Security researcher Maurice Fielenbach of Hexastrike found that Silver Fox registers typosquatted domains that mimic well-known software brands, among them Surfshark, Signal and Zoom. The domains are the entry point of the operation: they serve installers signed with stolen EV certificates, and because an EV code-signing certificate carries immediate reputation with Windows SmartScreen and similar reputation-based controls, the signed payload is far less likely to be blocked before it runs and can go on to establish persistence inside enterprise networks.
The group has built infrastructure to host landing pages that closely resemble the genuine vendor sites. A victim who downloads from one of them receives a ZIP archive containing what looks like the vendor's installer; inside it is a trojanized component built to evade detection.
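One way to put the typosquatting angle to work defensively is to score queried hostnames against a brand watchlist. The block below is an added example, not code from Hexastrike or from the article; the brands are the three the article names, while the legitimate apex domains, the edit-distance threshold of 2, the log format and the log lines themselves are assumptions constructed for illustration (the .example and .test suffixes are reserved, so nothing here points at a real host).

```powershell
# Added example (not from the Hexastrike research): score hostnames from a
# constructed DNS log against the brands named in the article.
# Assumptions: legitimate apex list, MaxDistance, log format, and the naive
# "second label from the right" as registrable label (wrong for suffixes such
# as .co.uk; use a public-suffix list in production).

function Get-LevenshteinDistance {
    # Classic two-row dynamic-programming edit distance (ordinal, case-sensitive;
    # callers lower-case their inputs first).
    param([string]$A, [string]$B)
    if ($A.Length -eq 0) { return $B.Length }
    if ($B.Length -eq 0) { return $A.Length }
    $prev = [int[]](0..$B.Length)
    for ($i = 1; $i -le $A.Length; $i++) {
        $cur = New-Object int[] ($B.Length + 1)
        $cur[0] = $i
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[$i - 1] -eq $B[$j - 1]) { 0 } else { 1 }
            $cur[$j] = [Math]::Min([Math]::Min($prev[$j] + 1, $cur[$j - 1] + 1), $prev[$j - 1] + $cost)
        }
        $prev = $cur
    }
    return $prev[$B.Length]
}

function Test-LookalikeDomain {
    # Returns a finding object for a lookalike hostname, or $null for a clean one.
    param(
        [Parameter(Mandatory)][string]$Hostname,
        # brand -> assumed legitimate apex domain (assumption, not from the article)
        [hashtable]$BrandApex = @{ surfshark = 'surfshark.com'; signal = 'signal.org'; zoom = 'zoom.us' },
        [int]$MaxDistance = 2
    )
    $name = $Hostname.ToLowerInvariant().TrimEnd('.')
    foreach ($apex in $BrandApex.Values) {
        # the genuine apex and its subdomains are never lookalikes
        if ($name -eq $apex -or $name.EndsWith('.' + $apex)) { return $null }
    }
    $labels = $name.Split('.')
    if ($labels.Count -lt 2) { return $null }
    $sld = $labels[-2]                                   # naive registrable label
    foreach ($brand in $BrandApex.Keys) {
        $reason = $null
        if ($sld -eq $brand)           { $reason = 'brand name on a different TLD' }
        elseif ($sld -like "*$brand*") { $reason = 'brand name embedded in the label' }
        else {
            $d = Get-LevenshteinDistance -A $sld -B $brand
            if ($d -le $MaxDistance) { $reason = "edit distance $d from brand" }
        }
        if ($reason) {
            return [pscustomobject]@{ Hostname = $name; Brand = $brand; Reason = $reason }
        }
    }
    return $null
}

# Constructed sample log (timestamp, client, queried name). Reserved TLDs only.
$SampleDnsLog = @'
2025-01-01T10:00:00Z 10.0.0.5  surfshark.com
2025-01-01T10:00:03Z 10.0.0.5  surfsharkvpn-download.example
2025-01-01T10:00:07Z 10.0.0.9  updates.signal.org
2025-01-01T10:00:09Z 10.0.0.9  signa1.example
2025-01-01T10:00:12Z 10.0.0.12 zoom-us.test
2025-01-01T10:00:13Z 10.0.0.12 zoom.example
2025-01-01T10:00:15Z 10.0.0.12 github.com
'@

$SampleDnsLog -split "`n" |
    ForEach-Object { ($_.Trim() -split '\s+')[-1] } |
    Where-Object { $_ } |
    ForEach-Object { Test-LookalikeDomain -Hostname $_ } |
    Format-Table -AutoSize
```

On the sample above, four of the seven names are flagged (the embedded-brand and single-substitution lookalikes and the brand name on a foreign TLD) while the genuine apex domains and github.com pass. The edit-distance rule is the noisy part: with a four-letter brand such as zoom, a threshold of 2 will also catch unrelated words, so tune MaxDistance per brand length or weight the score before paging anyone on it.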
Advanced Malware Techniques
The payload is signed with an EV certificate stolen from a Vietnamese company, DUC FABULOUS CO.,LTD, whose validity period runs until May 2027. The validity date alone says nothing about whether the certificate has since been revoked, so any signature check should consult the issuing CA's revocation information rather than trust the date. Once executed, this signed outer wrapper drops a compromised Autodesk component alongside legitimate application files so that the installation looks unremarkable to the user.
The loader resolves the Windows APIs it needs at run time instead of importing them, so its import table gives static analysis little to work with. It then decodes an embedded configuration, uses it to fetch a second-stage payload from a command-and-control (C2) server, and runs the AtlasCross RAT from memory without writing it to disk.
AtlasCross RAT and PowerChell Framework
At the center of the operation is the AtlasCross RAT and its custom PowerShell execution engine, PowerChell. Rather than launching powershell.exe, the malware hosts the .NET Common Language Runtime and the PowerShell engine inside its own process, so scripts run without the process-creation events that most PowerShell detections are keyed on.
To stay hidden, PowerChell disables Windows defenses and encrypts its traffic to the C2 infrastructure. The RAT also blocks network connections from Chinese security products so they cannot fetch updates, which further entrenches it on infected systems.
Silver Fox's move from simply killing security-product processes to disrupting them at the network level shows how the actor is maturing. Defenders should watch for unexpected processes, in particular non-PowerShell processes that load the PowerShell engine assembly, and audit scheduled tasks, which the research points to as a place where PowerChell activity shows up.
Detailed indicators of compromise for this campaign, including the domains and certificate details, are available from the source research; security teams should ingest them and hunt proactively rather than wait for an alert.
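The three detection angles above (an in-process PowerShell engine, scheduled-task persistence, and network-level interference with security tooling) can be turned into a single triage sweep. The block below is an added example written for this page, not Hexastrike's code and not anything taken from the campaign; run it in an elevated PowerShell session on the host under examination. The list of known-good PowerShell hosts and the interpreter regex are my assumptions, the signer watchlist holds only the subject name the article quotes, and the firewall-rule check is one plausible place to look for the network disruption, since the article does not say which mechanism the RAT uses.

```powershell
# Added example (not from Hexastrike or the campaign). Elevated PowerShell 5.1/7.
# Assumptions: $ExpectedHosts and the interpreter regex are mine; $SignerWatchlist
# carries the subject quoted in the article; outbound block rules are checked as
# one guess at how update traffic could be cut off.

$AutomationDll   = 'System.Management.Automation.dll'
$ExpectedHosts   = @('powershell', 'pwsh', 'powershell_ise')   # baseline per estate
$SignerWatchlist = @('DUC FABULOUS CO.,LTD')

function Find-UnmanagedPowerShell {
    # A process that has loaded the PowerShell engine assembly but is not a known
    # PowerShell host is the footprint of an in-process engine such as PowerChell.
    Get-Process | ForEach-Object {
        $p = $_
        try { $mods = $p.Modules } catch { return }   # protected or cross-bitness process
        if (($mods.ModuleName -contains $AutomationDll) -and
            ($ExpectedHosts -notcontains $p.ProcessName)) {
            [pscustomobject]@{ Finding = 'unmanaged-powershell'; Pid = $p.Id
                               Process = $p.ProcessName; Detail = $p.Path }
        }
    }
}

function Get-SuspiciousScheduledTask {
    # Flags task actions that run an interpreter, an unsigned or invalid binary,
    # a binary signed by a watchlisted subject, or a binary that is missing.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }          # non-exec action types
            $exe  = [Environment]::ExpandEnvironmentVariables($action.Execute).Trim('"')
            $cmd  = Get-Command -Name $exe -CommandType Application -ErrorAction SilentlyContinue
            $path = if ($cmd) { $cmd.Source } else { $exe }
            $reason = $null
            if ($path -match '(?i)(^|\\)(powershell|pwsh|cmd|mshta|wscript|cscript|rundll32|regsvr32)(\.exe)?$') {
                $reason = "interpreter with arguments: $($action.Arguments)"
            } elseif (Test-Path -LiteralPath $path -PathType Leaf) {
                $sig     = Get-AuthenticodeSignature -LiteralPath $path
                $subject = $sig.SignerCertificate.Subject
                if ($sig.Status -ne 'Valid') { $reason = "signature status $($sig.Status)" }
                elseif ($SignerWatchlist | Where-Object { $subject -like "*$_*" }) {
                    $reason = "watchlisted signer: $subject"
                }
            } else {
                $reason = 'target binary not found on disk'
            }
            if ($reason) {
                [pscustomobject]@{ Finding = 'scheduled-task'; Pid = $null
                                   Process = "$($task.TaskPath)$($task.TaskName)"
                                   Detail  = "$path ($reason)" }
            }
        }
    }
}

function Get-OutboundBlockRule {
    # Enabled outbound block rules, with the program they apply to. Baseline these;
    # a new rule scoped to a security product's updater is worth a closer look.
    Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $app = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{ Finding = 'outbound-block-rule'; Pid = $null
                               Process = $_.DisplayName; Detail = $app.Program }
        }
}

$findings = @(Find-UnmanagedPowerShell) + @(Get-SuspiciousScheduledTask) + @(Get-OutboundBlockRule)
$findings | Format-Table -AutoSize
```

Treat the output as a triage list, not a verdict: several Microsoft management products legitimately host the PowerShell engine, stock Windows ships scheduled tasks that call rundll32, and a Valid signature only means the certificate had not been revoked at the moment the check ran against whatever revocation data the host could reach. The value is in diffing a run against a known-good baseline of the same host and in the watchlist hit, which is the one line that should never appear.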
