Silver Fox Expands Asia Cyber Campaign with AtlasCross RAT and Fake Domains

Hold up — Silver Fox is back, and they're leveling up their Asia cyber campaign with some nasty new tricks. They're deploying AtlasCross RAT through 11 fake domains registered on October 27, 2025. This isn't just another malware drop — it's a full-on encrypted command-and-control (C2) operation designed for persistence and stealth.

The AtlasCross RAT is spreading via these spoofed domains, which were all registered on the same day — October 27, 2025. This coordinated move suggests a well-planned attack infrastructure. The RAT itself uses encrypted communications for C2, making it harder to detect and intercept. It's built for long-term access, with persistence mechanisms that keep it alive even after reboots or security scans.

This campaign is specifically targeting organizations across Asia, leveraging phishing and domain spoofing to trick users into downloading the malware. Once installed, AtlasCross gives attackers remote access to compromised systems, allowing them to steal data, deploy additional payloads, or maintain a foothold for future attacks.

The use of code signing certificates adds another layer of evasion, making the malware appear legitimate to security tools. This isn't just a smash-and-grab — it's a sophisticated, multi-stage operation aimed at establishing deep, persistent access in high-value targets.