AtlasCross RAT: The campaign that imitates legitimate apps and signs malware with stolen certificates to attack from memory

Published · 6 min read · 112 reads

An active campaign is using websites that are near-exact copies of legitimate software brands to lure Chinese-speaking users and deliver a new remote access Trojan called AtlasCross RAT. The research, published by a German-based cybersecurity firm, shows how the attackers prepared lures posing as VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers and e-commerce platforms to induce the download of compromised installers.

The infection vector is simple in appearance but sophisticated in execution: the victim lands on a spoofed site, downloads a ZIP file containing a trojanized installer bundled with the legitimate decoy application, and runs the installer believing it is trustworthy. The malicious installer, which imitates an Autodesk binary, loads a shellcode loader that decrypts an embedded configuration inherited from the Gh0st protocol to extract the command and control (C2) server details. A second stage is then retrieved from a remote server (reports indicate a download from bifa668[.]com over TCP port 9899) and the new RAT ends up running only in memory, minimizing its disk footprint.


A striking detail that points to a planned operation is that most of the fraudulent domains used as decoys were registered on the same day at the end of October 2025. The imitated brands identified include Zoom, Signal, Telegram, Surfshark, Microsoft Teams, Trezor and other applications that inspire confidence in technical and non-technical users alike.

The installers analyzed shared more than the same deception scheme: all of them were signed with an Extended Validation code-signing certificate issued to a Vietnamese entity. The repeated use of this certificate across unrelated campaigns suggests that the criminal ecosystem trades in legitimate certificates, stolen or resold, to lend malicious payloads an appearance of legitimacy and to evade security controls that trust a digital signature.

In technical terms, AtlasCross incorporates a number of notable improvements over earlier tools linked to the same actor. It integrates the so-called PowerChell, a native C/C++ engine that runs PowerShell by hosting the .NET CLR inside the malware process itself, allowing it to execute commands with powerful capabilities. Before launching any instruction, the implant applies multiple techniques to neutralize detection: it disables the Antimalware Scan Interface (AMSI), blocks Event Tracing for Windows (ETW), and bypasses the PowerShell language-mode restrictions that usually constrain malicious scripts. For those who want to go deeper into these mechanisms, Microsoft's documentation on AMSI is a useful reference: https://learn.microsoft.com/en-us/windows/win32/amsi/antimalware-scan-interface.

Communication with the C2 servers is also designed to reduce the chance of inspection: traffic between victim and controller is encrypted with ChaCha20, using random per-packet keys generated from a hardware random number generator. For those who want to learn more about ChaCha20, the IETF specification is a solid technical source: https://datatracker.ietf.org/doc/html/rfc8439.

Functionally, AtlasCross is not a simple backdoor: it offers targeted DLL injection into local applications such as WeChat, the ability to hijack RDP sessions, and routines that actively terminate TCP connections originating from popular Chinese security products (e.g. 360 Safe, Huorong, Kingsoft and QQ PC Manager) rather than resorting to vulnerable-driver tactics. It also supports basic file and shell operations and can establish persistence by creating scheduled tasks. This combination of techniques marks a clear evolution from the Gh0st RAT-based variants the actor has used before.

Attribution of the operation points to an actor known in the industry as Silver Fox, which appears under multiple aliases in different reports (including SwimSnake and other names). Several security companies that have observed the activity describe the group as highly active and adaptable: it maintains broad, opportunistic campaigns while running more targeted and strategic operations against finance and management staff, using vectors such as instant messaging (WeChat, QQ), phishing emails and fake tool sites. Analysis by specialized companies in the region agrees that the group's central tactic is to create domains that faithfully imitate official sites and add regional details to lower the victim's suspicion; techniques such as typo-squatting, domain name hijacking and DNS manipulation are part of its repertoire. For context on this type of threat and the work of analysts, technical write-ups on the relevant actors are worth consulting, for example the security reports of KnownSec 404 (https://404.knowsec.com/) and Sekoia's insights on emerging tactics and threats (https://www.sekoia.io/en/insights/).


Historically, the group has reused and updated tools from the Gh0st family, and its arsenal has ranged from delivery via malicious PDFs and abuse of legitimate but poorly configured remote management solutions to Python-based trojans posing as popular applications. This operational flexibility lets it both run mass campaigns for profit and maintain long-term access for more calculated operations. Other vendors and researchers have documented related campaigns; for an additional perspective on related tactics, incident response blogs and antivirus vendors such as ESET and eSentire offer analysis and examples: https://www.welivesecurity.com/ and https://www.esentire.com/blog.

What can users and organizations do to minimize risk? First, be wary of downloads outside official channels: obtaining software from verified websites and repositories is the most basic defense. Reviewing the details of the digital certificate before running an installer can help, although once certificates have been compromised this check is no longer infallible. Keeping the operating system and security software up to date, restricting execution of binaries from temporary locations, and educating teams about the risks of typo-squatting and of tools downloaded from links shared in messaging apps are practical measures. In enterprise environments, detection of abnormal in-memory behavior and monitoring of outbound connections to unusual domains and ports (e.g. outbound traffic to non-standard ports such as 9899) may reveal ongoing infections.
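A defender-side illustration of the monitoring advice above, added here and not part of the original article: a small Python scanner over constructed outbound-connection log lines (assumed format: timestamp, source IP, destination host and port) that flags the report's C2 domain, non-standard destination ports such as 9899, and domains that embed or nearly spell the brand names the campaign imitated. The port allowlist, log format and sample lines are assumptions for the example, not values from the report.

```python
import re
# Ports ordinary client traffic is expected to use; anything else counts as unusual.
EXPECTED_PORTS = {53, 80, 123, 443, 587, 993}
# Brands the campaign imitated, per the article, used for lookalike checks.
BRANDS = ["zoom", "signal", "telegram", "surfshark", "teams", "trezor"]
# The C2 domain named in the report (defanged with [.] in the source).
C2_DOMAINS = {"bifa668.com"}
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>[^:]+):(?P<port>\d+)$")

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance; a small distance to a brand name suggests typo-squatting.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_brand(host: str):
    # Inspect the second-level label ("zoom-dl.example" -> "zoom-dl"); an exact brand
    # label such as zoom.us is left alone, embedded or near-miss spellings are flagged.
    label = host.split(".")[-2] if "." in host else host
    for brand in BRANDS:
        if (brand in label and label != brand) or 0 < edit_distance(label, brand) <= 2:
            return brand
    return None

def scan(log_text: str) -> list:
    alerts = []  # (timestamp, destination, port, reason) tuples, one per triggered check
    for line in log_text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        dst, port = m["dst"].replace("[.]", "."), int(m["port"])  # refang for comparison
        if dst in C2_DOMAINS:
            alerts.append((m["ts"], dst, port, "known C2 domain"))
        if port not in EXPECTED_PORTS:
            alerts.append((m["ts"], dst, port, f"non-standard port {port}"))
        brand = lookalike_brand(dst)
        if brand:
            alerts.append((m["ts"], dst, port, f"lookalike of {brand}"))
    return alerts

# Constructed sample: a legitimate site, a lookalike domain and a C2 beacon on port 9899.
SAMPLE_LOG = """
2025-10-30T09:01:02Z 10.0.0.12 -> zoom.us:443
2025-10-30T09:03:15Z 10.0.0.12 -> zoom-dl[.]example:443
2025-10-30T09:04:40Z 10.0.0.12 -> bifa668[.]com:9899
"""
```

Running `scan(SAMPLE_LOG)` yields three alerts: the lookalike domain, the known C2 domain, and the non-standard port on the same beacon; the legitimate zoom.us entry produces none.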

The emergence of AtlasCross RAT and the reuse of valid certificates highlight a recurring lesson: attackers no longer rely only on isolated technical vulnerabilities, but combine social engineering, abuse of digital reputation and increasingly refined anti-detection techniques. The defence community must therefore combine technical controls with robust validation and awareness processes. To follow publications and incident analysis related to actors such as Silver Fox and the evolution of Gh0st variants, security research centres and blogs remain valuable and up-to-date sources.
