Silver Fox, also tracked as Void Arachne and SwimSnake, is running a sophisticated AtlasCross RAT campaign aimed specifically at Chinese-speaking users and professionals. The operators register typosquatted domains that impersonate trusted software brands such as Surfshark, Signal, and Zoom, and they sign their payloads with an Extended Validation (EV) code-signing certificate stolen from a Vietnamese company, "DUC FABULOUS CO.,LTD", so that the droppers pass as legitimate software.
The certificate remains valid until May 2027, so a valid Authenticode signature on these samples is not evidence of legitimacy.
Defense teams should hunt for the following infrastructure and payload indicators, observed between November 2025 and March 2026:

Stolen EV certificate: 2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C, issued to DUC FABULOUS CO.,LTD (valid until May 2027)
C2 domain and IP: bifa668.com / 61.111.250[.]139 (primary raw TCP C2 channel on port 9899)
Malicious network beacon: 53 46 75 63 6b 00 00 00 (the string "SFuck" followed by three null bytes, sent during the C2 handshake)
Typosquatted domain: www-surfshark[.]com (Surfshark VPN lure delivery domain)
Typosquatted domain: signal-signal[.]com (Signal encrypted messenger lure delivery domain)
Staging directory: C:\Program Files (x86)\GitMndsetup\ (folder for the dropped payload and decoy applications)

The outer wrapper drops a trojanized Autodesk component named Schools.exe alongside legitimate decoy applications such as UltraViewer to lower the victim's suspicion.
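The indicators above can be turned directly into hunting logic. What follows is an added example written for this page, not tooling from the original report: it refangs the published indicators, flags TCP flows whose first payload bytes are the "SFuck" handshake beacon, matches DNS queries against the lure and C2 domains, normalizes certificate thumbprints before comparison, and checks file paths against the staging directory. The DNS log format and flow record layout are assumptions, and the sample lines are constructed for illustration.

```python
import re


def refang(value: str) -> str:
    """Turn a defanged indicator such as 61.111.250[.]139 into its raw form."""
    return value.replace("[.]", ".")


# Indicators from the report above.
C2_DOMAIN = "bifa668.com"
C2_IP = refang("61.111.250[.]139")
C2_PORT = 9899
LURE_DOMAINS = {refang("www-surfshark[.]com"), refang("signal-signal[.]com")}
CERT_THUMBPRINT = "2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C"
STAGING_DIR = "C:\\Program Files (x86)\\GitMndsetup\\"
# Handshake beacon: "SFuck" followed by three NUL bytes (53 46 75 63 6b 00 00 00).
BEACON_PREFIX = b"SFuck\x00\x00\x00"


def is_handshake_beacon(payload: bytes) -> bool:
    """True when a client->server TCP payload starts with the AtlasCross beacon."""
    return payload.startswith(BEACON_PREFIX)


def classify_flow(dst_ip: str, dst_port: int, first_payload: bytes) -> list[str]:
    """Return the reasons a TCP flow matches the indicators; empty when it does not."""
    reasons = []
    if dst_ip == C2_IP:
        reasons.append("dst ip is AtlasCross C2")
    if is_handshake_beacon(first_payload):
        if dst_port == C2_PORT:
            reasons.append("SFuck handshake on port 9899")
        else:
            # The beacon is the stronger signal; infrastructure and ports may rotate.
            reasons.append("SFuck handshake on non-standard port")
    return reasons


# Assumed DNS log line format (constructed): "... client=<ip> query=<qname> type=<rr>"
DNS_LINE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<qname>\S+)")


def scan_dns_log(lines) -> list[tuple[str, str, str]]:
    """Return (client, qname, label) for queries to the lure or C2 domains."""
    hits = []
    for line in lines:
        m = DNS_LINE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname == C2_DOMAIN or qname.endswith("." + C2_DOMAIN):
            hits.append((m.group("client"), qname, "c2"))
        elif qname in LURE_DOMAINS:
            hits.append((m.group("client"), qname, "lure"))
    return hits


def normalize_thumbprint(value: str) -> str:
    """Strip colons/spaces and upper-case so thumbprints from any tool compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()


def is_stolen_cert(thumbprint: str) -> bool:
    return normalize_thumbprint(thumbprint) == CERT_THUMBPRINT


def is_staging_path(path: str) -> bool:
    """Windows paths are case-insensitive, so compare in lower case."""
    return path.lower().startswith(STAGING_DIR.lower())


# Constructed sample data, not captured traffic or real logs.
SAMPLE_DNS_LOG = [
    "2026-01-14T10:22:01Z client=10.0.0.5 query=www-surfshark.com. type=A",
    "2026-01-14T10:22:07Z client=10.0.0.5 query=bifa668.com. type=A",
    "2026-01-14T10:23:11Z client=10.0.0.9 query=www.surfshark.com. type=A",  # legitimate
]
SAMPLE_FLOWS = [
    {"dst_ip": "61.111.250.139", "dst_port": 9899, "payload": b"SFuck\x00\x00\x00\x01\x02"},
    {"dst_ip": "93.184.216.34", "dst_port": 443, "payload": b"\x16\x03\x01"},  # TLS hello
]


def hunt() -> list[str]:
    """Run every check over the constructed samples and return the findings."""
    findings = []
    for client, qname, label in scan_dns_log(SAMPLE_DNS_LOG):
        findings.append(f"dns {label}: {client} -> {qname}")
    for flow in SAMPLE_FLOWS:
        for reason in classify_flow(flow["dst_ip"], flow["dst_port"], flow["payload"]):
            findings.append(f"flow {flow['dst_ip']}:{flow['dst_port']}: {reason}")
    return findings


if __name__ == "__main__":
    for finding in hunt():
        print(finding)
```

The beacon check is deliberately independent of the port and IP: a stolen certificate and a rented server are easy for the operators to swap, whereas the handshake string is baked into the implant and survives infrastructure rotation.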
When executed, the trojanized loader walks the Process Environment Block (PEB) to find the loaded modules and resolves the Windows APIs it needs by comparing ROR13 hashes of export names rather than importing them by name, leaving no telltale imports and making static analysis considerably harder.
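The practical answer to hash-based API resolution is a lookup table: compute the same hash over every export of the system DLLs, then map the constants found in the loader back to names. The block below is an added example for this page, not code from the report or from the AtlasCross loader, and it assumes the widely used Metasploit block_api convention (module names hashed as upper-cased UTF-16LE without the terminator, export names as ASCII including the terminating NUL, the two hashes summed modulo 2**32); the report does not state which ROR13 variant the loader uses, so the constants must be checked against a sample before relying on them. The export list is a constructed subset for illustration.

```python
MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def hash_bytes(data: bytes) -> int:
    """Core ROR13 loop: rotate the accumulator, then add the next byte."""
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def module_hash(name: str) -> int:
    # PEB LDR entries hold BaseDllName as UTF-16LE; the loader upper-cases it
    # before hashing so "kernel32.dll" and "KERNEL32.DLL" collide on purpose.
    return hash_bytes(name.upper().encode("utf-16-le"))


def function_hash(name: str) -> int:
    # Export names are ASCII; the NUL terminator contributes one final rotation.
    return hash_bytes(name.encode("ascii") + b"\x00")


def api_hash(module: str, func: str) -> int:
    """Combined module+function hash, the constant a block_api-style stub looks for."""
    return (module_hash(module) + function_hash(func)) & MASK32


def build_table(exports: dict[str, list[str]]) -> dict[int, str]:
    """Map hash -> 'module!function' for every export we know of."""
    table = {}
    for module, funcs in exports.items():
        for func in funcs:
            table[api_hash(module, func)] = f"{module}!{func}"
    return table


# Constructed subset of exports; a real run would enumerate the export
# directory of each system DLL (for example with pefile) to build the table.
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "VirtualAlloc",
                     "CreateProcessA", "WinExec"],
    "ntdll.dll": ["NtAllocateVirtualMemory", "RtlCreateUserThread"],
    "ws2_32.dll": ["WSAStartup", "connect", "send", "recv"],
}


def resolve(hashes, table: dict[int, str]) -> list[str]:
    """Translate a list of 32-bit constants pulled from a sample into API names."""
    return [table.get(h, f"unknown:{h:08x}") for h in hashes]


def find_hashes(blob: bytes, table: dict[int, str]) -> list[tuple[int, str]]:
    """Scan a raw blob for little-endian DWORDs that resolve to a known API hash."""
    hits = []
    for i in range(len(blob) - 3):
        h = int.from_bytes(blob[i:i + 4], "little")
        if h in table:
            hits.append((i, table[h]))
    return hits


if __name__ == "__main__":
    table = build_table(KNOWN_EXPORTS)
    for h, name in sorted(table.items()):
        print(f"{h:08x}  {name}")
```

If the computed constants do not appear in a sample that clearly does PEB walking, the loader is using a different variant (a different rotation count, a seed value, or hashing only the function name); adjusting `hash_bytes` and `api_hash` to match the disassembly is usually a few minutes of work once the loop is located.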