Silver Fox APT Targets Chinese-Speaking Users with Stealthy AtlasCross RAT Campaign
A Chinese-nexus advanced persistent threat (APT) group, tracked as Silver Fox (also known as Void Arachne and SwimSnake), is conducting a sophisticated campaign targeting Chinese-speaking users and professionals. Security researcher Maurice Fielenbach of Hexastrike uncovered the operation, which leverages typosquatted domains impersonating trusted brands like Surfshark, Signal, and Zoom to distribute malware.
The attackers sign their droppers with a stolen Extended Validation (EV) code-signing certificate issued to a Vietnamese entity, DUC FABULOUS CO.,LTD (valid until May 2027), so the binaries pass signature and reputation checks on the way into enterprise networks. A certificate's expiry date says nothing about revocation, and Authenticode signatures carrying a trusted timestamp stay valid after the certificate is revoked unless the CA back-dates the revocation, so defenders should block on the thumbprint rather than wait for the issuer. Victims are lured into downloading a ZIP archive containing a triple-nested Setup Factory installer, which deploys a trojanized Autodesk component (Schools.exe) alongside legitimate decoy applications such as UltraViewer to avoid suspicion.
The malware employs advanced evasion techniques, including Process Environment Block (PEB) walking and ROR13 hashing, to resolve Windows APIs at run time: the binary carries no import entries for the functions it resolves this way, only 32-bit hash constants, which defeats static import analysis and plain string scanning. It retrieves a second-stage shellcode payload from its command-and-control (C2) server over raw TCP and loads the AtlasCross RAT entirely in memory through a reflective loader; the RAT stage itself is never written to disk, so only the signed installer and Schools.exe leave a file-system footprint.
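To show what hash-based API resolution looks like from the analyst's side, here is an added example (not code from the report or from the malware) that implements ROR13 API hashing in the Metasploit block_api convention and uses it to map hash constants recovered from a sample back to API names. The exact variant Silver Fox uses (seed, rotation count, case rules, whether the module name is folded in) is not given in the write-up, so the convention and the candidate API list below are assumptions; if a sample's constants do not resolve, regenerate the table with that sample's own rules.

```python
"""ROR13 API-hash resolver in the Metasploit block_api convention (added example)."""

MASK32 = 0xFFFFFFFF


def ror13(value: int) -> int:
    """Rotate a 32-bit value right by 13 bits, as the x86 `ror edi, 13` does."""
    value &= MASK32
    return ((value >> 13) | (value << 19)) & MASK32


def ror13_hash(data: bytes) -> int:
    """Fold a byte string into a 32-bit hash: for each byte, rotate, then add.

    The loader loop includes the terminating NUL of the name it hashes, so
    callers pass the terminator explicitly.
    """
    h = 0
    for b in data:
        h = (ror13(h) + b) & MASK32
    return h


def block_api_hash(module: str, function: str) -> int:
    """Hash a (module, export) pair the way Metasploit's block_api does.

    The module name is upper-cased and hashed as UTF-16LE including its NUL
    (the loader walks BaseDllName.MaximumLength bytes); the export name is
    hashed as ASCII including its NUL; the two hashes are summed mod 2**32.
    kernel32.dll!LoadLibraryA gives 0x0726774C under these rules.
    """
    mod_bytes = (module.upper() + "\x00").encode("utf-16-le")
    fn_bytes = (function + "\x00").encode("ascii")
    return (ror13_hash(mod_bytes) + ror13_hash(fn_bytes)) & MASK32


# Exports an analyst would expect a PEB-walking loader to resolve.
# Assumption for this example, not the set the sample actually uses.
CANDIDATES = [
    ("kernel32.dll", "LoadLibraryA"),
    ("kernel32.dll", "GetProcAddress"),
    ("kernel32.dll", "VirtualAlloc"),
    ("kernel32.dll", "VirtualProtect"),
    ("kernel32.dll", "CreateThread"),
    ("kernel32.dll", "ExitProcess"),
    ("ws2_32.dll", "WSAStartup"),
    ("ws2_32.dll", "WSASocketA"),
    ("ws2_32.dll", "connect"),
    ("ws2_32.dll", "recv"),
]


def build_lookup(candidates=CANDIDATES) -> dict:
    """Precompute hash -> 'module!function' for every candidate pair."""
    return {block_api_hash(m, f): f"{m}!{f}" for m, f in candidates}


def resolve_hashes(observed, lookup=None) -> dict:
    """Map 32-bit constants pulled from a sample back to API names.

    Unknown constants map to None so the analyst sees what is unresolved:
    a different seed, rotation or case rule means the sample uses a variant
    of the scheme and the table must be regenerated with those rules.
    """
    if lookup is None:
        lookup = build_lookup()
    return {h: lookup.get(h & MASK32) for h in observed}


if __name__ == "__main__":
    # Constants as they might be lifted from a disassembly (constructed for
    # this example; the report does not list the sample's hash values).
    observed = [0x0726774C, 0xDEADBEEF]
    for h, name in resolve_hashes(observed).items():
        print(f"0x{h:08X} -> {name or 'unresolved'}")
```

In a real triage the candidate list is every export of the DLLs the sample is expected to touch, dumped from a clean Windows install of the victim's build, so that the table covers ordinal-free resolution of anything the shellcode might ask for.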
At the core of the attack is AtlasCross RAT, which integrates a custom PowerShell execution engine (PowerChell). This framework disables critical security mechanisms, including:
- Antimalware Scan Interface (AMSI)
- Event Tracing for Windows (ETW)
- Constrained Language Mode (CLM)
- ScriptBlock logging
The RAT encrypts C2 traffic with ChaCha20, using keys generated from a hardware random source. To blind local defenses, it terminates the TCP connections used by Chinese security tools such as 360 Total Security and Huorong: the tools keep running, which avoids the obvious signal of a dead security process, but they stop receiving signature updates. Additional tactics include injecting a DLL (Wxfun.dll) into WeChat for data harvesting and hijacking RDP sessions via tscon.exe.
The campaign, active between November 2025 and March 2026, marks Silver Fox's shift from driver-based process termination to network-level disruption of security tools, signaling a rapidly maturing threat actor. Key indicators of compromise (IOCs):
- Stolen EV certificate thumbprint: 2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C
- C2 domain: bifa668[.]com
- Typosquatted domains: www-surfshark[.]com, signal-signal[.]com
Security teams are advised to monitor for non-standard processes loading System.Management.Automation.dll (the PowerShell engine, which any custom host such as PowerChell has to load) and for scheduled tasks under \Microsoft\Windows\AppID.
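The hunting recommendations above turned into runnable checks, as an added example that is not the report's or any vendor's code. It runs over constructed Sysmon-style ImageLoad (Event ID 7) records and a scheduled-task inventory. The allowlist of legitimate PowerShell hosts and the list of built-in tasks Windows ships under \Microsoft\Windows\AppID are assumptions to be baselined on a clean host of your own build, and the signer check keys on the certificate subject name given in the report because Sysmon's ImageLoad event records the signer name rather than the thumbprint.

```python
"""Hunting checks for the write-up's indicators over constructed Sysmon-style records (added example)."""

from dataclasses import dataclass

# Assumption: processes that legitimately host the PowerShell engine. Tune
# against your baseline; management agents that embed the engine will show
# up as false positives until they are added here.
POWERSHELL_HOSTS = {"powershell.exe", "pwsh.exe", "powershell_ise.exe"}

# Assumption: built-in tasks under \Microsoft\Windows\AppID on current
# Windows builds. Confirm against a clean host before relying on the list.
BUILTIN_APPID_TASKS = {
    "PolicyConverter",
    "SmartScreenSpecific",
    "VerifiedPublisherCertStoreCheck",
    "EDP Policy Manager",
}

APPID_TASK_FOLDER = "\\Microsoft\\Windows\\AppID\\"
AUTOMATION_DLLS = {
    "system.management.automation.dll",
    "system.management.automation.ni.dll",
}
STOLEN_SIGNER = "DUC FABULOUS CO.,LTD"  # subject name from the report


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_image_loads(events):
    """Sysmon EID 7 records: flag the PowerShell engine inside a non-PowerShell
    host, and any module whose signer is the stolen certificate's subject."""
    findings = []
    for e in events:
        if e.get("EventID") != 7:
            continue
        host = _basename(e["Image"])
        loaded = _basename(e["ImageLoaded"])
        if loaded in AUTOMATION_DLLS and host not in POWERSHELL_HOSTS:
            findings.append(Finding(
                "automation_dll_nonstandard_host", e["Computer"],
                f"{host} (pid {e['ProcessId']}) loaded {loaded}"))
        if e.get("Signature", "").upper() == STOLEN_SIGNER:
            findings.append(Finding(
                "stolen_ev_signer", e["Computer"],
                f"{loaded} signed by {e['Signature']}"))
    return findings


def check_scheduled_tasks(tasks):
    """Task inventory records: flag anything under the AppID folder that
    Windows does not ship there."""
    findings = []
    for t in tasks:
        path = t["TaskName"]
        if not path.startswith(APPID_TASK_FOLDER):
            continue
        name = path[len(APPID_TASK_FOLDER):]
        if name not in BUILTIN_APPID_TASKS:
            findings.append(Finding(
                "unexpected_appid_task", t["Computer"],
                f"{path} -> {t['Action']}"))
    return findings


def hunt(events, tasks):
    """Run both checks and return the combined findings."""
    return check_image_loads(events) + check_scheduled_tasks(tasks)


# Constructed sample telemetry for the example; not taken from the report.
_GAC_AUTOMATION = (
    "C:\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\System.Management.Automation"
    "\\v4.0_3.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll")
SAMPLE_EVENTS = [
    {"EventID": 7, "Computer": "WS-01", "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ImageLoaded": _GAC_AUTOMATION, "Signature": "Microsoft Corporation"},
    {"EventID": 7, "Computer": "WS-01", "ProcessId": 5532,
     "Image": "C:\\Users\\Public\\Schools.exe",
     "ImageLoaded": _GAC_AUTOMATION, "Signature": "Microsoft Corporation"},
    {"EventID": 7, "Computer": "WS-01", "ProcessId": 5532,
     "Image": "C:\\Users\\Public\\Schools.exe",
     "ImageLoaded": "C:\\Users\\Public\\helper.dll",
     "Signature": "DUC FABULOUS CO.,LTD"},
]
SAMPLE_TASKS = [
    {"Computer": "WS-01", "TaskName": "\\Microsoft\\Windows\\AppID\\PolicyConverter",
     "Action": "%windir%\\system32\\appidpolicyconverter.exe"},
    {"Computer": "WS-01", "TaskName": "\\Microsoft\\Windows\\AppID\\Updater",
     "Action": "C:\\Users\\Public\\Schools.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, SAMPLE_TASKS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The engine-host check is the one that generalises: PowerChell is one custom host, but any process that loads System.Management.Automation.dll outside the allowlist is worth a look, and the in-process AMSI and ETW bypasses described above mean the engine itself will not log what runs inside it.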
Source: https://cybersecuritynews.com/silver-fox-abuses-stolen-ev-certificates/
Surfshark cybersecurity rating report: https://www.rankiteo.com/company/surfshark
Signal Messenger cybersecurity rating report: https://www.rankiteo.com/company/signal-messenger
Ultraview AI cybersecurity rating report: https://www.rankiteo.com/company/ultraviewai
"id": "SURSIGULT1774535812",
"linkid": "surfshark, signal-messenger, ultraviewai",
"type": "Cyber Attack",
"date": "11/2025",
"severity": "60",
"impact": "2",
"explanation": "Attack limited on finance or reputation"
{'affected_entities': [{'location': 'China',
'type': 'Chinese-speaking users and professionals'}],
'attack_vector': ['Typosquatted domains',
'Malicious ZIP archives',
'Trojanized installers'],
'data_breach': {'data_encryption': 'ChaCha20 encryption for C2 communications',
'data_exfiltration': 'Possible via AtlasCross RAT',
'personally_identifiable_information': 'Likely (via WeChat '
'DLL injection)',
'sensitivity_of_data': 'High',
'type_of_data_compromised': ['Personally Identifiable '
'Information (PII)',
'Potential WeChat data']},
'description': 'A Chinese-nexus advanced persistent threat (APT) group, '
'tracked as Silver Fox (also known as Void Arachne and '
'SwimSnake), is conducting a sophisticated campaign targeting '
'Chinese-speaking users and professionals. The operation '
'leverages typosquatted domains impersonating trusted brands '
'like Surfshark, Signal, and Zoom to distribute malware. The '
'attackers use stolen Extended Validation (EV) code-signing '
'certificates to bypass security checks and establish deep '
'persistence in enterprise networks. The malware deploys a '
'trojanized Autodesk component alongside legitimate decoy '
'applications to avoid suspicion and employs advanced evasion '
'techniques to deliver the AtlasCross RAT entirely in memory.',
'impact': {'data_compromised': 'Potential data harvesting via WeChat DLL '
'injection and RDP session hijacking',
'identity_theft_risk': 'High (due to potential PII harvesting)',
'operational_impact': 'Disruption of security tools (360 Total '
'Security, Huorong), potential RDP session '
'hijacking',
'systems_affected': ['Enterprise networks', 'Windows systems']},
'initial_access_broker': {'backdoors_established': 'Trojanized Autodesk '
'component (Schools.exe), '
'reflective loader for '
'AtlasCross RAT',
'entry_point': 'Typosquatted domains impersonating '
'Surfshark, Signal, and Zoom',
'high_value_targets': 'Chinese-speaking users and '
'professionals, enterprise '
'networks'},
'investigation_status': 'Ongoing',
'lessons_learned': 'The campaign demonstrates Silver Fox’s evolution from '
'driver-based process termination to network-level '
'disruption, highlighting the need for enhanced monitoring '
'of in-memory malware and non-standard API resolution '
'techniques.',
'post_incident_analysis': {'corrective_actions': ['Revocation of stolen EV '
'certificates',
'Enhanced monitoring for '
'in-memory malware and '
'non-standard API '
'resolution',
'User education on '
'typosquatted domains and '
'malicious installers'],
'root_causes': ['Use of stolen EV code-signing '
'certificates to bypass security '
'checks',
'Advanced evasion techniques (PEB '
'walking, ROR13 hashing, '
'reflective loading)',
'Typosquatted domains '
'impersonating trusted brands']},
'recommendations': ['Monitor for non-standard processes loading '
'System.Management.Automation.dll',
'Check for scheduled tasks under '
'\\Microsoft\\Windows\\AppID\\',
'Block or investigate typosquatted domains (e.g., '
'www-surfshark[.]com, signal-signal[.]com)',
'Revoke or monitor the stolen EV certificate '
'(2C1D12F8BBE0827400A8440AF74FFFA8DCC8097C)',
'Disable or restrict PowerShell execution policies where '
'unnecessary'],
'references': [{'source': 'Hexastrike (Maurice Fielenbach)'}],
'response': {'enhanced_monitoring': 'Recommended: Monitor for non-standard '
'processes loading '
'System.Management.Automation.dll and '
'scheduled tasks under '
'\\Microsoft\\Windows\\AppID\\'},
'threat_actor': 'Silver Fox (Void Arachne, SwimSnake)',
'title': 'Silver Fox APT Targets Chinese-Speaking Users with Stealthy '
'AtlasCross RAT Campaign',
'type': 'APT Campaign'}