← Back to Pulse Feed
PULSE DETAIL
PULSE NAME
Trust the Tunnel, Get the Trojan: Silver Fox Delivers AtlasCross RAT via Weaponized VPN Installers
WHITE Silver Fox PetrP.73 2026-03-29 Modified: 2026-03-29
81
IOCs
HIGH VOLUME
The Silver Fox threat group, also known as Void Arachne or SwimSnake, has initiated a sophisticated multi-stage remote access trojan (RAT) campaign targeting Chinese-speaking users. This campaign primarily utilizes a network of typosquatted domains that mimic trusted applications that are widely used in China, such as VPN clients, encrypted messaging tools, and e-commerce applications. The distribution channels rely on eleven identified domains that impersonate reputable software brands, and all delivery installers are signed with a stolen Extended Validation (EV) code-signing certificate from a Vietnamese entity.
setup factorysilver foxinno setupc2 domaingh0st ratrdp sessionsha256groupsatlascross ratremarkpowershellvalleyratwinostelegraminstallerdwordphaseshellcodegh0stservicerootcodefoxsf8atlasagentadministratorsultraviewerpowerchellatlascross
MITRE ATT&CK & Malware Families
ATT&CK TECHNIQUES
Indicators of Compromise (20 / 81 total)
All IPv4 domain FileHash-MD5 FileHash-SHA1 FileHash-SHA256 CIDR URL hostname
TYPEINDICATORDESCRIPTIONCREATED
FileHash-MD5 0be4c354029913a663becc34060b58d9 MD5 of 115a75d0ce595fc92f1acaa8b564c3f391325c34ddf34177c357a00306d6d216 2026-03-29
FileHash-MD5 1675c5090a3efc6c7906b9bc4dcb22cd MD5 of 0896f5171a25ab6263598bb501d11413ffbbef05b168ff71b8d54ee9b81103b6 2026-03-29
FileHash-MD5 1c614c07fab2e6002ec90608bbffead5 MD5 of 49ef5e6e6257d082073e000f9a0129f289ed715a288e19cc32344dc054c54ca6 2026-03-29
FileHash-MD5 33a76607e4003778518bcdaa806938de MD5 of 3372ae716f20eedd3b7d77d08d7010e8424ca5cec781bde4fe3ec76d466cfe8f 2026-03-29
FileHash-MD5 43c7f713f380f19dac6f447fb69bbd32 MD5 of 49220c1046014c88720cceaf148ec83e3cd644e61fe339d1217f1a22ccf51614 2026-03-29
FileHash-MD5 4ff0aa6e1b1e133f6821ba5e32942492 MD5 of e3f04545fb59d2943a4a30cd1b6fa39cb36e1e803301ab2ca5fad2bca84f04dd 2026-03-29
FileHash-MD5 5f14e5ede8b5683cf8f6c3218b85c826 MD5 of 42da0ad45bfe9b7f82247d780a32e128e0b00846fe76eea96250e3088f54909b 2026-03-29
FileHash-MD5 68bb9a075e090be1d68918983b7f9f89 MD5 of 5841ad433ab199bb784a4d33fd629101d22de6e44dce0606c08b92f8b4709380 2026-03-29
FileHash-MD5 737cfc6e40cd0d26c15845b4f1a06e83 MD5 of d67545f666e89419c0ccd0346929b1906b46eb8b3cff2b94671c6d5755e81f3e 2026-03-29
FileHash-MD5 7f0bd2e970d234abc4205215b6f78bfb MD5 of 97f2b246627cc7afe3ed524b63a846e30ee37c81143493ab70c30ee0568dde86 2026-03-29
FileHash-MD5 b743606cd24bde762efc94ac4cce72d9 MD5 of fa5d3a9eebf9310148e7b980fefa7bc3f3a8e8ee7a8d0bd21a057c54c5a47560 2026-03-29
FileHash-MD5 d92336172a96c7f034aa2b864ed2e43a MD5 of a481befbec1d49041202331cdbf01a3e9cda8f714b8cbdfb52c676c7a5d7bdf7 2026-03-29
FileHash-MD5 012b7a20cd7acb5559312337896bfa87 MD5 of fcc959730c9103d23975bbb41faf84a7f1dd75971f5baff9335bd9a346b0edee 2026-03-29
FileHash-MD5 11e31f116e41953e1ef5dc0b7b468640 MD5 of 817295bf52e243fb8632529133ccd04820d58352efca5928f34c7248c7f1932d 2026-03-29
FileHash-MD5 286d668127cbecb2e49f63c2424a2976 MD5 of e6d6cd85f12ee43cbd16d2da0dc49b023035b1c3fdf7e71b156bb760fdef8d5e 2026-03-29
FileHash-MD5 5d84092f0a1bcbc486907115100052d5 MD5 of 99c0e015c7b8d3df609b370ec3329be55c94797c92c24ec512f6546acdf1e246 2026-03-29
FileHash-MD5 7c45098613f53b3c54ff047ce364e391 MD5 of 02401a2f2de8de15f00d637e555512fe3138c23e24ea1878f2cf2f647cf40b30 2026-03-29
FileHash-MD5 b04b3bc25acc9a22a1979db013284bbb MD5 of 797e1b6b5c37fec6c7a4629ca2f60b922f2212cf11946ecc23b0ca2faf8e3b99 2026-03-29
FileHash-MD5 bea7f7c2b75d03bf9122cf7ed14fedba MD5 of 1ad1f7d11bb1e6183ce20403ede42e65dba17a6ab660883ea1446ad331d69302 2026-03-29
FileHash-MD5 f833a040c9c4740e97df547f1951cf9a MD5 of 8009908c6c76a72e20e4020a9f9eb9e4d4203507f67a624ecf7f4ed672cf4b68 2026-03-29
References (1)
↗ https://hexastrike.com/resources/blog/threat-intelligence/trust-the-tunnel-get-the-trojan-silver-fox-delivers-atlascross-rat-via-weaponized-vpn-installers/