Hexastrike Cybersecurity analyzed a multistage AtlasCross RAT campaign that used look-alike domains impersonating trusted software brands such as Surfshark VPN, Signal, Telegram, Zoom, and Microsoft Teams. The activity was attributed to the Silver Fox APT group and involved 13 network IoCs, including 12 domains and one IP address, with extensive evidence of connected infrastructure and potential victims. #AtlasCrossRAT #SilverFoxAPT #SurfsharkVPN #MicrosoftTeams #Telegram #Zoom
Keypoints
- Hexastrike Cybersecurity identified a multistage AtlasCross RAT campaign using domains that impersonated trusted software brands.
- The campaign targeted VPN clients, encrypted messengers, videoconferencing tools, cryptocurrency trackers, and e-commerce applications.
- The activity was attributed to the Silver Fox APT group after detailed analysis.
- The report documented 13 network IoCs, including 12 domains and one IP address, with none of the domains belonging to legitimate organizations.
- DNS and network analysis showed 829 unique client IP addresses communicating with two domain IoCs and 33 potentially victim-owned IPs contacting the IP IoC.
- Additional research uncovered 2,584 email-connected domains, 33 IP-connected domains, and 35 string-connected domains tied to the infrastructure.
- Several domain IoCs were likely registered with malicious intent, and some of the additional IPs and domains uncovered by pivoting were confirmed malicious.
MITRE Techniques
- [T1583.001 ] Acquire Infrastructure: Domains – The actors used impersonating and look-alike domains to host campaign infrastructure, including brand-themed registrations like ‘www-teams[.]com’ and ‘app-zoom[.]com’.
- [T1583.004 ] Acquire Infrastructure: Server – The campaign relied on a single dedicated IP (‘the sole IP IoC’, located in South Korea) for communication with victims; its historical resolutions tie it to the domain IoCs, and follow-up analysis confirmed further IPs and domains as malicious. Because the domain IoCs were actor-registered (‘likely registered with malicious intent’) and none belonged to a legitimate organization, this is acquired rather than compromised infrastructure, so Compromise Infrastructure (T1584) is not supported by the report.
- [T1036.005 ] Masquerading: Match Legitimate Name or Location – The domains were crafted to resemble trusted software brands, including encrypted messengers and collaboration tools (‘domains mimicking brands including … Signal, Telegram, … Microsoft Teams’), through brand-themed and typosquatted registrations such as ‘www-teams[.]com’, ‘app-zoom[.]com’, ‘quickq-quickq[.]com’, and the ‘bifa668[.]com’ look-alike cluster. The choice of brands indicates the victim population being lured; the report documents no reconnaissance activity against victim accounts.
- [T1071 ] Application Layer Protocol – Victim communication with the infrastructure is inferred from DNS telemetry (‘11,388 DNS queries’, with 829 unique client IPs resolving two domain IoCs) and from historical domain-to-IP resolutions. The report does not identify the application-layer protocol carried to the C2 hosts, so neither the Web Protocols (T1071.001) nor the DNS (T1071.004) sub-technique can be confirmed from the network IoCs alone.
Indicators of Compromise
- [Domains ] impersonating software brands and observed in historical resolutions – bifa668[.]com, app-zoom[.]com, and 10 more domains
- [Domains ] typosquatting cluster associated with a look-alike registration group – bifa6868[.]com, bifa0588[.]com, and 4 more look-alike domains
- [Domains ] flagged as likely maliciously registered before being identified as IoCs – quickq-quickq[.]com, www-teams[.]com, and 3 more domains
- [IP address ] sole IP IoC connected to victim communications and historical DNS data – one IP in South Korea, plus 1 more IP-related artifact
- [Email addresses ] historical WHOIS records used to uncover connected infrastructure – 4 public email addresses, and 7 more email addresses
- [IP addresses ] potentially victim-owned systems that contacted the IP IoC – 33 unique IP addresses, including those communicating between 17 November 2025 and 21 February 2026
- [Domains ] email-connected domains discovered through reverse WHOIS pivoting – 2,584 unique domains
Read more: https://circleid.com/posts/an-analysis-of-the-atlascross-rat-network-iocs