
An Analysis of the AtlasCross RAT Network IoCs

Hexastrike Cybersecurity discovered and analyzed a multistage AtlasCross RAT campaign that used domains impersonating trusted software brands. The campaign targeted users of VPN clients, encrypted messengers, videoconferencing tools, cryptocurrency trackers, and e-commerce applications, with domains that mimicked brands including Surfshark VPN, Signal, Telegram, Zoom, Microsoft Teams, and others. After careful examination, the attack was attributed to the Silver Fox APT group.

The Hexastrike report identified 13 network IoCs comprising 12 domains and one IP address. Note that none of the domain IoCs belonged to legitimate organizations based on the results of our domain legitimacy checks via the WhoisXML API MCP Server.

Our DNS deep dive into these IoCs led to these discoveries:

  • 829 unique client IP addresses that communicated with two of the domain IoCs
  • One domain IoC that was bulk-registered with six look-alike domains
  • Five domain IoCs that were likely registered with malicious intent
  • 33 IP addresses potentially owned by victims that communicated with one of the IP IoCs
  • 2,584 email-connected domains
  • 10 additional IP addresses, seven of which were confirmed malicious
  • 33 IP-connected domains
  • 35 string-connected domains, three of which were confirmed malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Dissecting the AtlasCross RAT Domain IoCs

We began our analysis by taking a closer look at the 12 domain IoCs.

First off, sample network traffic data from the IASC revealed that 829 unique client IP addresses under three ASNs communicated with two of the domain IoCs via 11,388 DNS queries made between 9 March and 28 April 2026.
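The DNS-traffic step above is the part of this workflow a defender can reproduce against their own resolver logs. As an added example (not WhoisXML API's or Hexastrike's code), the Python below refangs the post's bracketed domain IoCs and tallies queries and distinct client IPs per IoC over a constructed resolver log in an assumed `client=... qname=... qtype=...` format:

```python
import re
from collections import defaultdict

# Domain IoCs exactly as the post publishes them (defanged with "[.]").
DEFANGED_IOCS = ["bifa668[.]com", "quickq-quickq[.]com", "www-teams[.]com",
                 "wwtalk-app[.]com", "app-zoom[.]com", "ultraviewer-cn[.]com",
                 "kefubao-pc[.]com"]

def refang(domain):
    """Turn a defanged indicator like 'app-zoom[.]com' into a matchable hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")

def matching_ioc(qname, iocs):
    """Return the IoC that qname equals or is a subdomain of, else None.
    Matching is label-based, so 'notapp-zoom.com' does not match 'app-zoom.com'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None

# Assumed log format (constructed for this example): one query per line.
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>[\d.]+) qname=(?P<qname>\S+) qtype=\w+$")

def summarize_dns_log(lines, defanged_iocs):
    """Per matched IoC, count queries and distinct client IPs, mirroring the
    'unique client IP addresses' and 'DNS queries' figures quoted in the post."""
    iocs = {refang(d) for d in defanged_iocs}
    queries, clients = defaultdict(int), defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the triage run
        hit = matching_ioc(m["qname"], iocs)
        if hit:
            queries[hit] += 1
            clients[hit].add(m["client"])
    return {d: {"queries": queries[d], "unique_clients": len(clients[d])} for d in queries}

# Constructed sample resolver log; client addresses are documentation ranges.
SAMPLE_LOG = """\
2026-03-09T08:12:01Z client=203.0.113.10 qname=app-zoom.com qtype=A
2026-03-09T08:12:05Z client=203.0.113.10 qname=app-zoom.com qtype=AAAA
2026-03-09T09:30:44Z client=203.0.113.25 qname=www.app-zoom.com. qtype=A
2026-03-10T11:02:19Z client=198.51.100.7 qname=kefubao-pc.com qtype=A
2026-03-10T11:02:19Z client=198.51.100.7 qname=teams.microsoft.com qtype=A
2026-03-11T14:45:00Z client=203.0.113.10 qname=notapp-zoom.com qtype=A
""".splitlines()

if __name__ == "__main__":
    for dom, stats in summarize_dns_log(SAMPLE_LOG, DEFANGED_IOCS).items():
        print(f"{dom}: {stats['queries']} queries from {stats['unique_clients']} clients")
```

Subdomain hits (www.app-zoom.com) roll up to the parent IoC, while look-alike strings that merely contain an IoC (notapp-zoom.com) are left unmatched.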

We then queried the domain IoCs on Typosquatting API and discovered that the domain bifa668[.]com appeared in one typosquatting group made up of seven members all registered on 23 June 2021.

This domain IoC was registered alongside these six look-alikes:

  • bifa6868[.]com
  • bifa0588[.]com
  • bifa668[.]com
  • bifa1688[.]com
  • bifa688[.]com
  • bifa0888[.]com

Next up, First Watch Malicious Domains Data Feed showed that five domain IoCs were likely registered with malicious intent, as they appeared in the database 26–594 days before being identified as IoCs on 25 March 2026. Take a look at more details for three examples below.

Domain IoC            First Watch date (MM/DD/YY)   Days before the report date
quickq-quickq[.]com   08/08/24                      594
www-teams[.]com       11/14/25                      131
wwtalk-app[.]com      11/28/25                      117

After that, we queried the domain IoCs on WHOIS API and learned that:

  • They were created between 27 October 2025 and 1 March 2026.
  • They were administered by three registrars.
  • While one did not have a registrant country on record, the remaining 11 were registered in three countries.

Finally, we queried the domain IoCs on DNS Chronicle API and discovered that 11 had recorded 316 historical domain-to-IP resolutions over time. Here are more details about five examples.

Domain IoC             Domain-to-IP resolutions   Dates seen (MM/DD/YY)
bifa668[.]com          155                        02/05/17–12/27/25
app-zoom[.]com         138                        10/20/17–03/30/26
quickq-quickq[.]com    6                          08/08/24–01/09/26
ultraviewer-cn[.]com   2                          11/06/25–03/11/26
kefubao-pc[.]com       2                          11/21/25–01/12/26

Investigating the AtlasCross RAT IP IoCs

After learning more about the domain IoCs, we further investigated the sole IP IoC.

First, sample network traffic data from the IASC revealed that 33 unique potentially victim-owned IP addresses under 10 ASNs communicated with the IP IoC between 17 November 2025 and 21 February 2026.

We then queried the IP IoC on IP Geolocation API and found out that it was geolocated in South Korea and administered by MOACK.

DNS Chronicle API, meanwhile, revealed that it only recorded one historical IP-to-domain resolution over time.

Amassing New AtlasCross RAT Artifacts

We started our search for new artifacts by querying the domain IoCs on WHOIS History API. We discovered that six of them had 11 email addresses in their historical WHOIS records.

Further scrutiny revealed that five were public email addresses. One of these could belong to a domainer, so it was excluded from the next step.

We then queried the four public email addresses on Reverse WHOIS API, which led to the discovery of 2,584 unique email-connected domains after the domain IoCs were filtered out.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
