Key Takeaway
AtlasCross is a newly identified RAT targeting Chinese-speaking users through typosquatted domains impersonating VPN clients, encrypted messengers, video conferencing tools, cryptocurrency trackers, and e-commerce platforms. The malware runs on Windows and macOS, establishes persistence via scheduled tasks and LaunchAgents, and exfiltrates credentials, session cookies, SSH keys, and cryptocurrency wallet data over encrypted C2 channels. SOC teams should monitor for domain-age anomalies, staging behavior in AppData directories, and clipboard access on hosts with crypto software installed.
Malware Family and Delivery Mechanism
AtlasCross is a previously undocumented remote access trojan (RAT) currently distributed through an active campaign targeting Chinese-speaking users. The delivery mechanism relies on typosquatting — registering domains that closely mimic legitimate, trusted software brands to trick users into downloading trojanized installers.
Eleven confirmed delivery domains have been identified, impersonating products across five software categories: VPN clients, encrypted messaging applications, video conferencing tools, cryptocurrency tracking platforms, and e-commerce applications. The breadth of impersonated software categories suggests the operators are casting a wide net across high-value user segments — privacy-conscious individuals, traders, and remote workers.
Users arrive at these domains through search engine poisoning, malvertising, or direct social engineering. Once on the typosquatted page, they download what appears to be a legitimate installer. The installer drops the AtlasCross RAT payload alongside a functional copy of the spoofed application to reduce victim suspicion.
Capabilities: Persistence, Exfiltration, and C2
Persistence
AtlasCross establishes persistence using scheduled tasks and Windows Registry run keys. On macOS targets, it installs a LaunchAgent plist under the user library to survive reboots. The malware checks for existing instances before installing to avoid duplicate infections that could trigger behavioral detection.
Command and Control
AtlasCross communicates with its C2 infrastructure over HTTPS, blending traffic with legitimate encrypted web requests. The RAT uses a beaconing interval with jitter to evade network-based anomaly detection. C2 domains identified in the campaign follow a pattern of registering under generic TLDs with registration dates clustering within weeks of the corresponding typosquatted delivery domains, indicating a coordinated infrastructure buildout.
The malware supports remote shell execution, file upload and download, screenshot capture, keylogging, and clipboard monitoring. Clipboard monitoring is particularly significant given the cryptocurrency tracker lures — it targets crypto wallet addresses copied by victims, a technique consistent with address-substitution theft.
Data Exfiltration
AtlasCross stages collected data locally before transmission, compressing and encrypting archives prior to exfiltration. Targeted data includes browser credentials, session cookies, locally stored cryptocurrency wallet files, and SSH private keys. The staging behavior reduces the volume and frequency of outbound connections, making exfiltration harder to detect with simple data-loss rules.
Affected Platforms
AtlasCross has confirmed variants for both Windows (x86 and x64) and macOS (Intel and Apple Silicon). Windows variants are distributed as NSIS or Inno Setup installers. macOS variants use PKG or DMG formats. No Linux variant has been confirmed at time of writing, though the C2 protocol is platform-agnostic and Linux builds cannot be ruled out.
Primary targets are Chinese-speaking users, based on the language of the spoofed software interfaces, the geographic clustering of delivery infrastructure, and lure selection (platforms popular in mainland China, Hong Kong, and Taiwan). Users relying on VPN software are a priority target, consistent with the operational security profile of individuals attempting to circumvent network restrictions.
Detection Signatures
SOC teams should prioritize the following detection opportunities:
Network Indicators
- Block and alert on the eleven confirmed typosquatted delivery domains. Query passive DNS for domains registered within 30 days that edit-distance-match known VPN, messenger, and crypto-tracker brand names.
- Monitor for HTTPS beaconing to newly registered domains (domain age under 60 days) at regular intervals with low byte variance — consistent with AtlasCross's jittered C2 polling.
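As an added example (not part of the original report), the two network checks above in Python: a passive-DNS sweep for young domains within a small edit distance of impersonated brand names, and a coefficient-of-variation test for jittered, near-constant-size beaconing. The brand list, sample passive-DNS records and connection timings are constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Hypothetical brand list; the report names categories, not specific brands.
BRANDS = ["expressvpn", "telegram", "coinmarketcap", "taobao"]

def levenshtein(a, b):
    """Classic dynamic-programming edit distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_candidates(pdns, now, max_age_days=30, max_distance=2):
    """pdns: (domain, first_seen datetime) pairs from passive DNS. Flags domains first
    seen within max_age_days whose second-level label is within max_distance edits of a
    brand. Distance 0 is the brand itself and is skipped; short brands need a tighter bound."""
    hits = []
    for domain, first_seen in pdns:
        if (now - first_seen).days > max_age_days:
            continue
        label = domain.lower().rstrip(".").split(".")[-2]  # assumes a dotted FQDN
        for brand in BRANDS:
            d = levenshtein(label, brand)
            if 0 < d <= max_distance:
                hits.append((domain, brand, d))
    return hits

def looks_like_beacon(timestamps, sizes, max_interval_cv=0.25, max_size_cv=0.10):
    """Near-periodic connections with near-constant request sizes, scored by the
    coefficient of variation (stdev/mean) so the test is independent of the period."""
    if len(timestamps) < 4 or len(timestamps) != len(sizes):
        return False
    ts = sorted(timestamps)
    intervals = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if mean(intervals) <= 0 or mean(sizes) <= 0:
        return False
    return (pstdev(intervals) / mean(intervals) <= max_interval_cv
            and pstdev(sizes) / mean(sizes) <= max_size_cv)

# Constructed samples: young and old look-alikes, the real brand, ~60 s jittered ~1 KB polls.
NOW = datetime(2024, 6, 1)
SAMPLE_PDNS = [("expresvpn.example", NOW - timedelta(days=12)),
               ("telegarm.example", NOW - timedelta(days=200)),
               ("expressvpn.example", NOW - timedelta(days=5))]
SAMPLE_TS = [NOW + timedelta(seconds=s) for s in (0, 62, 118, 181, 239, 303)]
SAMPLE_SIZES = [1024, 1031, 1019, 1024, 1028, 1022]
```

Tune `max_age_days` and the CV thresholds to your own baseline; the 60-day domain-age figure from the brief maps directly onto the same age check.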
Host-Based Indicators
- Windows: Scheduled task creation paired with a newly written executable in `%AppData%` or `%ProgramData%` subdirectories. Registry persistence under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` pointing to unsigned binaries.
- macOS: LaunchAgent plist creation under `~/Library/LaunchAgents/` by a PKG or DMG post-install script. Monitor for unsigned or ad-hoc signed binaries spawning shell sessions.
- Clipboard access combined with process injection or keylogging behavior on endpoints where cryptocurrency applications are installed.
YARA Rule Guidance
Write YARA rules targeting the string patterns used in AtlasCross's HTTP request headers and the compression library signatures present in its staging module. Specific rule conditions should target the combination of HTTPS library imports, scheduled task API calls, and clipboard enumeration functions within the same binary.
SIEM Queries
Alert on process trees where a PKG or NSIS installer spawns a secondary executable that immediately queries the Windows Task Scheduler COM interface or writes to LaunchAgents on macOS.
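An added example, not from the report, that turns the host-based indicators and the SIEM query above into one correlation routine: installer-spawned children that, within a short window, both write into a staging directory and touch a persistence mechanism (Task Scheduler CLI or COM library, the HKCU Run key, or a LaunchAgents plist). The event schema, field names, path heuristics and sample events are all constructed; taskschd.dll is the Windows Task Scheduler COM library.

```python
from datetime import datetime, timedelta

# Hypothetical heuristics; real EDR field names and paths will differ from this schema.
INSTALLER_HINTS = ("nsis", "inno", "setup", "installer")
TASK_SCHED = ("schtasks.exe", "taskschd.dll")  # Task Scheduler CLI and COM library
RUN_KEY = "software\\microsoft\\windows\\currentversion\\run"
STAGING = ("\\appdata\\", "\\programdata\\", "/library/application support/")
LAUNCH_AGENTS = "/library/launchagents/"

def correlate(events, window_s=120):
    """events: dicts with ts, type, pid, ppid, target (constructed schema; for process_create
    the target is the new image). Returns one finding per installer-spawned child that, within
    window_s of starting, both writes into a staging directory and touches persistence."""
    starts = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    for child in starts.values():
        parent = starts.get(child["ppid"])
        if parent is None or not any(h in parent["target"].lower() for h in INSTALLER_HINTS):
            continue
        deadline = child["ts"] + timedelta(seconds=window_s)
        staged, persisted = [], []
        for e in events:
            # A spawned process is attributed to its parent pid; other events to their own pid.
            actor = e["ppid"] if e["type"] == "process_create" else e["pid"]
            if actor != child["pid"] or not (child["ts"] <= e["ts"] <= deadline):
                continue
            tgt = e["target"].lower()
            if e["type"] == "file_write" and any(s in tgt for s in STAGING):
                staged.append(tgt)
            if (e["type"] == "file_write" and LAUNCH_AGENTS in tgt) or \
               (e["type"] == "registry_set" and RUN_KEY in tgt) or \
               (e["type"] in ("image_load", "process_create") and tgt.endswith(TASK_SCHED)):
                persisted.append(tgt)
        if staged and persisted:
            findings.append({"child": child["target"], "staged": staged, "persistence": persisted})
    return findings

T0 = datetime(2024, 6, 1, 9, 0, 0)
def _ev(sec, type_, pid, ppid, target):
    return {"ts": T0 + timedelta(seconds=sec), "type": type_, "pid": pid, "ppid": ppid, "target": target}

# Constructed events: an installer child stages a binary and loads taskschd.dll; a second
# installer child only writes under Program Files and must not be flagged.
SAMPLE_EVENTS = [
    _ev(0, "process_create", 100, 1, r"C:\Users\alice\Downloads\vpn_setup.exe"),
    _ev(2, "process_create", 200, 100, r"C:\Users\alice\AppData\Local\Temp\upd.exe"),
    _ev(3, "file_write", 200, 100, r"C:\Users\alice\AppData\Roaming\Svc\helper.exe"),
    _ev(5, "image_load", 200, 100, r"C:\Windows\System32\taskschd.dll"),
    _ev(60, "process_create", 300, 1, r"C:\Users\alice\Downloads\chat_setup.exe"),
    _ev(61, "process_create", 400, 300, r"C:\Program Files\Chat\chat.exe"),
]
```

The same routine covers the macOS path: a PKG post-install child writing a plist under `~/Library/LaunchAgents/` and a binary under `~/Library/Application Support/` produces a finding with no Windows-specific fields.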
Removal Guidance
Windows
- Terminate the AtlasCross process using Task Manager or `taskkill /IM <process_name> /F`.
- Delete the scheduled task via `schtasks /delete /tn <task_name> /f`.
- Remove the registry run key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
- Delete the malware binary and any staged data archives from `%AppData%` and `%ProgramData%`.
- Rotate all credentials stored in affected browsers and any SSH keys present on the system.
- Revoke and regenerate any cryptocurrency wallet keys that were accessible on the infected host.
macOS
- Unload the LaunchAgent with `launchctl unload ~/Library/LaunchAgents/<plist_name>.plist`.
- Delete the plist file and the associated malware binary.
- Audit `~/Library/Application Support/` for staged data directories.
- Rotate browser credentials, SSH keys, and any cryptocurrency wallet seeds stored locally.
In both cases, forensically image the affected system before remediation if incident response procedures require evidence preservation. Assume credential compromise is complete — do not limit rotation to secrets visible in browser storage.
Original Source
The Hacker News