Researchers at AhnLab Security Intelligence Center (ASEC) have detailed a stealthy remote access trojan called AtlasRAT that installs itself through a four-stage loader chain running almost entirely in memory, leaving little for antivirus tools to find on disk. The team says it has tracked 43 AtlasRAT command-and-control servers since June 9, 2026, pointing to an active and growing operation.
The attack begins with a Delphi program disguised as an "AGE Flash Player" installer. That file decrypts and loads a second-stage payload, which rebuilds downloader shellcode from eight encrypted fragments, pulls the next stage from a hard-coded server, and finally runs a 32-bit trojan. Because each stage is unpacked and executed in memory, the campaign minimizes the files a defender or scanner would normally catch.
What AtlasRAT can do
Once running, AtlasRAT talks to its operators over TLS with an extra layer of ChaCha20 encryption, loads modular plugins to extend its features, logs keystrokes offline, and inventories 33 security products on the machine so the attackers know what defenses are present. It also injects a malicious DLL into WeChat, the popular Chinese messaging app, suggesting Chinese-speaking users are a focus. To blend in, the trojan carries a self-signed certificate that impersonates Microsoft, using the subject "CN=update[.]microsoft[.]com, O=Microsoft Corporation".
ASEC notes that AtlasRAT shares an internal build marker with samples previously attributed to the Silver Fox cluster, a China-nexus operation known for trojanized installers, though the two use different handshake strings (BFuck versus the earlier SFuck). The researchers stop short of naming the developers or operators and say AtlasRAT may be sold or shared privately, so treat the Silver Fox link as a lead rather than firm attribution.
How to detect it
On the network, watch for connections carrying the 8-byte handshake marker BFuck when a TLS session opens, and traffic to 150[.]158[.]50[.]175:443. On endpoints, hunt for remote DLL injection into WeChat[.]exe (via LoadLibraryW and CreateRemoteThread), scans that enumerate 33 antivirus executables, and the creation of files under C:\Users\Public\Documents such as offline[.]Ini, MODIf[.]Html, AtlasPro[.]Ini, and Wxfun[.]DLL. A key sample carries the SHA-256 hash 3f152103ea35c0f7feb205651a91e3c946b8057d1ea6f046ffc44fa611fd0267.
This kind of in-memory loader echoes other campaigns that hide behind fake software downloads, such as the fake installer operation that drops AsyncRAT. Defenders should prioritize behavioral and memory-based detection over file scanning, since AtlasRAT is built specifically to defeat the latter.
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.