AtlasCross [1] [2] [3] [4] [5], an advanced persistent threat (APT) group [1], has been using the reputation of respected humanitarian organizations [5], such as the Red Cross, to carry out targeted phishing attacks [5]. This group is highly skilled and difficult to trace [1], with unique attack methods that set them apart from other APT groups.


AtlasCross employs sophisticated phishing tactics [1], specifically impersonating the American Red Cross [1]. They send phishing emails posing as the organization, inviting recipients to participate in a “September 2023 Blood Drive.” These emails contain macro-enabled Word documents that prompt users to click “Enable Content,” which triggers malicious macros [1]. These macros infect Windows devices with two previously unknown trojans called DangerAds and AtlasAgent.

DangerAds serves as a loader [1] [3] [4], assessing the host environment [1], while AtlasAgent is the final payload [1]. AtlasAgent [1] [2] [3] [4] [5], a custom C++ trojan [1], carries out various functions [1], including extracting host and process details [1], blocking the launch of multiple programs [1], running additional shellcode [1], and downloading files from the attacker’s command-and-control servers [1]. The malware sends system information to the attacker’s servers and receives commands for execution [1], making it challenging for security tools to detect and stop the attacks [1].

It is suspected that AtlasCross has breached public network hosts by exploiting known vulnerabilities and converting them into command-and-control servers [2] [3] [4]. Despite their significant activity, the true identity of AtlasCross and their backers remains unknown [2] [3] [4]. Currently, AtlasCross focuses on targeted attacks within a network domain [2], but their attack processes are highly sophisticated [2].


The actions of AtlasCross have serious implications for both the targeted organizations and the individuals affected by their phishing attacks. It is crucial for organizations to be vigilant and implement robust security measures to detect and prevent such attacks. Additionally, ongoing efforts to identify and apprehend the members of AtlasCross and their backers are necessary to mitigate future threats. The sophistication of their attack methods highlights the need for continuous improvement in cybersecurity defenses to stay ahead of evolving threats.