Cyber Espionage Campaign Targets Chinese Speakers Through Imitation Software Websites
A sophisticated new cyberattack campaign has emerged, using fake websites that mimic legitimate software downloads like WPS Office, Sogou, and DeepSeek to spread powerful malware. This operation has been attributed, with medium confidence, to the Chinese state-linked hacking group known as Silver Fox (also called Void Arachne).
These fraudulent websites deliver dangerous payloads, including Sainbox RAT, a variant of the infamous Gh0st RAT, and a stealthy rootkit based on the open-source Hidden project. Most concerning is the group's targeting of Chinese-speaking users, using Mandarin-language MSI installers hosted on fake domains such as wpsice[.]com.
The Attack Campaign
In this latest operation, hackers are distributing malware-laced MSI installers masquerading as popular software tools. Once downloaded, the installer launches a legitimate-looking file called shine.exe. However, it is configured to sideload a malicious DLL file (libcef.dll), which triggers the malware infection.
The DLL then reads a local text file (1.txt) embedded in the installer, which contains shellcode to activate additional malicious payloads. One such payload is Sainbox RAT, a remote access trojan capable of data theft, surveillance, and further malware deployment.
In some cases, the payload also includes a rootkit driver, based on the open-source Hidden project, which is used to mask the malware’s presence on infected systems. This rootkit hides key processes and registry entries, allowing the threat actor to operate undetected.
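A rootkit that filters the process list seen through the usual user-mode API leaves a gap that a second, independent enumeration does not. The following added example (not code from the article, from the Hidden project, or from any vendor) shows the cross-view technique defenders use to surface such gaps: it diffs two constructed process snapshots and also looks for visible processes whose parent PID is not enumerated. The process names, PIDs and both snapshots are made up for illustration; on a real host the two views would come from different enumeration paths (for example a user-mode API walk versus a kernel-level or PID-probing enumeration).

```python
"""Cross-view detection of hidden processes (added example, constructed data)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    name: str


# Constructed snapshot from a user-mode process-enumeration API, as a
# rootkit that filters the list would present it.  Note that conhost.exe
# reports a parent (3980) that does not appear anywhere in this view.
API_VIEW = [
    Proc(4, 0, "System"),
    Proc(620, 4, "smss.exe"),
    Proc(1012, 620, "csrss.exe"),
    Proc(2284, 1012, "explorer.exe"),
    Proc(3516, 2284, "wps.exe"),
    Proc(4120, 3980, "conhost.exe"),
]

# Constructed independent snapshot (e.g. a kernel-level walk or PID probe)
# that the rootkit's user-mode filter does not affect.
PROBE_VIEW = API_VIEW + [Proc(3980, 2284, "shine.exe")]


def cross_view_diff(api_view, probe_view):
    """Processes present in the independent view but missing from the API view."""
    api_pids = {p.pid for p in api_view}
    return sorted((p for p in probe_view if p.pid not in api_pids), key=lambda p: p.pid)


def dangling_parents(view):
    """PIDs referenced as a parent by some visible process but not enumerated.

    PID 0 is the legitimate root.  A parent that simply exited also leaves a
    dangling reference, so this is a lead to investigate, not proof by itself.
    """
    pids = {p.pid for p in view}
    return sorted({p.ppid for p in view if p.ppid not in pids and p.ppid != 0})


def hidden_process_report(api_view, probe_view):
    """Map suspicious PID -> list of reasons, combining both heuristics."""
    findings = {}
    for p in cross_view_diff(api_view, probe_view):
        findings.setdefault(p.pid, []).append(
            f"present in probe view as {p.name!r} but absent from API view")
    for ppid in dangling_parents(api_view):
        findings.setdefault(ppid, []).append(
            "referenced as parent by a visible process but not enumerated")
    return findings


if __name__ == "__main__":
    for pid, reasons in hidden_process_report(API_VIEW, PROBE_VIEW).items():
        print(pid)
        for r in reasons:
            print("  -", r)
```

Each heuristic alone has benign explanations (a stale snapshot, a parent that exited between the two walks), which is why the report keeps them as separate reasons per PID: a PID that trips both is a far stronger signal than either on its own.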
These tactics are deliberately economical: by continuously evolving its strategies and combining familiar RATs with open-source stealth tools, Silver Fox avoids costly custom development while maintaining a high degree of control over compromised systems.
What Undercode Says:
Repeating Patterns in Cyber Espionage
This campaign showcases a textbook evolution of state-aligned cyber operations: low-cost, high-impact tactics aimed at internal control and surveillance. The use of familiar Chinese-language tools and interfaces points directly at domestic targeting. It's not just about espionage; it's also a warning of how even trusted-looking software platforms can be subverted.
Supply Chain & Trust Exploitation
Silver Fox capitalizes on user trust by mimicking widely-used productivity tools. This mirrors broader industry concerns about software supply chain vulnerabilities: not necessarily breaching a real vendor, but recreating a trusted download path that fools even cautious users.
Technical Sophistication Through Simplicity
Though technically straightforward, the malware chain is cleverly layered: sideloading DLLs, launching shellcode from text files, and embedding multiple stages into a single installer. Each component on its own is trivial, but together they form a complex and evasive attack mechanism.
Rootkit Use Indicates High-Value Targeting
Deploying a rootkit is a deliberate choice: it suggests the hackers aren't after casual credentials, but long-term, deeply buried access. Hidden rootkits indicate a desire to remain undetected for extended periods, ideal for surveillance or exfiltrating sensitive internal data over months.
Offensive Security Lessons
For cybersecurity defenders, this campaign highlights the importance of process behavior monitoring, especially with DLL sideloading, which often bypasses traditional antivirus tools. The inclusion of open-source rootkits also raises questions about how much visibility current endpoint security solutions truly provide.
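The sideloading chain described earlier (a benign-looking executable loading a DLL placed beside it inside an installer's extraction directory) and the monitoring point made above suggest what a behaviour-based check looks like in practice. The following added example is not code from the article or any vendor; it scores constructed image-load records modelled loosely on the fields of a Sysmon image-load event (process image, DLL loaded, signature status, parent process). The field names, the user-writable path markers, the threshold and every sample path are assumptions chosen for illustration.

```python
"""Heuristic triage of DLL sideloading from image-load records (added example)."""
import ntpath
from dataclasses import dataclass


@dataclass(frozen=True)
class ImageLoadEvent:
    image: str          # process that performed the load
    image_loaded: str   # DLL that was mapped into it
    signed: bool        # DLL carries a valid signature
    parent_image: str   # parent of the loading process


# Assumed path fragments that mark locations a standard user can write to.
USER_WRITABLE_MARKERS = ("\\temp\\", "\\downloads\\", "\\users\\public\\", "\\appdata\\")
# Assumed parents whose children deserve extra scrutiny during triage.
INSTALLER_PARENTS = ("msiexec.exe",)
# Directories where a same-directory private DLL load is routine.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")

# Constructed sample events (paths and names are made up).
SAMPLE_EVENTS = [
    # Installer-spawned executable loading an unsigned DLL from its own temp directory.
    ImageLoadEvent(r"C:\Users\alice\AppData\Local\Temp\wps_setup\shine.exe",
                   r"C:\Users\alice\AppData\Local\Temp\wps_setup\libcef.dll",
                   False, r"C:\Windows\System32\msiexec.exe"),
    # Installed application loading its own signed private DLL: routine.
    ImageLoadEvent(r"C:\Program Files\SomeApp\app.exe",
                   r"C:\Program Files\SomeApp\libcef.dll",
                   True, r"C:\Windows\explorer.exe"),
    # System binary loading a system DLL: routine.
    ImageLoadEvent(r"C:\Windows\System32\notepad.exe",
                   r"C:\Windows\System32\kernel32.dll",
                   True, r"C:\Windows\explorer.exe"),
    # Signed tool run from Downloads with a signed helper DLL: noisy but not alarming.
    ImageLoadEvent(r"C:\Users\alice\Downloads\tool.exe",
                   r"C:\Users\alice\Downloads\helper.dll",
                   True, r"C:\Windows\explorer.exe"),
]


def _directory(path):
    """Lower-cased directory part with a trailing separator, using NT path rules."""
    return ntpath.dirname(path).lower() + "\\"


def sideload_indicators(ev):
    """Return the heuristic reasons this load resembles sideloading (empty means clean)."""
    reasons = []
    exe_dir, dll_dir = _directory(ev.image), _directory(ev.image_loaded)
    if exe_dir == dll_dir and not dll_dir.startswith(TRUSTED_ROOTS):
        reasons.append("DLL loaded from the executable's own non-system directory")
    if any(marker in dll_dir for marker in USER_WRITABLE_MARKERS):
        reasons.append("DLL resides in a user-writable location")
    if not ev.signed:
        reasons.append("DLL is unsigned or its signature is invalid")
    if ntpath.basename(ev.parent_image).lower() in INSTALLER_PARENTS:
        reasons.append("loading process was spawned by an installer")
    return reasons


def triage(events, threshold=3):
    """Return (image, image_loaded, reasons) for events that reach the threshold."""
    hits = []
    for ev in events:
        reasons = sideload_indicators(ev)
        if len(reasons) >= threshold:
            hits.append((ev.image, ev.image_loaded, reasons))
    return hits


if __name__ == "__main__":
    for image, dll, reasons in triage(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print("  -", r)
```

The threshold is what keeps this usable: a signed helper DLL next to a tool in Downloads trips two indicators and stays below it, while the installer-spawned, unsigned, same-directory load in a temp folder trips all four. In production the indicator list would be tuned against the organisation's own baseline of installers and portable applications rather than the assumed markers used here.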
Fact Checker Results:
The campaign is active and confirmed by multiple cybersecurity firms like Netskope and Morphisec.
Silver Fox's attribution is consistent with past behavior and technical tradecraft.
Payload analysis validates the presence of Sainbox RAT and Hidden rootkit within installer chains.
Prediction:
With success in deploying stealth malware through fake websites, Silver Fox is likely to expand its attack surface, potentially targeting overseas Chinese-speaking communities, diaspora professionals, or academics. Future campaigns may involve mobile apps or AI tool clones masquerading as productivity software. Expect a rise in more convincingly cloned websites and possibly embedded malware in social media-based download links targeting similar demographics.
References:
Reported By: thehackernews.com