Sainbox RAT and Hidden Rootkit Unleashed: Sophisticated Malware Campaign Targets Chinese Users with Fake Installers

A New Breed of Cyber Deception

Cybercriminals are stepping up their game. Netskope Threat Labs has uncovered a multi-stage malware campaign that goes beyond conventional phishing attacks. Disguised as trusted Chinese software like WPS Office and Sogou, counterfeit installers are being used to infiltrate systems with a double dose of malicious software — the stealthy Sainbox RAT and the Hidden rootkit. The operation is remarkably calculated, deploying a mix of old and new techniques to maintain access, evade detection, and achieve long-term control over compromised systems. At the heart of the operation lies a possible Chinese threat group, codenamed Silver Fox, showing a deliberate focus on Chinese-speaking users.

Stealth Infiltration via Fake Software Installers

The campaign kicks off with phishing websites that convincingly mimic official download pages for widely-used Chinese applications. Once victims download and launch these installers, they unknowingly set off a complex infection chain. Disguised as MSI or PE files, the malicious installers execute a legitimate-looking component, Shine.exe, which in turn sideloads a harmful DLL file named libcef.dll. This method, known as DLL sideloading, helps the malware operate under the radar.

After execution, the malware registers itself in the Windows Registry for persistence, using a file called 1.txt that cleverly hides both shellcode and payloads. The shellcode extracts and runs a stripped DLL directly from memory — an advanced tactic that bypasses traditional antivirus detection. This process results in the deployment of Install.dll, which eventually triggers the notorious Sainbox RAT.

What makes Sainbox particularly dangerous is its versatility. Based on the well-known Gh0stRAT, Sainbox offers extensive control over infected systems, including remote command execution, data theft, and further malware deployment. Hidden within its data section is another layer of malware — a stealthy rootkit driver based on the open-source Hidden project. This driver leverages system-level mini-filters and kernel callbacks to hide processes, files, and registry entries, making it almost impossible to detect.

The driver is installed as a service named “Sainbox” using advanced API calls like NtLoadDriver, allowing the malware to remain deeply embedded in the system. The seamless integration of RAT and rootkit demonstrates a clear intent to establish long-term, undetected access.

Silver Fox is believed to be behind this campaign, although the attribution remains tentative. Their use of well-known malware families and focus on the Chinese language suggests a strategic and regional targeting strategy. Netskope maintains a medium-confidence level in tying the group to these attacks, highlighting the murky landscape of cyber threat attribution.

As this campaign evolves, it exemplifies how threat actors are refining their tactics to blend legitimacy with deception. The line between real and fake has never been thinner — and for victims, never more dangerous.

What Undercode Says:

The Rise of Legit-Looking Malware Delivery

This campaign is a textbook example of how malware developers are mastering psychological manipulation. By cloning legitimate software sites and installers, they remove the initial red flags most users rely on. The result? Users feel safe downloading software that’s infected from the start.

Technical Precision and Weaponization

The technical depth behind this campaign is notable. DLL sideloading, memory-only execution, and stripped headers from DLLs reflect a sophisticated understanding of digital forensics and evasion. The use of libcef.dll — a widely trusted component in Chromium applications — makes the malicious payloads blend seamlessly with real installations.

The Power of Multi-Stage Attacks

This isn’t a smash-and-grab attack.

Attribution Complexity

Though Silver Fox is the main suspect, the attribution remains speculative. Many threat groups share infrastructure or purchase malware kits from underground markets. Still, the use of the Chinese language across phishing sites and malware strings suggests a targeted, regional focus.

Hidden Project: A Double-Edged Sword

The incorporation of the Hidden project into the rootkit is significant. Being open-source, it allows threat actors to customize it extensively, and being publicly accessible makes it harder to trace authorship. But its known capabilities make it a powerful ally in any cybercriminal’s toolbox.

Detection Challenges for Defenders

Traditional endpoint protection tools struggle to detect memory-injected payloads, especially when those payloads lack typical markers such as file headers. Moreover, using legitimate software as part of the infection process — like WPS Office — reduces the chance of suspicion from both users and automated systems.

Indicators of State-Sponsored Activity

The campaign’s scale, planning, and focus on Chinese users raise red flags. While not confirmed, the characteristics align with state-backed or state-tolerated threat actors. The goal could be espionage, data collection, or silent infrastructure compromise — all typical motives for government-aligned hackers.

Implications for Software Vendors

Vendors like WPS Office and Sogou may not be directly responsible, but this campaign highlights how their reputation can be weaponized. There’s a growing need for vendors to adopt and enforce stronger installer verification methods, like digital signatures and HTTPS enforcement, to help end-users differentiate real from fake.

Lessons for Cybersecurity Teams

CISOs and SOCs need to increase focus on behavioral analysis rather than signature-based detection. Memory forensics, unusual registry behavior, and anomalous driver loads should now be considered high-priority alerts.
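The behavioral signals named above map directly onto the infection chain described earlier (Shine.exe sideloading libcef.dll, a registry persistence entry pointing at 1.txt, and a kernel driver registered as a service called "Sainbox"). The triage script below is an added example, not code from Netskope or the article; it runs over constructed, Sysmon-style log lines in a simplified key=value layout, and every file path, the Run-key location, and the driver file name are assumptions made up for the sample, not indicators from the campaign.

```python
"""Triage constructed Sysmon-style events for the behaviors described in the
article: a libcef.dll sideload from an untrusted directory, a Run-key entry that
points at a .txt file, and a service/driver registered from an untrusted path.
Event IDs follow Sysmon (7 = image load, 13 = registry value set, 6 = driver load)."""
import re

# Constructed sample telemetry (not real logs). Paths and driver.sys are assumptions.
SAMPLE_LOG = r"""
EventID=7 Image=C:\Users\u\Downloads\WPS_Setup\Shine.exe ImageLoaded=C:\Users\u\Downloads\WPS_Setup\libcef.dll Signed=false
EventID=7 Image=C:\Program Files\Kingsoft\WPS Office\wps.exe ImageLoaded=C:\Program Files\Kingsoft\WPS Office\libcef.dll Signed=true
EventID=13 Image=C:\Users\u\Downloads\WPS_Setup\Shine.exe TargetObject=HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svc Details=C:\Users\u\AppData\Roaming\1.txt
EventID=6 ImageLoaded=C:\Windows\Temp\driver.sys Signed=false
EventID=13 Image=C:\Windows\system32\services.exe TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Sainbox\ImagePath Details=C:\Windows\Temp\driver.sys
"""

# Directories from which a libcef.dll or a driver load is considered expected.
TRUSTED_DIRS = ("c:\\program files", "c:\\windows\\system32")
# key=value pairs; a value runs until the next " key=" so paths with spaces survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_event(line):
    return dict(FIELD_RE.findall(line))

def in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)

def triage(event):
    """Return the list of alert strings raised by one parsed event."""
    alerts, eid = [], event.get("EventID")
    if eid == "7":  # image load: libcef.dll pulled in from outside a trusted install dir
        dll = event.get("ImageLoaded", "")
        if dll.lower().endswith("\\libcef.dll") and not in_trusted_dir(dll):
            alerts.append(f"possible DLL sideload: {event.get('Image')} loaded {dll}")
    elif eid == "13":  # registry write: Run-key persistence, or a service ImagePath
        target, details = event.get("TargetObject", ""), event.get("Details", "")
        if "\\currentversion\\run\\" in target.lower() and details.lower().endswith(".txt"):
            alerts.append(f"Run-key persistence pointing at a .txt file: {details}")
        svc = re.search(r"\\services\\([^\\]+)\\imagepath$", target, re.I)
        if svc and not in_trusted_dir(details):
            alerts.append(f"service '{svc.group(1)}' binary at untrusted path {details}")
    elif eid == "6":  # driver load: unsigned, or loaded from outside system32
        drv = event.get("ImageLoaded", "")
        if event.get("Signed", "true").lower() != "true" or not in_trusted_dir(drv):
            alerts.append(f"anomalous driver load: {drv}")
    return alerts

def scan(log_text):
    """Run triage over every non-empty line of a log and collect the alerts."""
    return [a for ln in log_text.splitlines() if ln.strip() for a in triage(parse_event(ln))]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The legitimate WPS Office line produces no alert, while the four attacker-style events each raise one; in a real SOC these rules would be tuned per environment since some vendors do ship libcef.dll outside Program Files.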

The Future of Malware Distribution

This campaign is a sign of things to come. Fake software installations are evolving into the preferred delivery vector because they work — and because users rarely double-check what they download, especially when the interface looks familiar.

🔍 Fact Checker Results:

✅ The Sainbox RAT is a confirmed variant of Gh0stRAT with remote access capabilities
✅ The malware campaign uses real-looking installers for trusted Chinese apps to lure users
❌ No definitive proof ties the campaign to Silver Fox, only medium-confidence attribution

📊 Prediction:

Expect more campaigns using “lookalike installers” as threat actors see success with this low-friction, high-impact method. Open-source rootkits like Hidden will become even more common in the wild due to their modular design. Detection tools will need to evolve quickly, shifting from signature-based models to deeper memory and behavioral analysis — or risk falling behind a wave of undetectable threats. 🧠💻🛡️

References:

Reported By: cyberpress.org