A new campaign has been observed leveraging fake websites advertising popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit.
The activity has been attributed with medium confidence to a Chinese hacking group called Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns attributed to the threat actor.
The phishing websites (“wpsice[.]com”) have been found to distribute malicious MSI installers in the Chinese language, indicating that the targets of the campaign are Chinese speakers.
“The malware payloads include the Sainbox RAT, a variant of Gh0st RAT, and a variant of the open-source Hidden rootkit,” Netskope Threat Labs researcher Leandro Fróes said.
This is not the first time the threat actor has resorted to this modus operandi. In July 2024, eSentire detailed a campaign that targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT.
Then earlier this February, Morphisec disclosed another campaign that also leveraged bogus sites advertising the web browser to distribute ValleyRAT (aka Winos 4.0), a different version of Gh0st RAT.
ValleyRAT was first documented by Proofpoint in September 2023 as part of a campaign that also singled out Chinese-speaking users with Sainbox RAT and Purple Fox.
In the latest attack wave spotted by Netskope, the malicious MSI installers downloaded from the websites are designed to launch a legitimate executable named “shine.exe,” which sideloads a rogue DLL “libcef.dll” using DLL side-loading techniques.
The DLL’s primary objective is to extract shellcode from a text file (“1.txt”) present in the installer and then run it, ultimately resulting in the execution of another DLL payload, a remote access trojan called Sainbox.
“The .data section of the analyzed payload contains another PE binary that may be executed, depending on the malware’s configuration,” Fróes explained. “The embedded file is a rootkit driver based on the open-source project Hidden.”
While Sainbox comes fitted with capabilities to download additional payloads and steal data, Hidden offers attackers an array of stealthy features to hide malware-related processes and Windows Registry keys on compromised hosts.
“Using variants of commodity RATs, such as Gh0st RAT, and open-source kernel rootkits, such as Hidden, gives the attackers control and stealth without requiring a lot of custom development,” Netskope said.
