Chinese Cyber Group Silver Fox Deploys Malicious Websites to Distribute Sainbox RAT and Concealed Rootkit

A recent campaign has been identified that utilizes counterfeit websites promoting popular software such as WPS Office, Sogou, and DeepSeek to facilitate the distribution of the Sainbox Remote Access Trojan (RAT) and the open-source Hidden rootkit.

This activity is attributed with medium confidence to a Chinese hacking group known as Silver Fox (also referred to as Void Arachne), based on notable similarities in operational techniques with previous campaigns ascribed to this threat actor.

The phishing sites, specifically “wpsice[.]com,” have been discovered disseminating malicious MSI installers presented in the Chinese language, signaling that the campaign’s intended audience comprises Chinese-speaking individuals.

According to Netskope Threat Labs researcher Leandro Fróes, “The malware payloads consist of the Sainbox RAT, a derivative of Gh0st RAT, and a variant of the open-source Hidden rootkit.”

This is not the first instance of Silver Fox employing this particular method. In July 2024, eSentire provided insights into a campaign targeting Chinese-speaking Windows users via counterfeit Google Chrome sites to deliver Gh0st RAT. Earlier in February, Morphisec revealed another operation leveraging falsified web pages advertising the Chrome browser to distribute ValleyRAT (also known as Winos 4.0), another variant of Gh0st RAT.

ValleyRAT was initially documented by Proofpoint in September 2023 as part of a broader campaign specifically targeting Chinese-speaking users alongside Sainbox RAT and Purple Fox.

In the latest wave of attacks reported by Netskope, the malicious MSI installers retrieved from these websites are engineered to execute a legitimate program named “shine.exe,” which is abused to load a malicious DLL file, “libcef.dll,” via DLL side-loading.

The primary function of this DLL is to extract shellcode from a text file (“1.txt”) included in the installer and execute it, ultimately leading to the activation of another DLL payload, specifically the Sainbox remote access trojan.

Fróes elaborated, “The .data section of the analyzed payload contains an embedded PE binary that may be executed, contingent upon the malware’s configuration. This internal file serves as a rootkit driver based on the open-source project known as Hidden.”
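As an added triage example (not code from Netskope or from the article), the following Python scans a section's raw bytes for an embedded PE image of the kind described above and flags whether it looks like a kernel driver (NATIVE subsystem). The input blob is constructed here to exercise the check; it is not the real Sainbox sample, whose `.data` section would be supplied by a PE parser such as `pefile`.

```python
import struct

IMAGE_SUBSYSTEM_NATIVE = 1   # subsystem used by kernel-mode drivers
IMAGE_FILE_DLL = 0x2000      # Characteristics flag for DLL images

def find_embedded_pe(data: bytes) -> list[dict]:
    """Scan a byte blob (e.g. a .data section) for plausible embedded PE images."""
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            # A real header has a small e_lfanew that lands on "PE\0\0" with room
            # for the COFF header (20 bytes) and the Subsystem field (opt. hdr +68).
            if (0x40 <= e_lfanew <= 0x400 and pe + 4 + 20 + 70 <= len(data)
                    and data[pe:pe + 4] == b"PE\0\0"):
                machine, _, _, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, pe + 4)
                magic = struct.unpack_from("<H", data, pe + 24)[0]
                subsystem = struct.unpack_from("<H", data, pe + 24 + 68)[0]
                if magic in (0x10B, 0x20B):  # PE32 / PE32+
                    hits.append({
                        "offset": pos,
                        "arch": "x64" if magic == 0x20B else "x86",
                        "machine": machine,
                        "is_dll": bool(chars & IMAGE_FILE_DLL),
                        "likely_driver": subsystem == IMAGE_SUBSYSTEM_NATIVE,
                    })
        pos = data.find(b"MZ", pos + 1)
    return hits

def build_minimal_pe(magic=0x20B, subsystem=IMAGE_SUBSYSTEM_NATIVE, chars=0x0022) -> bytes:
    """Constructed stand-in for an embedded driver: valid headers only, no code."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> right after DOS header
    opt_size = 240 if magic == 0x20B else 224
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 68, subsystem)      # IMAGE_SUBSYSTEM_NATIVE => driver
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

# Constructed ".data" blob: padding, a decoy "MZ" with a bogus e_lfanew, then the image.
SAMPLE_BLOB = b"\x00" * 64 + b"MZ\xff\xff" + b"A" * 30 + build_minimal_pe() + b"\x00" * 32

if __name__ == "__main__":
    for hit in find_embedded_pe(SAMPLE_BLOB):
        print(hit)   # the constructed image is reported at offset 98 as a likely x64 driver
```

The decoy `MZ` is rejected because its `e_lfanew` does not resolve to a `PE\0\0` signature, which is what keeps the scan from flagging every stray two-byte match.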

Sainbox is equipped with functionalities to download supplementary payloads and exfiltrate data, while the Hidden rootkit provides attackers with an arsenal of stealth features, enabling them to obscure malware-related processes and Windows Registry keys on compromised systems.

Netskope notes that leveraging variants of widely available RATs, such as Gh0st RAT, in conjunction with open-source kernel rootkits like Hidden, affords attackers both control and stealth without necessitating extensive custom development.