Chinese Group Silver Fox Uses Fake Websites to Deliver Sainbox RAT and Hidden Rootkit

Posted on June 27, 2025 by CWS

Jun 27, 2025Ravie LakshmananMalware / Cyber Assault
A brand new marketing campaign has been noticed leveraging pretend web sites promoting in style software program equivalent to WPS Workplace, Sogou, and DeepSeek to ship Sainbox RAT and the open-source Hidden rootkit.
The exercise has been attributed with medium confidence to a Chinese language hacking group referred to as Silver Fox (aka Void Arachne), citing similarities in tradecraft with earlier campaigns attributed to the risk actor.
The phishing web sites (“wpsice[.]com”) have been discovered to distribute malicious MSI installers within the Chinese language language, indicating that the targets of the marketing campaign are Chinese language audio system.

“The malware payloads include the Sainbox RAT, a variant of Gh0st RAT, and a variant of the open-source Hidden rootkit,” Netskope Threat Labs researcher Leandro Fróes said.

This isn’t the first time the threat actor has resorted to this modus operandi. In July 2024, eSentire detailed a campaign that targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT.
Then earlier this February, Morphisec disclosed another campaign that also leveraged bogus sites advertising the web browser to distribute ValleyRAT (aka Winos 4.0), a different version of Gh0st RAT.
ValleyRAT was first documented by Proofpoint in September 2023 as part of a campaign that also singled out Chinese-speaking users with Sainbox RAT and Purple Fox.

In the latest attack wave observed by Netskope, the malicious MSI installers downloaded from the websites are designed to launch a legitimate executable named “shine.exe,” which loads a rogue DLL “libcef.dll” using DLL side-loading techniques.
The DLL’s main purpose is to extract shellcode from a text file (“1.txt”) present in the installer and then run it, ultimately resulting in the execution of another DLL payload, a remote access trojan known as Sainbox.

“The .data section of the analyzed payload contains another PE binary that may be executed, depending on the malware’s configuration,” Fróes explained. “The embedded file is a rootkit driver based on the open-source project Hidden.”
While Sainbox comes equipped with capabilities to download additional payloads and steal data, Hidden gives attackers an array of stealthy features to hide malware-related processes and Windows Registry keys on compromised hosts.
“Using variants of commodity RATs, such as Gh0st RAT, and open-source kernel rootkits, such as Hidden, gives the attackers control and stealth without requiring a lot of custom development,” Netskope said.
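Two of the observations above lend themselves to simple triage checks: the side-loading file set dropped by the installer (shine.exe, libcef.dll, 1.txt) and a payload that carries a second PE image inside its .data section. The following is an added example written for this article, not Netskope's tooling or the malware's code; the helper names, the constructed PE-like blobs and the chosen e_lfanew bounds are assumptions for the demo.

```python
import struct
from pathlib import Path

MZ = b"MZ"
PE_SIG = b"PE\0\0"

def find_embedded_pe(data: bytes, min_offset: int = 1) -> list[int]:
    """Return offsets of plausible PE images embedded inside `data`.

    A candidate is an 'MZ' stub whose e_lfanew field (DOS header offset 0x3c)
    points, within the buffer, at a 'PE\\0\\0' signature. Offsets below
    min_offset are skipped so the host file's own header is not reported.
    The 0x40..0x1000 bound on e_lfanew is a heuristic to cut false hits.
    """
    hits = []
    pos = data.find(MZ, min_offset)
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            sig_at = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[sig_at:sig_at + 4] == PE_SIG:
                hits.append(pos)
        pos = data.find(MZ, pos + 1)
    return hits

def build_fake_pe(payload_len: int = 64) -> bytes:
    """Constructed, minimal PE-looking blob for the demo (not a real binary):
    an MZ stub whose e_lfanew points at a PE signature followed by zero padding."""
    e_lfanew = 0x80
    blob = bytearray(MZ + b"\0" * (0x3C - 2))
    blob += struct.pack("<I", e_lfanew)
    blob += b"\0" * (e_lfanew - len(blob))
    blob += PE_SIG + b"\0" * payload_len
    return bytes(blob)

# File names from the installer described in the article: the legitimate EXE,
# the side-loaded DLL and the text file carrying the shellcode.
SIDELOAD_TRIAD = {"shine.exe", "libcef.dll", "1.txt"}

def matches_sideload_layout(filenames) -> bool:
    """True when all three names appear together (case-insensitive, any directory).
    Legitimate CEF-based software ships libcef.dll too, so treat this as a
    triage lead to confirm against publisher signatures, not as a verdict."""
    names = {Path(f).name.lower() for f in filenames}
    return SIDELOAD_TRIAD <= names

if __name__ == "__main__":
    host = build_fake_pe() + b"\0" * 100 + build_fake_pe()
    print("embedded PE at offsets:", find_embedded_pe(host))
```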
