A new campaign uses fake websites advertising popular software to deliver two malware families. The sites pose as download pages for WPS Office, Sogou Pinyin, and the AI tool DeepSeek, and serve malicious installers built specifically for Chinese-speaking users. The activity has been attributed with medium confidence to a Chinese hacking group tracked as Silver Fox.
This is not the first time the threat actor has used this lure. In July 2024, a campaign targeted Chinese-speaking Windows users with fake Google Chrome download sites. Earlier in February, a similar campaign used bogus sites to distribute another Gh0st RAT variant, ValleyRAT, which Proofpoint researchers first documented in 2023. Together these incidents show a consistent pattern: fake software websites aimed at one specific demographic.
The primary malware payloads include the Sainbox RAT and a new variant of the open-source Hidden rootkit.
In the latest wave, spotted by Netskope, the fake download sites serve malicious installers. Each installer launches a legitimate executable that sideloads a malicious DLL placed alongside it. The DLL's job is to read shellcode from a text file and execute it; the shellcode in turn loads another DLL payload, the Sainbox remote access trojan. Depending on its configuration, the malware can also run an embedded file: a rootkit driver based on Hidden.
Sainbox can download and run additional payloads and steal sensitive data from the host.
The Hidden rootkit gives the attackers a set of stealth features: it hides the malware's processes and can also hide Windows Registry keys on compromised hosts. Pairing a commodity RAT with an open-source rootkit gives the group control and stealth with little custom development effort, and that is how Silver Fox keeps quiet control over the systems it compromises.
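The sideloading stage above has a recognisable telemetry footprint: a legitimate executable starts from a user-writable directory and loads an unsigned DLL from that same directory instead of a system path. The following Python is an added example, not code from Netskope or from the campaign, that runs that check over constructed Sysmon-style image-load records. The field names (`Image`, `ImageLoaded`, `Signed`, plus an assumed `ImageSigned` enrichment for the loading process) and the list of user-writable prefixes are assumptions about the telemetry source, not values from the article.

```python
"""Flag DLL sideloading candidates in image-load telemetry.

Added example, not the campaign's or Netskope's code. Rule: a signed
process running from a user-writable directory loads a DLL from its own
directory that is NOT signed. That is the shape of the installer ->
legitimate EXE -> malicious DLL chain described in the article.
"""
from pathlib import PureWindowsPath

# Assumption: paths an ordinary user can write to. A legitimate signed
# binary running from one of these is far more suspicious than one
# installed under Program Files or Windows.
USER_WRITABLE_PREFIXES = (
    "c:\\users\\",
    "c:\\programdata\\",
    "c:\\temp\\",
)

# Constructed sample records (Sysmon Event ID 7 style, plus an assumed
# ImageSigned field for the loading process). Not real campaign data.
SAMPLE_IMAGE_LOADS = [
    {   # benign: signed app under Program Files loads its own signed DLL
        "Image": r"C:\Program Files\Vendor\app.exe",
        "ImageLoaded": r"C:\Program Files\Vendor\helper.dll",
        "ImageSigned": True, "Signed": True,
    },
    {   # benign: binary in Downloads loads a system DLL from System32
        "Image": r"C:\Users\alice\Downloads\setup\app.exe",
        "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
        "ImageSigned": True, "Signed": True,
    },
    {   # suspicious: signed EXE in Downloads loads unsigned DLL beside it
        "Image": r"C:\Users\alice\Downloads\setup\app.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\setup\helper.dll",
        "ImageSigned": True, "Signed": False,
    },
    {   # unsigned EXE loading unsigned DLL: noisy, handled by other rules
        "Image": r"C:\Users\alice\Downloads\tool\tool.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\tool\plugin.dll",
        "ImageSigned": False, "Signed": False,
    },
]


def _is_user_writable(path: str) -> bool:
    """True if the path starts with one of the assumed user-writable roots."""
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def _same_directory(a: str, b: str) -> bool:
    """Compare parent directories; PureWindowsPath compares case-insensitively."""
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def find_sideload_candidates(events):
    """Return the image-load records that match the sideloading rule.

    A record is a hit when all of the following hold:
      * the loaded image is a .dll,
      * the loading process runs from a user-writable directory,
      * the DLL sits in the same directory as that process, and
      * the process is signed but the DLL is not.
    """
    hits = []
    for ev in events:
        exe, dll = ev["Image"], ev["ImageLoaded"]
        if not dll.lower().endswith(".dll"):
            continue
        if not _is_user_writable(exe):
            continue
        if not _same_directory(exe, dll):
            continue
        if ev.get("ImageSigned") and not ev.get("Signed"):
            hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in find_sideload_candidates(SAMPLE_IMAGE_LOADS):
        print("sideload candidate:", hit["Image"], "->", hit["ImageLoaded"])
```

The rule keys on the Windows loader's default search order: for a DLL that is not a KnownDLL, the application's own directory is searched before System32, so a malicious DLL dropped next to a legitimate executable wins. The signed-loads-unsigned condition is what keeps the rule quiet; the fourth sample record shows why dropping it would flood the queue with ordinary unsigned tools.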