Cybercriminals Pose as WPS Office and DeepSeek to Deploy Sainbox RAT

Netskope Threat Labs has uncovered an advanced cybercriminal campaign that uses counterfeit software installers to distribute potent malware, including the Sainbox RAT, a variant of the notorious Gh0stRAT, and a stealth-enhancing rootkit known as Hidden.

The multi-stage operation predominantly targets Chinese-speaking users, deploying malicious payloads disguised as legitimate installers for popular applications such as WPS Office, Sogou, and DeepSeek.

The campaign’s orchestration and tactics point to Silver Fox, a China-based threat actor, although attribution remains at medium confidence due to the nature of the evidence.

Phishing Sites Imitate Trusted Brands

The attack begins with phishing websites that convincingly mimic the official pages of widely used Chinese software.

Figure: Phishing page example

Unsuspecting victims are lured into downloading installers that appear authentic but are in fact weaponized MSI files or, in the case of WPS Office, a PE-based installer.

The phishing and installer content is exclusively in Chinese, further indicating a specific targeting of Chinese-speaking audiences.

Upon download, the victim receives a file which, once executed, initiates a multi-layered infection chain.

Malware Delivery via DLL Sideloading

Analysis of the installers revealed a consistent approach: the files execute a legitimate component called “Shine.exe”, which is abused to sideload a malicious DLL masquerading as “libcef.dll”, a commonly used library in the Chromium Embedded Framework.

Figure: Fake installer files

Simultaneously, the genuine software is installed to avoid immediate suspicion. The malicious DLL, initiated via an exported function (“cef_api_hash”), first establishes persistence by registering “Shine.exe” under the Windows registry’s Run key.

It then loads a file named “1.txt” that contains both shellcode and a concealed malware payload.

The shellcode, occupying the initial segment of “1.txt”, employs techniques from the open-source sRDI tool to load a stripped DLL (with the “MZ” header removed to evade forensic detection) directly into memory. This DLL, identified as “Install.dll”, executes its payload through the “Shellex” export.

Upon execution, the shellcode launches the Sainbox RAT, a sophisticated variant of Gh0stRAT renowned for its remote access capabilities.

Within its .data section, the RAT embeds an additional PE binary: a rootkit driver based on the open-source Hidden project.

This driver is loaded as a service named “Sainbox” using NtLoadDriver, leveraging mini-filters and kernel callbacks to conceal system objects and ensure the longevity of the malware.

The rootkit’s ability to protect processes, files, and registry entries makes detection and remediation challenging, while providing attackers with persistent, covert access to compromised systems.
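The infection chain described above (unsigned libcef.dll sideloaded by Shine.exe, a Run key pointing at Shine.exe, Shine.exe reading 1.txt, and a driver loaded under a service named Sainbox) maps onto a handful of host telemetry events. The correlation logic below is an added example, not Netskope's or the article's code; the events are constructed, Sysmon-style records, and paths such as the Downloads directory and the Sainbox.sys file name are assumptions.

```python
"""Correlate host telemetry against the Shine.exe / libcef.dll sideloading chain.
Added example; event records below are constructed, not captured logs."""
import ntpath

# Constructed sample telemetry for one host (paths are assumptions, not IoCs).
SAMPLE_EVENTS = [
    {"type": "image_load", "image": r"C:\Users\u\Downloads\wps\Shine.exe",
     "loaded": r"C:\Users\u\Downloads\wps\libcef.dll", "signed": False},
    {"type": "registry_set", "image": r"C:\Users\u\Downloads\wps\Shine.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Shine",
     "value": r"C:\Users\u\Downloads\wps\Shine.exe"},
    {"type": "file_read", "image": r"C:\Users\u\Downloads\wps\Shine.exe",
     "path": r"C:\Users\u\Downloads\wps\1.txt"},
    {"type": "driver_load", "image": r"C:\Users\u\Downloads\wps\Shine.exe",
     "service": "Sainbox", "loaded": r"C:\Users\u\Downloads\wps\Sainbox.sys"},
    # Benign noise: a Chromium-based app loading its own signed libcef.dll.
    {"type": "image_load", "image": r"C:\Program Files\App\App.exe",
     "loaded": r"C:\Program Files\App\libcef.dll", "signed": True},
]


def base(path):
    """Lower-cased file name component of a Windows path."""
    return ntpath.basename(path).lower()


def detect_sideload_chain(events):
    """Return (stage, reason) findings for each behaviour the article names."""
    findings = []
    for e in events:
        img = base(e.get("image", ""))
        kind = e["type"]
        if kind == "image_load" and base(e["loaded"]) == "libcef.dll" and not e["signed"]:
            findings.append(("sideload", f"unsigned libcef.dll loaded by {img}"))
        elif kind == "registry_set" and "\\currentversion\\run\\" in e["key"].lower() \
                and base(e["value"]) == "shine.exe":
            findings.append(("persistence", "Run key value points at Shine.exe"))
        elif kind == "file_read" and img == "shine.exe" and base(e["path"]) == "1.txt":
            findings.append(("payload", "Shine.exe reads 1.txt (shellcode carrier)"))
        elif kind == "driver_load" and e.get("service", "").lower() == "sainbox":
            findings.append(("rootkit", f"service 'Sainbox' loaded {e['loaded']}"))
    return findings


def chain_complete(findings):
    """True when all four stages of the described chain were observed."""
    return {"sideload", "persistence", "payload", "rootkit"} <= {s for s, _ in findings}
```

Any single stage is worth an alert on its own; the full chain on one host is high confidence.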

The Sainbox RAT itself offers operators extensive control, allowing them to execute arbitrary code, steal sensitive data, and deploy further payloads.

This dual-pronged approach, combining a commodity RAT with a robust rootkit, demonstrates a calculated effort to maximize both access and stealth with minimal bespoke development.

Though multiple threat groups may share tools and infrastructure, the characteristics of this campaign, especially the strategic targeting of Chinese users, the use of familiar RAT families and rootkits, and the deployment method via phishing, suggest links to Silver Fox.

According to the report, Netskope assesses this attribution with medium confidence, acknowledging the complex, evolving nature of adversary identification in modern cyber operations.

Netskope Threat Labs continues to monitor the progression of Sainbox RAT deployments and the broader tactics of the Silver Fox group, emphasizing the need for vigilance as attackers adopt ever more sophisticated and deceptive distribution tactics.

Mandvi
Mandvi is a Security Reporter covering data breaches, malware, cyberattacks, data leaks, and more at Cyber Press.
