Silver Fox Unleashes Sainbox RAT & Hidden Rootkit Via Fake Software Installers
The Chinese hacker collective known as Silver Fox, also operating under the alias Void Arachne, has once again drawn the attention of cybersecurity experts. According to Netskope, a new malicious campaign has been uncovered in which the attackers build counterfeit websites that mimic popular software platforms, such as WPS Office, Sogou, and DeepSeek, in order to infect users' systems with a remote access trojan and a kernel-mode rootkit.
These fraudulent domains, including the discovered "wpsice[.]com", are carefully designed to imitate the official download pages of well-known applications. The campaign's primary focus appears to be a Chinese-speaking audience: the MSI installers served by the fake sites are offered only in Chinese.
Once executed, these deceptive installers deploy a suite of tools onto the victim's device, notably the Sainbox RAT, a modified strain of the notorious Gh0st RAT, alongside a kernel driver based on the open-source Hidden project, a Windows kernel-mode rootkit used to hide files, registry keys, and processes so that the malware's presence and activity are obscured from the user and from user-mode security tools.
Netskope’s analysts emphasize that this method allows adversaries to effectively commandeer infected systems while concealing traces of their operation, all without investing in the development of advanced custom tooling. The use of publicly available tools like Hidden simplifies the attackers’ task while maintaining a high degree of operational stealth.
In this ongoing campaign, the threat actors rely on DLL sideloading. The installer retrieved from the fake site drops and runs a legitimate binary, "shine.exe", which loads a tampered copy of "libcef.dll" (the Chromium Embedded Framework library the genuine program expects to find next to it) from the same directory. This malicious library reads a payload hidden inside a file named "1.txt", bundled in the installation package with a plain-text extension so that it passes for harmless data, then extracts and executes the code it contains.
The final stage is an additional DLL that launches the Sainbox RAT and its accompanying stealth driver. The driver conceals the trojan's activity by hiding its processes and registry keys at the kernel level, which is why user-mode process and registry enumeration alone will not reveal the infection.
It is noteworthy that Silver Fox has employed this tactic before. In the summer of 2024, researchers at eSentire documented a similar campaign in which fake Chrome browser sites were used to distribute Gh0st RAT. Then, in February 2025, Morphisec identified yet another attack from the same group, this time using fraudulent browser promotion sites to spread a different Gh0st RAT variant, ValleyRAT (also referred to as Winos 4.0).
According to Proofpoint, ValleyRAT was first observed in the autumn of 2023 and has primarily been deployed against Chinese-speaking targets. That campaign also featured other tools, including Sainbox RAT and Purple Fox.
Experts caution that modified versions of well-known trojans combined with open-source rootkits let adversaries slip past baseline, signature-based defenses while avoiding the cost of developing new malicious frameworks. This cheap yet targeted approach makes Silver Fox's operations particularly insidious, especially given the linguistic and regional precision with which victims are selected.