Campaign uses fake installers to distribute Sainbox RAT variant

Posted date 05/08/2025

05/08/2025

On June 26, 2025, cybersecurity company Netskope published research revealing a new phishing campaign that uses fake installers for popular software tools such as WPS Office, Sogou, and DeepSeek. Based on the tactics, techniques, and procedures employed, the campaign appears to have been orchestrated by the China-based Silver Fox threat group. Furthermore, the research indicates that the selection of targets was aimed at Chinese-speaking users.

According to Netskope, the fake websites observed in this campaign mimic the official sites of legitimate software. However, when the user downloads the fake installers, the file is obtained from a different URL.

Posing as legitimate software, the installers contain the execution of a remote access Trojan (RAT) and a rootkit. In this campaign, they specifically deploy a variant of Gh0stRAT called Sainbox RAT and the so-called Hidden rootkit, based on open source code. Sainbox RAT allows attackers to execute payloads on victims' systems to steal information and perform other malicious actions. The Hidden rootkit hides these payloads, preventing processes from being terminated and avoiding detection by victims.

References

26/06/2025

netskope.com

DeepSeek Deception: Sainbox RAT & Hidden Rootkit Delivery
27/06/2025

securityweek.com

Chinese Hackers Target Chinese Users With RAT, Rootkit
27/06/2025

thehackernews.com

Chinese Group Silver Fox Uses Fake Websites to Deliver Sainbox RAT and Hidden Rootkit
01/07/2025

redhotcyber.com

Nueva campaña de malware Silver Fox: propaga RAT y rootkits a través de sitios web falsos

Etiquetas