Campaign uses fake installers to distribute Sainbox RAT variant

Posted date 05/08/2025

On June 26, 2025, cybersecurity company Netskope published research describing a new phishing campaign that uses fake installers for popular software such as WPS Office, Sogou, and DeepSeek. Based on the tactics, techniques, and procedures (TTPs) observed, the campaign appears to have been run by the China-based Silver Fox threat group, and the research indicates that it targets Chinese-speaking users.

According to Netskope, the fake websites observed in this campaign imitate the official download pages of the legitimate software. The installer itself, however, does not come from the lookalike page: when the user clicks the download link, the file is fetched from a different URL than the one the user is visiting. That mismatch between the page a user browsed and the host the executable was actually downloaded from is a useful thing to look for in proxy and web logs.
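The following script is an added example, not code from the Netskope research or from this article. It implements the check described above: given a page URL and its HTML, it extracts installer download links and flags those whose registrable domain differs from the page's own. The page URL, hostnames and HTML are constructed placeholders, not infrastructure from the campaign, and the domain-splitting helper is deliberately crude (last two labels) where a real tool would use the public suffix list.

```python
"""Flag installer download links that resolve off the page's own domain.

Added example for illustration; the sample page, URLs and hostnames below
are constructed placeholders and do not describe real campaign infrastructure.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Extensions a software-installer download link is expected to carry.
INSTALLER_EXTENSIONS = (".exe", ".msi", ".zip", ".rar", ".7z")


class LinkCollector(HTMLParser):
    """Collect <a href> targets and any <meta http-equiv="refresh"> redirect target."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        # Some lookalike pages bounce the visitor with a meta refresh instead of a link.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            content = attrs.get("content") or ""
            if "url=" in content.lower():
                self.links.append(content.split("=", 1)[1].strip())


def registrable_domain(host):
    """Crude eTLD+1 (last two labels); assumption for the example only.
    A production tool should use the public suffix list instead."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_offsite_downloads(page_url, page_html):
    """Return (absolute_url, host) for every installer link on the page whose
    registrable domain is not the page's own."""
    parser = LinkCollector()
    parser.feed(page_html)
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    offsite = []
    for href in parser.links:
        absolute = urljoin(page_url, href)
        parts = urlsplit(absolute)
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue
        if not parts.path.lower().endswith(INSTALLER_EXTENSIONS):
            continue
        if registrable_domain(parts.hostname) != page_domain:
            offsite.append((absolute, parts.hostname))
    return offsite


# Constructed sample: a lookalike page whose "Download" button fetches the
# installer from a different domain than the page itself, plus a same-domain mirror.
SAMPLE_PAGE_URL = "https://wps-office-download.example/"
SAMPLE_HTML = """
<html><body>
<a href="/about.html">About</a>
<a href="/files/readme.txt">Readme</a>
<a href="https://cdn.payload-host.example/setup/WPS_Setup.exe">Download</a>
<a href="https://wps-office-download.example/mirror/WPS_Setup.exe">Mirror</a>
</body></html>
"""

if __name__ == "__main__":
    for url, host in find_offsite_downloads(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"installer served off-site from {host}: {url}")
```

Run against the constructed sample, only the payload-host link is reported; the same-domain mirror and the non-installer links are ignored. The same function can be pointed at HTML captured by a proxy or a sandbox, with the page URL taken from the request that fetched it.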

While posing as legitimate software, the installers drop and run two components: a remote access Trojan (RAT) and a rootkit. In this campaign those are Sainbox RAT, a variant of Gh0stRAT, and the Hidden rootkit, which is built from open-source code. Sainbox RAT lets the attackers run additional payloads on the victim's system to steal information and carry out other malicious actions. The Hidden rootkit conceals those payloads and protects their processes from being terminated, so the infection stays out of the victim's sight. Because the rootkit runs on the compromised host, tools executed there cannot be trusted to show the RAT; detection is better anchored in evidence the rootkit does not control, such as the network traffic the RAT generates.