
Chinese Hackers Target Chinese Users With RAT, Rootkit

China-linked Silver Fox hacking group is targeting Chinese users with fake installers carrying a RAT and a rootkit.

Fake installers distributed through Chinese-language websites are infecting users with a remote access trojan (RAT) and a rootkit, Netskope reports.

Masquerading as legitimate software, such as WPS Office, Sogou, and DeepSeek, the installers were seen deploying a Gh0stRAT variant named Sainbox RAT, and the open source Hidden rootkit, likely to achieve stealthy access to victims’ systems.

The fake sites observed in this campaign, Netskope says, mimic the official websites of legitimate software. However, when the user downloads the fake installers (MSI files and a PE installer), the file is fetched from a different URL.
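One check that follows from this detail: on a suspected lookalike site, list the installer links whose download host differs from the page host. The script below is an added example, not code from the article or from Netskope; the page URL, the link list and the `.invalid`/`.example` hosts are constructed for illustration.

```python
"""Flag installer links (.msi/.exe) served from a host other than the page host.

Added example; page URL and hrefs below are constructed sample data.
"""
from urllib.parse import urljoin, urlsplit

INSTALLER_SUFFIXES = (".msi", ".exe")


def offsite_installer_links(page_url, hrefs):
    """Return (resolved_url, host) for installer links whose host differs from the page host.

    Relative and scheme-relative hrefs are resolved against page_url first, so a
    link like '//cdn.example/x.msi' is judged by its real host, not skipped.
    """
    page_host = (urlsplit(page_url).hostname or "").lower()
    findings = []
    for href in hrefs:
        parts = urlsplit(urljoin(page_url, href))
        if parts.scheme not in ("http", "https") or not parts.hostname:
            continue  # mailto:, javascript:, anchors, etc.
        if not parts.path.lower().endswith(INSTALLER_SUFFIXES):
            continue  # only care about installer downloads
        host = parts.hostname.lower()
        if host != page_host:
            findings.append((urljoin(page_url, href), host))
    return findings


# Constructed sample: a download page with one same-host link and two off-host ones.
SAMPLE_PAGE = "https://wps-example.invalid/download.html"
SAMPLE_HREFS = [
    "/download/wps_setup.msi",                          # same host
    "//cdn-files.example.net/dl/wps_setup.msi",         # scheme-relative, other host
    "https://another-host.example.org/bin/setup.exe",   # absolute, other host
    "https://wps-example.invalid/about.html",           # not an installer
]

if __name__ == "__main__":
    for url, host in offsite_installer_links(SAMPLE_PAGE, SAMPLE_HREFS):
        print(f"off-host installer: {url} (host {host})")
```

A differing host is a signal, not proof: legitimate vendors often serve binaries from a CDN. Compare the registrable domain or an allowlist of known vendor download hosts before treating a hit as malicious.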

Upon execution, the MSI files run a legitimate file named ‘Shine.exe’, which is used to sideload a malicious DLL, and execute the genuine installer software to hide the nefarious operation. A TXT file containing shellcode and a malware payload is also dropped.

The DLL, a fake version of the libcef library, part of the Chromium Embedded Framework (CEF), starts in a function called by Shine.exe. The function sets persistence, loads the contents of the TXT file in memory, and redirects the control flow to the start of the shellcode.

Based on the open source tool sRDI, the shellcode is meant to reflectively load a DLL into memory and call two functions, including one that starts the malicious payload’s activity.
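The chain above (a legitimate executable loading a DLL that impersonates libcef, with a text file holding the shellcode dropped next to it) leaves a recognisable footprint in image-load and file-create telemetry. The script below is an added detection example, not code from the article or from Netskope: it scores constructed image-load events against three indicators that each appear in the description (impersonated library name, DLL in a user-writable directory next to its loader, a `.txt` file dropped in the same directory) plus a signature check. The event schema, the `inst` directory and the `payload.txt` name are constructed; only `Shine.exe` and `libcef.dll` come from the article.

```python
"""Heuristic for DLL sideloading of a well-known library from an unusual location.

Added example with a constructed event schema; not the article's or Netskope's code.
"""
from dataclasses import dataclass

# Library names a sideloaded DLL in this campaign impersonated (from the article).
SIDELOAD_CANDIDATES = {"libcef.dll"}

# Directories an unprivileged user can write to (assumption for this example).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


@dataclass(frozen=True)
class ImageLoadEvent:
    process_path: str   # full path of the loading process
    image_path: str     # full path of the DLL mapped into it
    image_signed: bool  # whether the DLL's Authenticode signature verified


@dataclass(frozen=True)
class FileCreateEvent:
    process_path: str
    file_path: str


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def find_sideload_suspects(loads, creates, min_reasons=2):
    """Return (process, dll, reasons) for loads with at least min_reasons indicators."""
    dropped = {}  # directory -> file names created there
    for ev in creates:
        dropped.setdefault(_dirname(ev.file_path), []).append(_basename(ev.file_path))

    findings = []
    for ev in loads:
        if _basename(ev.image_path) not in SIDELOAD_CANDIDATES:
            continue
        dll_dir = _dirname(ev.image_path)
        reasons = []
        if dll_dir.startswith(USER_WRITABLE_PREFIXES):
            reasons.append("dll in user-writable directory")
        if not ev.image_signed:
            reasons.append("dll signature did not verify")
        if dll_dir == _dirname(ev.process_path):
            reasons.append("dll sits beside its loader")  # weak alone; common for real apps
        txts = [f for f in dropped.get(dll_dir, []) if f.endswith(".txt")]
        if txts:
            reasons.append("txt file dropped alongside: " + ", ".join(txts))
        if len(reasons) >= min_reasons:
            findings.append((ev.process_path, ev.image_path, tuple(reasons)))
    return findings


# Constructed sample telemetry: one sideload-like chain, one benign CEF application.
SAMPLE_LOADS = [
    ImageLoadEvent(r"C:\Users\victim\AppData\Local\Temp\inst\Shine.exe",
                   r"C:\Users\victim\AppData\Local\Temp\inst\libcef.dll", False),
    ImageLoadEvent(r"C:\Program Files\SomeApp\SomeApp.exe",
                   r"C:\Program Files\SomeApp\libcef.dll", True),
]
SAMPLE_CREATES = [
    FileCreateEvent(r"C:\Windows\System32\msiexec.exe",
                    r"C:\Users\victim\AppData\Local\Temp\inst\payload.txt"),
]

if __name__ == "__main__":
    for proc, dll, reasons in find_sideload_suspects(SAMPLE_LOADS, SAMPLE_CREATES):
        print(f"{proc} loaded {dll}: {'; '.join(reasons)}")
```

Requiring two independent indicators keeps ordinary CEF-based applications (which legitimately load `libcef.dll` from their own install directory) out of the results; the lone "sits beside its loader" signal is deliberately not enough on its own.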


The DLL payload was identified as the Sainbox RAT, which contained in its .data section a rootkit driver based on the Hidden project. Embedded as a PE binary, the rootkit would be executed in certain malware configurations.

“The primary goal of the rootkit is to conceal items such as processes, files, and registry keys and values. It does so by using a mini-filter as well as kernel callbacks. It can also protect itself and specific processes, and contains a user interface that is accessed using IOCTL,” Netskope says.

The Sainbox RAT allows attackers to fetch and run additional payloads, steal information, and perform other malicious actions. The Hidden rootkit provides stealth by hiding payloads, preventing process termination, and preventing detection.

According to Netskope, the campaign appears to have been orchestrated by the China-linked Silver Fox hacking group, based on the TTPs employed, the use of fake websites and installers for popular Chinese software, and the victims targeted.

Silver Fox has been around for at least one year and some researchers believe it may be an APT masquerading as a cybercrime group.

Related: Hackers Abuse ConnectWise to Hide Malware

Related: SonicWall Warns of Trojanized NetExtender Stealing User Information

Related: Godfather Android Trojan Creates Sandbox on Infected Devices

Related: Microsoft Warns of Node.js Abuse for Malware Delivery

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
