New campaigns have been observed offering Sainbox Rat and Open-Source Hidden Rootkit, leveraging fake websites advertising popular software such as WPS Office, Sogou, and Deepseek.
The activity stems from moderate confidence in a Chinese hacking group called Silver Fox (aka Void Arachne), citing the trademark similarity with previous campaigns attributed to threat actors.
The phishing website (“wpsice(.)com”) has been known to distribute malicious MSI installers to Chinese, indicating that the campaign’s goal is to be Chinese speakers.
“The malware payload includes the Sainbox Rat, the GH0st rat variant, and the open source hidden rootkit variant,” said Leandro Fróes, researcher at Netskope Threat Labs.
This is not the first time a threatening actor has relied on this trick. In July 2024, Esentire detailed a campaign targeting Chinese-speaking Windows users using fake Google Chrome sites to provide GH0st rats.
Then, this early February, Morphisec disclosed another campaign that utilizes fake sites promoting web browsers to distribute ValleyRat (aka Winos 4.0), another version of GH0st rats.
Valleyrat was first documented by ProofPoint as part of a campaign in September 2023 that selected Chinese-speaking users on Sainbox Rat and Purple Fox.
In the latest attack wave discovered by Netskope, malicious MSI installers downloaded from the website are designed to use DLL sideload technology to launch a legitimate executable named “libcef.dll” which is a malformed dll called “libcef.dll”.
The main purpose of DLLs is to extract shellcode from a text file (“1.txt”) that resides in the installer and then finally execute another DLL payload, a remote access trojan called Sainbox.
“The .data section of the analyzed payload contains another PE binary that may be run depending on the malware configuration,” explained Froes. “Embedded files are rootkit drivers based on hidden open source projects.”
While Sainbox is equipped with the ability to download additional payloads and steal data, Hidden provides attackers with an array of stealth features to hide malware-related processes and Windows registry keys on compromised hosts.
“Using variations of commodity rats, such as GH0st rats, open source kernel rootkits such as Hidden provide attacker control and stealth without the need for much custom development,” says Netskope.
