Chinese Cyber Group Silver Fox Employs Fake Websites to Deploy Sainbox RAT and Hidden Rootkit

The Chinese state-sponsored hacking group Silver Fox, also tracked as Void Arachne, has been observed using counterfeit websites to distribute malware to Chinese-speaking users. The campaign delivers the Sainbox Remote Access Trojan (RAT) and the Hidden rootkit through pages that impersonate legitimate software vendors.

Deceptive Tactics and Malware Deployment

The attackers have set up fraudulent websites that closely resemble those of popular applications such as WPS Office, Sogou, and DeepSeek. For instance, the fake domain wpsice[.]com has served malicious MSI installers with Chinese-language text, which points to Chinese-speaking users as the intended targets. When a victim runs one of these installers, it launches a legitimate executable, shine.exe, which in turn loads a malicious DLL, libcef.dll, via DLL side-loading: the executable resolves the library by name and picks up the attacker's copy placed alongside it instead of the genuine one. The chain ends with the execution of Sainbox RAT, a variant of the well-known Gh0st RAT, giving the attackers remote control of the compromised system.
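The side-loading chain above (a legitimate signed executable loading an attacker-supplied DLL of a well-known name from its own directory) leaves a characteristic trace in image-load telemetry. The following is an added example, not code from the article or from any vendor product: it evaluates constructed records shaped like Sysmon Event ID 7 (ImageLoaded) fields and flags loads of a watchlisted module name that combine several weak signals (unexpected location, user-writable path, same directory as the loader, no signature). The watchlist entry for libcef.dll, its expected install root, and the sample paths are assumptions chosen for illustration.

```python
"""Flag DLL side-loading candidates in image-load telemetry.

Added example (not from the article). The records below are constructed to
resemble Sysmon Event ID 7 fields; the watchlist, expected install root and
user-writable roots are assumptions for this illustration.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Constructed telemetry: loading process, loaded module and signer status.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\victim\AppData\Local\Temp\MSI1234\shine.exe",
     "ImageLoaded": r"C:\Users\victim\AppData\Local\Temp\MSI1234\libcef.dll",
     "Signed": "false", "Signature": ""},
    {"Image": r"C:\Program Files\Example Browser\browser.exe",
     "ImageLoaded": r"C:\Program Files\Example Browser\libcef.dll",
     "Signed": "true", "Signature": "Example Browser Vendor"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Signature": "Microsoft Windows"},
]

# Module names commonly abused for side-loading, mapped to the directory trees
# where a legitimate copy is expected (assumption for this example).
WATCHLIST = {
    "libcef.dll": [r"C:\Program Files"],
}

# Roots writable by an unprivileged user, where a dropped loader/DLL pair
# typically sits after an installer runs.
USER_WRITABLE_ROOTS = [r"C:\Users", r"C:\ProgramData"]


@dataclass
class Finding:
    process: str
    module: str
    reasons: list


def _under(path, root):
    """True if `path` lies inside the directory tree rooted at `root`."""
    try:
        PureWindowsPath(path).relative_to(PureWindowsPath(root))
        return True
    except ValueError:
        return False


def evaluate(event):
    """Return a Finding when the load looks like side-loading, else None.

    Each signal alone is common in benign software (many apps load their own
    DLLs from their install directory), so at least two must coincide.
    """
    proc = PureWindowsPath(event["Image"])
    mod = PureWindowsPath(event["ImageLoaded"])
    name = mod.name.lower()
    if name not in WATCHLIST:
        return None
    reasons = []
    if not any(_under(str(mod), root) for root in WATCHLIST[name]):
        reasons.append("module outside expected install location")
    if mod.parent == proc.parent:
        reasons.append("module loaded from the executable's own directory")
    if any(_under(str(mod), root) for root in USER_WRITABLE_ROOTS):
        reasons.append("module in user-writable path")
    if event.get("Signed", "false").lower() != "true":
        reasons.append("module unsigned")
    if len(reasons) >= 2:
        return Finding(str(proc), str(mod), reasons)
    return None


def scan(events):
    """Evaluate every record and keep only the findings."""
    return [f for f in map(evaluate, events) if f is not None]


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.process, "->", f.module, ";", "; ".join(f.reasons))
```

On the sample data only the Temp-directory load of libcef.dll by shine.exe is reported; the browser that loads its own signed libcef.dll from Program Files trips a single signal and stays quiet. In production the watchlist would be much longer and the signals would be joined with the process's own signer and parent-process fields, but the two-signal rule is what keeps the alert volume tolerable.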

Rootkit Integration for Stealth

In addition to the RAT, the malware package includes a rootkit based on the open-source project Hidden. This rootkit is embedded within the payload and can be executed depending on the malware’s configuration. Its primary function is to conceal malicious processes and Windows Registry keys, thereby enhancing the stealth capabilities of the attack and making detection and removal more challenging.

Historical Context and Attribution

Silver Fox has a history of employing similar tactics. In July 2024, the group targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT. Then, in February 2025, it used bogus sites advertising the same browser to distribute ValleyRAT (also known as Winos 4.0), another Gh0st RAT variant. This consistent tradecraft has led researchers to attribute the current campaign to Silver Fox with medium confidence.

Implications and Recommendations

Building on commodity RATs like Gh0st RAT and open-source kernel rootkits such as Hidden lets the attackers maintain control and stealth without extensive custom development. It also means the malware families themselves are poor attribution evidence, which is why the link to Silver Fox rests on tradecraft rather than on code, and why defenders should key detections on delivery and execution behaviour rather than on a single sample.

To mitigate such risks, it is crucial to:

– Verify Software Sources: Always download software from official and reputable sources.

– Implement Robust Security Measures: Utilize advanced threat detection systems capable of identifying and blocking malicious activities.

– Educate Users: Conduct regular training sessions to raise awareness about phishing tactics and the importance of scrutinizing download sources.

– Regularly Update Systems: Ensure that all software and systems are up-to-date with the latest security patches to prevent exploitation of known vulnerabilities.
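The first recommendation, verifying software sources, can be backed by a simple control on the network side: download traffic for installer files from domains that imitate a software vendor's name but are not the vendor's own. The following is an added example, not code from the article: it scans constructed proxy log lines for hosts that either contain a brand token or sit within a small edit distance of an allowlisted label, and marks hits that fetched an .msi or .exe. The allowlisted domains are placeholders (wps.example and so on), not a claim about the vendors' real domains; wpsice.com is the fake domain the article names, and the remaining log entries are constructed.

```python
"""Lookalike-domain check over proxy logs for installer downloads.

Added example (not from the article). The allowlist uses placeholder domains
and the log lines are constructed; wpsice.com is the fake domain the article
reports, the other hosts are invented for illustration.
"""
from urllib.parse import urlparse

# Brand token -> domains the vendor actually uses (placeholders here).
BRAND_ALLOWLIST = {
    "wps": {"wps.example"},
    "sogou": {"sogou.example"},
    "deepseek": {"deepseek.example"},
}
ALL_ALLOWED = set().union(*BRAND_ALLOWLIST.values())
INSTALLER_EXTS = (".msi", ".exe")
NEAR_MISS_DISTANCE = 2

# Constructed proxy log: timestamp, client IP, method, URL, HTTP status.
PROXY_LOG = """\
2025-06-26T10:00:01Z 10.0.0.5 GET http://wpsice.com/WPS_Setup.msi 200
2025-06-26T10:00:09Z 10.0.0.5 GET https://wps.example/download/installer.msi 200
2025-06-26T10:01:30Z 10.0.0.7 GET https://sogou-update.com/sogou_setup.exe 200
2025-06-26T10:02:11Z 10.0.0.9 GET https://news.example/story.html 200
"""


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registered_domain(host):
    """Collapse a hostname to its last two labels (no public-suffix list here)."""
    parts = host.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def classify_host(host):
    """Return (brand, reason) when `host` imitates an allowlisted brand, else None."""
    dom = registered_domain(host)
    if dom in ALL_ALLOWED:
        return None
    label = dom.split(".")[0]
    for brand, allowed in BRAND_ALLOWLIST.items():
        # A brand name embedded in an unrelated registered domain (wpsice, sogou-update).
        if brand in label:
            return brand, "brand token in non-allowlisted domain"
        # A typosquat one or two edits away from the real label.
        if min(levenshtein(label, a.split(".")[0]) for a in allowed) <= NEAR_MISS_DISTANCE:
            return brand, "near-miss of allowlisted label"
    return None


def scan_log(text):
    """Parse log lines and report requests to lookalike hosts."""
    findings = []
    for line in text.splitlines():
        _ts, client, _method, url, _status = line.split()
        parsed = urlparse(url)
        host = parsed.hostname or ""
        hit = classify_host(host)
        if hit is None:
            continue
        brand, reason = hit
        findings.append({
            "client": client,
            "host": host,
            "brand": brand,
            "reason": reason,
            "installer_download": parsed.path.lower().endswith(INSTALLER_EXTS),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(PROXY_LOG):
        print(f)
```

The substring test is deliberately loose and will produce some noise on unrelated domains that happen to contain a short brand token; in practice it is paired with a proper public-suffix list and a certificate-transparency or newly-registered-domain feed, and the installer_download flag is what raises a hit to an alert rather than a log entry.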

By adopting these practices, individuals and organizations can enhance their defenses against sophisticated cyber threats like those posed by Silver Fox.