Chinese Hackers Deploy RAT and Rootkit Against Domestic Users

Fake software installers distributed through Chinese-language websites are infecting users with a remote access trojan (RAT) and a rootkit, according to a report by Netskope. 

These installers impersonate popular programs like WPS Office, Sogou, and DeepSeek. Once downloaded, they deploy a variant of Gh0stRAT known as Sainbox RAT, along with the open-source Hidden rootkit, which is likely used to maintain stealthy access to compromised systems. 

Netskope observed that the malicious sites closely mimic the official pages of trusted software. However, the download links lead to different URLs, serving MSI files or a PE installer that begins the infection process. 

When executed, the MSI files launch a legitimate file named "Shine.exe" that sideloads a malicious DLL while also initiating the real software installer to conceal malicious activity. A text file containing shellcode and a malware payload is also dropped during execution. 

The malicious DLL, disguised as a version of the Chromium Embedded Framework’s libcef library, is triggered through a function in Shine.exe. This function sets up persistence, loads the text file contents into memory, and redirects execution to the embedded shellcode. 

Using techniques from the open-source tool sRDI, the shellcode reflectively loads a second DLL into memory and calls two functions, one of which activates the malware. 

The loaded DLL is the Sainbox RAT, which includes a rootkit driver stored in its data section. The rootkit, based on the Hidden project and embedded as a PE binary, is triggered under certain conditions. 

According to Netskope, the rootkit’s main purpose is to hide processes, files, and registry entries. It achieves this using a mini-filter driver and kernel callbacks. It also protects itself and specified processes, and exposes a control interface to user-mode components through IOCTL commands. 

Sainbox RAT gives attackers the ability to download additional payloads, exfiltrate information, and perform various other unauthorized actions. The Hidden rootkit adds stealth by hiding the malicious components, blocking termination of protected processes, and hindering detection. 

Based on tactics, techniques, and procedures observed in the campaign, along with the use of fake sites and Chinese-language software installers, Netskope attributes the operation to the China-linked Silver Fox group. The group has been active for at least a year and may be an advanced persistent threat group posing as a cybercrime operation. 
