
Phishing page example | Image: Netskope
Netskope Threat Labs has uncovered a stealthy malware campaign that leverages fake software installers to deploy a dangerous combo: the Sainbox Remote Access Trojan (RAT)—a variant of Gh0stRAT—and an open-source-based Hidden rootkit. These malicious packages were disguised as popular applications like WPS Office, Sogou, and DeepSeek, and delivered via phishing websites crafted to mimic official download portals.
Victims are lured through phishing pages entirely in Chinese, a clue that the campaign is targeting Chinese-speaking users. The malware arrives in the form of MSI files, which launch seemingly legitimate installers. Behind the scenes, they execute a file named Shine.exe, which side-loads a malicious libcef.dll file to initiate infection.
“All the MSI files analyzed contained pretty much the same behavior… execution of a legitimate file named Shine.exe, used to side-load a malicious DLL libcef.dll,” the report explains.
The DLL is a fake version of a legitimate Chromium Embedded Framework (CEF) component, and its job is to establish persistence via the Windows registry, read a shellcode-packed file (1.txt), and load the embedded malware payload into memory.
The shellcode extracted from 1.txt uses the sRDI (Shellcode Reflective DLL Injection) technique; the embedded DLL has its standard “MZ” DOS header removed, which hampers forensic tools that rely on that signature to find PE images in memory. The injected payload is the Sainbox RAT, whose exported function Shellex initiates command-and-control operations.
“The RAT provides the attacker full control of the victim’s machine, allowing them to download and execute other payloads, steal sensitive data, and more.”
What makes this campaign particularly dangerous is the addition of a rootkit driver embedded in the .data section of the Sainbox payload. Based on the open-source Hidden project, this rootkit:
- Conceals files, registry keys, and processes
- Protects malware from termination
- Offers control via IOCTL commands
The malware creates a Windows service named “Sainbox”, then loads the rootkit with NtLoadDriver—an indicator of low-level system access rarely seen in commodity malware.
“The rootkit uses a mini-filter as well as kernel callbacks… and contains a user interface that is accessed using IOCTL.”
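The infection chain described above leaves three host-level observables a defender can key on: a process named Shine.exe loading a libcef.dll from outside a trusted install directory, a registry autorun entry pointing back at that installer, and a new kernel-driver service named Sainbox. The script below is an added example, not code from Netskope's report or from the Hidden project; it triages constructed Sysmon-style events. The field names (EventType, Image, ImageLoaded, Signed, TargetObject, Details, ServiceName, ServiceType, ImagePath), the trusted-directory list, the use of a Run key for persistence (the article says only "Windows registry"), and the driver file name are all assumptions.

```python
"""Triage constructed endpoint telemetry for the Shine.exe / libcef.dll
side-load, registry persistence, and the Sainbox driver service.

Added example, not from the Netskope report. Event shapes and field names
are assumptions modelled on common Sysmon / Windows System log fields.
"""
from __future__ import annotations

from dataclasses import dataclass

# Names taken from the article; everything else in this file is constructed.
SIDELOAD_HOST = "shine.exe"
SIDELOAD_DLL = "libcef.dll"
SUSPECT_SERVICE = "sainbox"

# Where a legitimately installed CEF runtime or driver is expected to live (assumption).
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


@dataclass
class Finding:
    rule: str
    detail: str


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_DIRS)


def check_image_load(ev: dict) -> Finding | None:
    """Sysmon EID 7 style: flag Shine.exe loading an unsigned or oddly placed libcef.dll."""
    proc = basename(ev.get("Image", ""))
    dll_path = ev.get("ImageLoaded", "").lower()
    if proc == SIDELOAD_HOST and basename(dll_path) == SIDELOAD_DLL:
        signed = ev.get("Signed", "false").lower() == "true"
        if not signed or not in_trusted_dir(dll_path):
            return Finding("sideload", f"{proc} loaded {dll_path} (signed={signed})")
    return None


def check_registry(ev: dict) -> Finding | None:
    """Sysmon EID 13 style: autorun value whose data references the side-load host."""
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").lower()
    if "\\currentversion\\run" in target and SIDELOAD_HOST in details:
        return Finding("persistence", f"autorun {target} -> {details}")
    return None


def check_service(ev: dict) -> Finding | None:
    """System log 7045 style: the Sainbox service, or any kernel driver outside trusted dirs."""
    name = ev.get("ServiceName", "").lower()
    stype = ev.get("ServiceType", "").lower()
    image = ev.get("ImagePath", "").lower()
    if name == SUSPECT_SERVICE or ("kernel" in stype and not in_trusted_dir(image)):
        return Finding("driver-service", f"service {name} type={stype} image={image}")
    return None


CHECKS = {"ImageLoad": check_image_load, "RegistrySet": check_registry, "ServiceInstall": check_service}


def triage(events: list[dict]) -> list[Finding]:
    """Run the matching check for each event and collect findings in input order."""
    findings: list[Finding] = []
    for ev in events:
        check = CHECKS.get(ev.get("EventType", ""))
        if check is not None:
            hit = check(ev)
            if hit is not None:
                findings.append(hit)
    return findings


# Constructed sample events: three malicious, two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventType": "ImageLoad", "Image": "C:\\Users\\victim\\AppData\\Local\\Temp\\WPSSetup\\Shine.exe",
     "ImageLoaded": "C:\\Users\\victim\\AppData\\Local\\Temp\\WPSSetup\\libcef.dll", "Signed": "false"},
    {"EventType": "ImageLoad", "Image": "C:\\Program Files\\SomeApp\\Shine.exe",
     "ImageLoaded": "C:\\Program Files\\SomeApp\\libcef.dll", "Signed": "true"},
    {"EventType": "RegistrySet",
     "TargetObject": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\WPS",
     "Details": "C:\\Users\\victim\\AppData\\Local\\Temp\\WPSSetup\\Shine.exe"},
    {"EventType": "ServiceInstall", "ServiceName": "Sainbox", "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Users\\victim\\AppData\\Local\\Temp\\placeholder_driver.sys"},  # file name constructed
    {"EventType": "ServiceInstall", "ServiceName": "BenignDrv", "ServiceType": "kernel mode driver",
     "ImagePath": "C:\\Windows\\System32\\drivers\\benign.sys"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.detail}")
```

The service check deliberately fires on any kernel-driver service installed from a user-writable path, not only on the Sainbox name, since a rename is the cheapest change an operator can make; the image-load check likewise keys on the host/DLL pairing plus signature and location rather than on a file hash.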
Netskope attributes this campaign with medium confidence to the Silver Fox group, a China-based adversary. The group is known for targeting Chinese speakers using Gh0stRAT variants, phishing websites, and social engineering tactics tailored to local audiences.
While attribution in the cyber threat landscape remains fluid and complex, the TTPs observed in this campaign align with earlier Silver Fox operations.