
Chinese Hacking Group “Silver Fox” Deploys Sainbox RAT and Hidden Rootkit via Fake Software Websites: What You Need to Know

Cybercrime is evolving fast—and so are the tactics of the threat actors behind it. If you or your organization rely on popular software like WPS Office, Sogou, or DeepSeek, there’s a new threat you need to be aware of. Meet “Silver Fox,” a Chinese hacking group that’s turning fake websites into powerful weapons, delivering stealthy malware like Sainbox RAT and the Hidden rootkit straight onto unsuspecting users’ machines.

But what exactly is going on, and why should you care—even if you’re not the direct target? Let’s dive into the details, so you can better protect yourself, your team, and your data.


The Anatomy of the Attack: How Silver Fox Tricks Users

Imagine you’re a Chinese-speaking user searching for WPS Office, a popular office suite. You find what looks like an official website—only it’s a cleverly crafted fake (like “wpsice[.]com”). You download what appears to be a legitimate MSI installer. Little do you know, you’ve just opened a door to advanced malware.

The Fake Website Ruse

Silver Fox’s playbook hinges on believable phishing websites that masquerade as trusted software vendors. These sites, often in Chinese, are designed to lure users who are simply looking to download familiar programs.

  • Targeted Language: The installers and websites are in Chinese, signaling that Silver Fox is after Chinese-speaking users.
  • Popular Software Fakes: WPS Office, Sogou, DeepSeek, and even browsers like Chrome have all been impersonated.

Here’s why that matters: Even the most tech-savvy users can be duped if a site looks authentic enough. This isn’t just about careless clicking—it’s about increasingly sophisticated social engineering.


What Happens Once You Click “Download”?

Let’s break down the technical attack chain in plain language.

The Malware Delivery Process

  1. User downloads a booby-trapped MSI installer from the fake site.
  2. This installer launches a real executable (“shine.exe”)—so nothing seems amiss.
  3. But in the background, a rogue DLL file (“libcef.dll”) is loaded using a trick called DLL side-loading: the legitimate program looks for a DLL by name and loads the attacker’s copy placed beside it, so the malicious code runs under the cover of a trusted process. Think of this as sneaking a fake ID past a bouncer by attaching it to a real passport.
  4. The rogue DLL extracts hidden shellcode from a file (“1.txt”) included with the installer.
  5. This shellcode deploys the true payload: the Sainbox RAT (Remote Access Trojan).
  6. Embedded within the payload is an additional surprise—a stealthy rootkit based on the open-source project Hidden.

So, one simple download can lead to a layered, persistent compromise. And because the malware uses legitimate files in its launch process, traditional antivirus tools may not catch it.
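Added example (not from the article or from any vendor report): a heuristic that flags the side-loading step above, run over constructed image-load records shaped like Sysmon Event ID 7 (Image, ImageLoaded, Signed, SignatureStatus). The sample paths and the trusted install roots are assumptions for illustration.

```python
import ntpath

# Constructed sample events: shine.exe loading libcef.dll from the same
# user-writable folder (the pattern the article describes), plus two benign loads.
SAMPLE_EVENTS = [
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wps_setup\\shine.exe",
     "ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\wps_setup\\libcef.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\wps_setup\\shine.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"Image": "C:\\Program Files\\SomeVendor\\App\\app.exe",
     "ImageLoaded": "C:\\Program Files\\SomeVendor\\App\\libcef.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
]

# Assumed install roots where vendors legitimately ship DLLs beside their EXEs.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")


def is_suspicious_sideload(event):
    """True when a DLL is loaded from the loading EXE's own directory, is not
    validly signed, and that directory lies outside the trusted install roots."""
    exe_dir = ntpath.dirname(event["Image"]).lower()
    dll = event["ImageLoaded"]
    if not dll.lower().endswith(".dll"):
        return False
    same_dir = ntpath.dirname(dll).lower() == exe_dir
    unsigned = (event.get("Signed", "false").lower() != "true"
                or event.get("SignatureStatus", "").lower() != "valid")
    in_trusted_root = (exe_dir + "\\").startswith(TRUSTED_ROOTS)
    return same_dir and unsigned and not in_trusted_root


def find_sideloads(events):
    """Return (exe, dll) pairs matching the side-loading heuristic."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_suspicious_sideload(e)]


if __name__ == "__main__":
    for exe, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-loading: {exe} loaded {dll}")
```

Signed vendor DLLs shipped beside an EXE under Program Files are deliberately excluded, so the heuristic surfaces unsigned loads from temp and download folders rather than every same-directory load.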


Deep Dive: Sainbox RAT and Hidden Rootkit Explained

Wondering what makes these particular malware tools dangerous? Let’s demystify them.

Sainbox RAT: The Spy in Your System

  • RAT stands for Remote Access Trojan, a tool that lets attackers control your computer from afar.
  • Sainbox is a variant of the notorious Gh0st RAT, designed to:
      • Steal data
      • Download and run more malware
      • Monitor user activity

This means attackers can quietly exfiltrate sensitive information or use your machine as a launchpad for further attacks.

Hidden Rootkit: The Invisible Cloak

  • A rootkit is like an invisibility cloak for malware, making it almost impossible to spot.
  • Hidden is an open-source rootkit project, adapted here for stealth on Windows systems.
  • It hides malware files, processes, and even registry keys, helping attackers evade detection for months.

Here’s the kicker: These tools are available “off the shelf,” so attackers don’t need to build everything from scratch—making sophisticated threats more accessible to even less technical cybercriminals.


Silver Fox’s Track Record: Not Their First Rodeo

If you’re thinking, “Haven’t I heard of attacks like this before?”—you’re right.

  • July 2024: Silver Fox used fake Chrome download sites to push Gh0st RAT.
  • February 2024: Another campaign impersonated a web browser to deliver ValleyRAT (another Gh0st RAT variant).
  • September 2023: ValleyRAT and Sainbox RAT were served up to Chinese users alongside Purple Fox malware.

Each wave leverages the same basic formula: fake site + familiar software + sneaky malware. The consistency and evolution of these tactics are a warning sign that Silver Fox isn’t going away anytime soon.


Why Should You Care? The Bigger Picture

It’s tempting to dismiss this as a “foreign problem” or something that only affects Chinese speakers. But these tactics—and the software supply chain weaknesses they exploit—are global.

  • Attackers can easily adapt these methods for other languages or regions.
  • Commodity RATs and open-source rootkits lower the bar for cybercrime everywhere.
  • Fake websites targeting popular software are a favorite trick worldwide.

Here’s what this means for you: Anyone can be a target, and everyone should be vigilant.


Protecting Yourself: Practical Steps

So, how can you stay safe?

  1. Only download software from verified, official websites.
  2. Double-check URLs for subtle misspellings or odd domain names.
  3. Use multi-layered security software that detects unusual behavior—not just known threats.
  4. Stay updated on the latest phishing and malware trends (like this one!).
  5. Train your team: Social engineering is often the weakest link.

Remember: A few seconds of caution can save hours (or months) of cleanup.
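Added example (not from the article): a small pre-download check that turns steps 1 and 2 above into code, classifying a URL as official, lookalike, or unknown by comparing its domain against a brand allowlist. The allowlist and the last-two-labels domain rule are simplifying assumptions; the “wpsice[.]com” sample comes from the article.

```python
from urllib.parse import urlsplit

# Assumed allowlist of official registrable domains per brand, constructed for
# illustration; an organisation would maintain its own list.
OFFICIAL_DOMAINS = {
    "wps": {"wps.com", "wps.cn"},
    "sogou": {"sogou.com"},
    "deepseek": {"deepseek.com"},
}


def refang(text):
    """Undo the common defanging used in reports (hxxp, [.]) so URLs parse."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host):
    """Assumption: last two labels form the registrable domain (a public-suffix
    list would be more accurate for TLDs such as .com.cn)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_download_url(url):
    """Return 'official', 'lookalike', or 'unknown' for a download URL."""
    host = (urlsplit(refang(url)).hostname or "").lower()
    domain = registrable_domain(host)
    brand_in_host = host.replace("-", "").replace("_", "")
    for brand, domains in OFFICIAL_DOMAINS.items():
        if domain in domains:
            return "official"
        if brand in brand_in_host:
            # Brand name present but not one of its real domains: typosquat-style.
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("hxxp://wpsice[.]com/download/wps.msi", "https://www.wps.com/"):
        print(u, "->", classify_download_url(u))
```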


FAQ: People Also Ask

Q1: What is Sainbox RAT and why is it dangerous?
A: Sainbox RAT is a remote access trojan (RAT) that allows attackers to control infected machines, steal sensitive data, and deliver additional malware. Its stealthy nature makes it hard to detect and remove.

Q2: How can I recognize fake software websites?
A: Look for small inconsistencies in URLs, spelling errors, poor design, or unusual installer behavior. Always cross-verify with the official vendor’s site.

Q3: What is DLL side-loading, and how does it help malware?
A: DLL side-loading is when malicious code is loaded by a trusted executable through a rogue DLL. It helps malware blend in and evade traditional security tools.

Q4: Can open-source malware like Hidden rootkit be used outside China?
A: Absolutely. Open-source tools can be leveraged by attackers anywhere, making these threats a global concern.

Q5: How do I remove malware like Sainbox RAT and Hidden rootkit?
A: Removal can be complex—rootkits especially are designed to hide. Use reputable security software, and consider consulting an IT professional for deep cleaning.


Final Takeaway: Stay Smart, Stay Skeptical

Silver Fox’s latest campaign is a stark reminder: cybercriminals are constantly refining their tactics, and anyone can fall victim to convincing fakes. By staying informed, verifying downloads, and fostering a culture of cybersecurity awareness, you put yourself several steps ahead.

If you found this guide helpful, consider subscribing for more deep-dives into today’s most pressing cyber threats—or explore our related articles to keep your digital life secure. Stay safe out there!

Discover more at InnoVirtuoso.com
