Ethical Hacking News
Chinese hackers are using fake websites to deliver Sainbox RAT and Hidden rootkit malware to Chinese-speaking users, highlighting the need for increased cybersecurity awareness and protection measures.
Chinese hackers affiliated with the threat actor Silver Fox have been using fake websites to deliver malware and rootkits. The fake websites, which appeared to be legitimate software download sites, distributed malicious MSI installers in Chinese. The malware payloads included a variant of Sainbox RAT and a variant of the Hidden rootkit. DLL side-loading was used to execute the malicious payloads, allowing for stealthy execution on compromised hosts. This is not the first time Silver Fox has resorted to this modus operandi; similar campaigns have targeted Chinese-speaking users in previous months.
In a recent and concerning development, Chinese hackers affiliated with the threat actor known as Silver Fox have been observed using fake websites to deliver malware and rootkits to unsuspecting targets. This latest campaign, which has been attributed to Silver Fox with medium confidence, is just one of several recent instances where this hacking group has resorted to this modus operandi.
The campaign in question involved the creation of fake websites that appeared to be legitimate software download sites, such as WPS Office and Sogou. These websites were found to distribute malicious MSI installers in the Chinese language, indicating that the primary target audience for this campaign was likely Chinese-speaking users. The malicious payloads included a variant of the Sainbox RAT (a type of remote access trojan) and a variant of the open-source Hidden rootkit.
According to Netskope Threat Labs researcher Leandro Fróes, the malware payloads distributed by the fake websites were designed to launch a legitimate executable named "shine.exe," which sideloads a rogue DLL "libcef.dll" using DLL side-loading techniques. The primary objective of the DLL was to extract shellcode from a text file ("1.txt") present in the installer and then run it, ultimately resulting in the execution of another DLL payload, a remote access trojan called Sainbox.
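One defender-side check for the side-loading chain described above, as an added example that is not code from Netskope or the original report: it scans Sysmon-style ImageLoad (Event ID 7) records and flags an unsigned DLL loaded from the loading executable's own directory when that directory is outside the usual trusted program locations. The field names follow Sysmon; the pipe-delimited layout and the sample events (including the shine.exe / libcef.dll pair from the article) are constructed for this example.

```python
import ntpath
import re

# Constructed Sysmon-style ImageLoad records, not real telemetry.
# Field names (Image, ImageLoaded, Signed) follow Sysmon; the layout is ours.
SAMPLE_EVENTS = [
    "Image: C:\\Users\\bob\\AppData\\Local\\Temp\\WPS\\shine.exe | "
    "ImageLoaded: C:\\Users\\bob\\AppData\\Local\\Temp\\WPS\\libcef.dll | Signed: false",
    "Image: C:\\Program Files\\Foo\\app.exe | "
    "ImageLoaded: C:\\Program Files\\Foo\\libcef.dll | Signed: true",
    "Image: C:\\Windows\\explorer.exe | "
    "ImageLoaded: C:\\Windows\\System32\\ntdll.dll | Signed: true",
]

# Directories where a legitimately installed program would normally keep its DLLs.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
FIELD_RE = re.compile(r"(\w+): ([^|]+?)(?: \||$)")


def parse_event(line):
    """Turn one record into a dict keyed by lowercased Sysmon field name."""
    return {k.lower(): v.strip() for k, v in FIELD_RE.findall(line)}


def is_sideload_candidate(ev):
    """Heuristic: unsigned DLL loaded from the loader's own directory, outside trusted paths."""
    exe_dir = ntpath.dirname(ev["image"]).lower()
    dll_dir = ntpath.dirname(ev["imageloaded"]).lower()
    same_dir = exe_dir == dll_dir
    untrusted = not dll_dir.startswith(TRUSTED_PREFIXES)
    unsigned = ev.get("signed", "true").lower() == "false"
    return same_dir and untrusted and unsigned


def find_sideloads(lines):
    """Return (loader, dll) basename pairs that match the side-loading pattern."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if "image" in ev and "imageloaded" in ev and is_sideload_candidate(ev):
            hits.append((ntpath.basename(ev["image"]), ntpath.basename(ev["imageloaded"])))
    return hits


if __name__ == "__main__":
    for exe, dll in find_sideloads(SAMPLE_EVENTS):
        print(f"possible DLL side-load: {exe} loaded unsigned {dll} from its own directory")
```

The heuristic is deliberately narrow; in production you would also compare the loaded DLL's hash against the vendor's known-good copy and correlate with a newly written text file in the same directory.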
The DLL's payload also contained a rootkit driver based on the open-source project Hidden. This rootkit offered attackers an array of stealthy features to hide malware-related processes and Windows Registry keys on compromised hosts. The use of variants of commodity RATs (such as Gh0st RAT) and open-source kernel rootkits like Hidden gave the attackers control and stealth without requiring a lot of custom development.
This is not the first time that Silver Fox has resorted to this modus operandi. In July 2024, eSentire detailed a campaign that targeted Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT. Earlier in February, Morphisec disclosed another campaign that also leveraged bogus sites advertising the web browser that distributed ValleyRAT (aka Winos 4.0), a different version of Gh0st RAT.
The use of fake websites to deliver malware and rootkits is becoming increasingly prevalent among cyber threat actors, likely because these attacks are relatively easy to execute and highly effective, relying on social engineering tactics such as phishing. By creating fake websites that appear to be legitimate software download sites, Silver Fox has been able to trick users into downloading malware without raising suspicion.
The increasing use of fake websites to deliver malware and rootkits is a concerning trend in the world of cybersecurity. As cyber threats continue to evolve and become more sophisticated, it is essential for individuals and organizations to remain vigilant and take steps to protect themselves from these types of attacks.
In particular, it is essential to be aware of the tactics that Silver Fox has used in this campaign, including the use of fake websites and DLL side-loading techniques. By being aware of these tactics and taking steps to prevent them, individuals and organizations can significantly reduce their risk of falling victim to these types of attacks.
Furthermore, it is also important for individuals and organizations to keep up-to-date with the latest cybersecurity news and trends, as new threats are emerging all the time. This includes staying informed about the activities of threat actors such as Silver Fox and being aware of the tactics that they use.
In conclusion, by understanding the tactics used by Silver Fox and taking steps to protect ourselves from these types of attacks, we can significantly reduce our risk of falling victim to these threats.
Related Information:
https://www.ethicalhackingnews.com/articles/Cybersecurity-Threat-Landscape-The-Increasing-Use-of-Fake-Websites-to-Deliver-Malware-and-Rootkits-ehn.shtml
https://thehackernews.com/2025/06/chinese-group-silver-fox-uses-fake.html
Published: Fri Jun 27 07:13:32 2025 by llama3.2 3B Q4_K_M