Threat Actors Impersonate WPS Office and DeepSeek to Spread Sainbox RAT

A malicious campaign has emerged, targeting Chinese-speaking users through fake installers of popular software such as WPS Office, Sogou, and DeepSeek.

This operation, attributed with medium confidence to the China-based adversary group Silver Fox, leverages phishing websites that mimic legitimate software portals to distribute malware payloads, primarily in the form of MSI files.

Phishing page example

Sophisticated Phishing Campaign

These deceptive installers not only install the genuine software to maintain an illusion of legitimacy but also deploy the Sainbox RAT, a variant of the infamous Gh0stRAT, together with a modified version of the open-source Hidden rootkit, enabling attackers to gain stealthy, persistent control over compromised systems.

The infection begins when unsuspecting users visit counterfeit websites designed to resemble official pages for widely used Chinese software.

Upon clicking the download button, victims are redirected to a malicious URL that delivers a fake installer.

Fake installer files

Netskope’s analysis reveals that most of these installers are MSI files, with the WPS Office variant being a PE executable.

Focusing on the MSI files, the execution process involves running a legitimate binary named “Shine.exe,” which side-loads a malicious DLL called “libcef.dll,” a counterfeit version of the Chromium Embedded Framework library. Simultaneously, the genuine installer proceeds normally to avoid suspicion.

Technical Breakdown of the Infection Chain

During this process, a file named “1.txt” is dropped, containing shellcode and a malware payload.

When Shine.exe calls the “cef_api_hash” function in the malicious DLL, it sets up persistence by adding itself to the Windows registry Run key under the name “Management.”

It then reads the contents of “1.txt” into memory and redirects control to the shellcode, a 0xc04-byte segment based on the open-source sRDI tool for reflective DLL injection.

This shellcode loads a hidden DLL named “Install.dll” from within 1.txt, invoking its exported function “Shellex” to initiate the main malicious activity.

Further examination by Netskope identified the DLL payload as Sainbox RAT, which embeds another PE binary in its .data section: a rootkit driver derived from the Hidden project.

This rootkit, installed as a service named “Sainbox” via the NtLoadDriver function, employs mini-filters and kernel callbacks to hide processes, files, and registry entries, while also protecting itself and associated processes from termination.
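The chain above leaves a few host-level traces a defender can key on: Shine.exe side-loading libcef.dll from a user-writable directory, the drop of 1.txt, the Run value named “Management,” and a driver service named “Sainbox.” The following Python is an added example (not code from the Netskope report) that runs that detection logic over constructed Sysmon-style events; every file path and SID in the sample data is an assumption made up for the example.

```python
import re

# Constructed Sysmon-style events (not taken from the Netskope report). Only the names
# Shine.exe, libcef.dll, 1.txt, the Run value "Management" and the service "Sainbox"
# come from the article; every path and SID below is made up for the example.
SAMPLE_EVENTS = [
    {"id": 11, "Image": r"C:\Users\u\AppData\Local\Temp\MSIA1B2\Shine.exe",
     "TargetFilename": r"C:\Users\u\AppData\Local\Temp\MSIA1B2\1.txt"},
    {"id": 7, "Image": r"C:\Users\u\AppData\Local\Temp\MSIA1B2\Shine.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\MSIA1B2\libcef.dll"},
    {"id": 13, "Image": r"C:\Users\u\AppData\Local\Temp\MSIA1B2\Shine.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Management",
     "Details": r"C:\Users\u\AppData\Local\Temp\MSIA1B2\Shine.exe"},
    {"id": 13, "Image": r"C:\Users\u\AppData\Local\Temp\MSIA1B2\Shine.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\Sainbox\ImagePath",
     "Details": r"\??\C:\Users\u\AppData\Local\Temp\MSIA1B2\drv.sys"},
    # Benign control: a legitimate CEF-based app loading libcef.dll from Program Files.
    {"id": 7, "Image": r"C:\Program Files\SomeApp\SomeApp.exe",
     "ImageLoaded": r"C:\Program Files\SomeApp\libcef.dll"},
]

# Directories a standard user can write to; a CEF library loaded from here is suspicious.
USER_WRITABLE = re.compile(r"^C:\\(Users\\[^\\]+\\AppData|Windows\\Temp|ProgramData)\\", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, evidence) pairs for events matching the infection chain described above."""
    findings = []
    for e in events:
        eid, image = e.get("id"), e.get("Image", "")
        if eid == 7 and basename(e["ImageLoaded"]) == "libcef.dll":
            # Image load: libcef.dll side-loaded by Shine.exe from a user-writable directory
            if basename(image) == "shine.exe" and USER_WRITABLE.match(e["ImageLoaded"]):
                findings.append(("sideload_libcef", e["ImageLoaded"]))
        elif eid == 11 and basename(e["TargetFilename"]) == "1.txt" and basename(image) == "shine.exe":
            # File create: the shellcode/payload container dropped by Shine.exe
            findings.append(("dropped_1txt", e["TargetFilename"]))
        elif eid == 13:
            # Registry value set: Run-key persistence or the driver service used with NtLoadDriver
            target = e["TargetObject"]
            if re.search(r"\\CurrentVersion\\Run\\Management$", target, re.I):
                findings.append(("run_key_management", e.get("Details", "")))
            elif re.search(r"\\Services\\Sainbox\\ImagePath$", target, re.I):
                findings.append(("service_sainbox_driver", e.get("Details", "")))
    return findings
```

The benign libcef.dll load from Program Files produces no finding, which is the point of the user-writable path check: the library name alone is not an indicator.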

This stealth mechanism ensures that the RAT can operate undetected, granting attackers full control over the victim’s machine for activities like data exfiltration and additional payload deployment.

The use of open-source tools and commodity malware like Gh0stRAT variants highlights how adversaries can achieve sophisticated attacks with minimal custom development.

Netskope Threat Labs continues to track the evolution of Sainbox RAT and Silver Fox’s tactics, techniques, and procedures, noting that the attribution is made with medium confidence because of consistent patterns in phishing infrastructure, targeting, and tooling, while acknowledging the inherent challenges of definitive adversary identification given potential false-flag operations and shared resources among threat groups.

This campaign exemplifies the growing abuse of popular software brands and AI tools as lures in cybercrime, urging users to remain vigilant and verify download sources.
