A new campaign has been observed using fake websites that advertise popular software such as WPS Office, Sogou, and DeepSeek to deliver Sainbox RAT and the open-source Hidden rootkit.
The activity has been attributed with medium confidence to the Chinese hacking group known as Silver Fox (aka Void Arachne), citing similarities in tradecraft with previous campaigns.
The phishing sites (for example, "wpsice[.]com") have been found to distribute malicious MSI installers written in Chinese, indicating that the campaign targets Chinese speakers.
"The malware payloads delivered include Sainbox RAT, a Gh0st RAT variant, and a variant of the open-source Hidden rootkit," Netskope Threat Labs researcher Leandro Fróes said.
This is not the first time the threat actor has used this approach. In July 2024, eSentire detailed a campaign targeting Chinese-speaking Windows users with fake Google Chrome sites to deliver Gh0st RAT.
Then, earlier this February, Morphisec disclosed another campaign that also used fake sites advertising the same web browser to distribute ValleyRAT (aka Winos 4.0), another Gh0st RAT variant.
ValleyRAT was first documented by Proofpoint in September 2023 as part of a campaign that also targeted Chinese-speaking users with Sainbox RAT and Purple Fox.
In the latest wave of attacks observed by Netskope, the malicious MSI installers downloaded from the websites are designed to launch a legitimate executable called "shine.exe," which loads a rogue DLL, "libcef.dll," via DLL side-loading. The host executable simply resolves the DLL by name from its own directory, so the attacker-supplied file is picked up in place of the real Chromium Embedded Framework library without any change to the legitimate binary.
The DLL's main purpose is to extract shellcode from a text file ("1.txt") shipped inside the installer and execute it, ultimately leading to the loading of another DLL payload: the remote access trojan Sainbox.
"The .data section of the analyzed sample contains another PE binary that can be executed depending on the malware's configuration," Fróes explained. "The embedded file is a rootkit driver based on the open-source Hidden project."
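A second PE image stored inside a DLL's .data section, as described above, is something an analyst wants to carve out without ever loading the host DLL. The following Python script is an added example, not code from Netskope's report or from the campaign itself: it parses the PE section table by hand (no pefile dependency), walks the .data section for an "MZ" header whose e_lfanew points at a genuine "PE\0\0" signature, and returns the embedded image's file offset, target machine, and carved bytes. The input is a constructed two-layer PE built inside the script, not the real libcef.dll; the section names, sizes, the PE32 optional-header stub, and the e_lfanew sanity bounds are assumptions made for the example.

```python
import struct

IMAGE_FILE_MACHINE = {0x14C: "i386", 0x8664: "AMD64"}


def parse_sections(data):
    """Return [(name, PointerToRawData, SizeOfRawData), ...] for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsec,) = struct.unpack_from("<H", data, e_lfanew + 6)       # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)  # SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                             # first IMAGE_SECTION_HEADER
    sections = []
    for i in range(nsec):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return sections


def find_embedded_pe(data, section_name=".data"):
    """Scan one section of a PE for embedded PE images; returns a list of hits."""
    hits = []
    for name, raw_ptr, raw_size in parse_sections(data):
        if name != section_name:
            continue
        blob = data[raw_ptr:raw_ptr + raw_size]
        pos = blob.find(b"MZ")
        while pos != -1:
            # "MZ" alone is a weak signal (two printable bytes); only report it
            # when e_lfanew lands on a real PE signature. Bounds are a heuristic.
            if pos + 0x40 <= len(blob):
                (e_lfanew,) = struct.unpack_from("<I", blob, pos + 0x3C)
                sig = pos + e_lfanew
                if 0x40 <= e_lfanew <= 0x400 and blob[sig:sig + 4] == b"PE\0\0":
                    (machine,) = struct.unpack_from("<H", blob, sig + 4)
                    inner = blob[pos:]
                    try:
                        # The embedded image ends where its last section's raw data ends.
                        end = max((p + s for _, p, s in parse_sections(inner)),
                                  default=len(inner))
                    except struct.error:       # truncated inner header: keep the rest
                        end = len(inner)
                    hits.append({
                        "offset": raw_ptr + pos,
                        "machine": IMAGE_FILE_MACHINE.get(machine, hex(machine)),
                        "image": inner[:end],
                    })
            pos = blob.find(b"MZ", pos + 1)
    return hits


def build_pe(sections, machine=0x14C):
    """Build a minimal PE32 file: constructed test input, not a real sample."""
    opt = struct.pack("<H", 0x10B) + b"\0" * 222                 # PE32 optional-header stub
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)              # e_lfanew = 64
    file_hdr = struct.pack("<HHIIIHH", machine, len(sections), 0, 0, 0, len(opt), 0x2102)
    ptr = 64 + 4 + 20 + len(opt) + 40 * len(sections)             # end of all headers
    hdrs, raw = b"", b""
    for name, body in sections:
        hdrs += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(body), ptr, len(body), ptr, 0, 0, 0, 0, 0x40000040)
        raw += body
        ptr += len(body)
    return dos + b"PE\0\0" + file_hdr + opt + hdrs + raw


# Constructed stand-in for the host DLL: an x64 image padded inside .data.
INNER_IMAGE = build_pe([(b".text", b"\xCC" * 16)], machine=0x8664)
HOST_IMAGE = build_pe([
    (b".text", b"\x90" * 32),
    (b".data", b"A" * 100 + INNER_IMAGE + b"B" * 50),
])

if __name__ == "__main__":
    for hit in find_embedded_pe(HOST_IMAGE):
        print(f"embedded PE at file offset {hit['offset']:#x}, "
              f"machine={hit['machine']}, size={len(hit['image'])}")
```

On a real sample, read the DLL's bytes in place of HOST_IMAGE and write each hit's "image" to disk; checking the carved file's imports for ntoskrnl.exe is the usual way to confirm it is a kernel driver rather than another user-mode DLL. Carving from the section table rather than from the end of the file matters because trailing padding or a second embedded blob would otherwise be swept into the output.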
While Sainbox comes with capabilities to download additional payloads and steal data, Hidden offers attackers an array of stealth features to conceal malicious processes and Windows registry keys on compromised hosts. Because Hidden is a kernel-mode driver, getting it running still leaves a driver-load event on the host, which gives defenders something to look for even when the objects it hides are invisible to user-mode tooling.
"Using variants of commodity RATs such as Gh0st RAT and open-source kernel rootkits such as Hidden gives attackers control and stealth without requiring significant custom development," Netskope said.