Saturday, December 13, 2025

Unleashing Threats – DeepSeek Installers Spread Sainbox RAT and Concealed Rootkit

A sophisticated new malware campaign has been uncovered by Netskope Threat Labs, targeting Chinese users through fake installers for popular software, including WPS Office, Sogou, and DeepSeek.

The attackers behind this operation deliver advanced threats, including the Sainbox Remote Access Trojan (RAT), a variant of Gh0stRAT, and a Hidden rootkit, disguised as genuine software.

Evidence suggests with medium confidence that the campaign is the work of the China-based Silver Fox threat group, renowned for targeting Chinese-speaking victims using consistent techniques, infrastructure, and tooling.

Technical Analysis: Delivery, Persistence, and Malicious Payload

The scheme begins on phishing websites that mimic official software providers, where victims are tricked into downloading malicious installers.

Netskope researchers observed that most installers were MSI files, with notable exceptions, such as the WPS Office download, which was a PE installer.

Once executed, these files typically run a seemingly legitimate executable named Shine.exe, which is used to sideload a malicious DLL called libcef.dll, while simultaneously installing the legitimate software, a clever ruse to avoid detection.

libcef.dll, a counterfeit version of the Chromium Embedded Framework library, executes a multi-stage attack: first, it persists by adding Shine.exe to the Windows Run registry key under “Management.”

Next, it reads shellcode and a malware payload from a file named 1.txt; once loaded into memory, the shellcode executes and reflectively loads an obfuscated DLL. This payload, Install.dll, contains the Sainbox RAT, a Gh0stRAT variant.

A secondary PE binary embedded in the RAT’s data section is the Hidden rootkit driver.

The RAT delivers complete system control to attackers, enabling data theft, executing additional payloads, and conducting surveillance.

Meanwhile, the Hidden rootkit conceals malicious activities by hiding processes, files, and registry entries, making detection difficult for defenders and endpoint security solutions.

Implications and Ongoing Research

This campaign exemplifies the trend of adversaries leveraging legitimate software brands and open-source tools to deliver sophisticated threats with limited custom development.

The use of commodity RATs and rootkits not only empowers attackers with stealthy persistence but also complicates attribution due to overlapping tactics, techniques, and procedures (TTPs) across different threat groups.

[Figure: RAT .data chunk containing the rootkit driver payload]

Netskope Threat Labs continues to monitor the evolution of the Sainbox RAT and the activities of the Silver Fox group.

Attribution remains an ongoing challenge, as adversaries frequently mask their identities or employ false-flag operations.

For security teams and end users, vigilance against phishing sites, careful verification of installer sources, and prompt analysis of Indicators of Compromise (IOCs) are essential to mitigating such threats.

Indicators of Compromise (IOCs)

  • C2 addresses
45.207.12.71
154.23.221.136
206.119.124.126
  • MSI files (MD5)
F0893BBA522061E58299C295F5838DFC
BA6A4699F59E557537BCB6463B4BA75B
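Added example, not code from the Netskope report or this article: a small Python detection pass that applies the behaviours described in the technical analysis (a Run-key value named "Management", Shine.exe loading libcef.dll) and the IOCs listed above to constructed Sysmon-style events. The field names, sample paths and sample events are assumptions made for the example.

```python
from typing import Iterable, Optional

# Indicators taken from the article's IOC list (C2 addresses, MSI MD5 hashes).
C2_ADDRESSES = {"45.207.12.71", "154.23.221.136", "206.119.124.126"}
MSI_MD5 = {"f0893bba522061e58299c295f5838dfc", "ba6a4699f59e557537bcb6463b4ba75b"}

def check_run_key(ev: dict) -> Optional[str]:
    # Registry value set (Sysmon event 13 style): Run-key value named "Management".
    target = ev.get("TargetObject", "").lower()
    if target.endswith("\\currentversion\\run\\management"):
        return f"Run-key persistence 'Management' -> {ev.get('Details')}"
    return None

def check_sideload(ev: dict) -> Optional[str]:
    # Image load (Sysmon event 7 style): Shine.exe pulling in a libcef.dll.
    image, loaded = ev.get("Image", "").lower(), ev.get("ImageLoaded", "").lower()
    if image.endswith("\\shine.exe") and loaded.endswith("\\libcef.dll"):
        return f"Possible DLL sideload: {ev['Image']} loaded {ev['ImageLoaded']}"
    return None

def check_c2(ev: dict) -> Optional[str]:
    # Network connection (Sysmon event 3 style) to a listed C2 address.
    if ev.get("DestinationIp") in C2_ADDRESSES:
        return f"C2 contact {ev['DestinationIp']} by {ev.get('Image')}"
    return None

def check_hash(ev: dict) -> Optional[str]:
    # Any event carrying a Sysmon-style "Hashes" field ("MD5=...,SHA256=...").
    for part in ev.get("Hashes", "").split(","):
        algo, _, value = part.partition("=")
        if algo.strip().upper() == "MD5" and value.lower() in MSI_MD5:
            return f"Known malicious installer MD5 {value} ({ev.get('Image')})"
    return None

CHECKS = (check_run_key, check_sideload, check_c2, check_hash)

def scan(events: Iterable[dict]) -> list:
    """Run every check over every event and return the list of findings."""
    return [hit for ev in events for chk in CHECKS if (hit := chk(ev))]

# Constructed sample telemetry (not real data) using Sysmon-like field names.
SAMPLE_EVENTS = [
    {"EventID": 13, "Details": r"C:\Users\u\AppData\Roaming\Shine.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Management"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Roaming\Shine.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\libcef.dll"},
    {"EventID": 3, "Image": r"C:\Users\u\AppData\Roaming\Shine.exe", "DestinationIp": "45.207.12.71"},
    {"EventID": 1, "Image": r"C:\Users\u\Downloads\setup.msi",
     "Hashes": "MD5=F0893BBA522061E58299C295F5838DFC,SHA256=deadbeef"},
    {"EventID": 3, "Image": r"C:\Program Files\App\app.exe", "DestinationIp": "10.0.0.5"},  # benign
]
```

Running `scan(SAMPLE_EVENTS)` yields one finding per malicious sample event and nothing for the benign one; in practice the events would come from a SIEM export rather than the inline list.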
