Silver Fox Campaign Uses Fake Software Sites to Spread RAT and Rootkit Malware

Security researchers have uncovered a new malicious campaign, dubbed Silver Fox (also known as Void Arachne), which leverages spoofed software distribution websites to infect users with remote access tools and rootkits. These fake sites—posing as legitimate distributors of popular programs like WPS Office, Sogou, and DeepSeek—are used to deliver the Sainbox remote access trojan (RAT) alongside a modified version of the open-source Hidden rootkit.
According to Netskope Threat Labs, phishing domains such as wpsice[.]com are serving up malicious, Chinese-language MSI installers, strongly suggesting that the campaign targets Chinese-speaking users.

“The malware payload includes Sainbox RAT, a variant of Gh0st RAT, and a modified version of the open-source Hidden rootkit,” researchers noted.
This is not the first time Silver Fox has used such tactics. In the summer of 2024, eSentire reported a campaign using similar methods—malicious websites impersonating Google Chrome download portals to distribute Gh0st RAT to Windows users in China.
More recently, in February 2025, analysts at Morphisec documented another Silver Fox-linked operation that spread ValleyRAT (also known as Winos 4.0) along with a variant of Gh0st RAT via spoofed download portals.
In the current wave, Netskope explains, the malicious MSI installers drop a legitimate-looking file named shine.exe, which then loads a malicious DLL (libcef.dll) through a technique known as DLL side-loading. This DLL extracts and runs embedded shellcode from a file (1.txt) packaged within the installer. That shellcode then launches the final payload—the Sainbox RAT.

Additionally, the .data section of the analyzed sample contains another embedded PE binary: a rootkit driver derived from the Hidden project. This component may be activated depending on the malware’s configuration.
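As an added defender-side example (not code from the Netskope report), the following Python hunt scores Sysmon-style "Image Loaded" events for the side-loading chain just described: a non-standard directory from which the executable pulls libcef.dll, a 1.txt sibling next to it, and an unsigned DLL. The sample events, the directory listings, the trusted install roots and the process name shine.exe living under a temp path are constructed assumptions, not indicators taken from the report.

```python
"""Hunt for the side-loading chain above over Sysmon-style Image Loaded
(Event ID 7) events. All events and directory listings are constructed."""
from dataclasses import dataclass
import ntpath

SIDELOADED_DLL = "libcef.dll"   # DLL named in the report
SHELLCODE_BLOB = "1.txt"        # shellcode container named in the report
# Assumed roots where a CEF-based app normally lives (hypothetical; tune it).
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

@dataclass
class ImageLoadEvent:
    process_image: str  # executable that performed the load
    image_loaded: str   # full path of the DLL loaded
    signed: bool        # Sysmon "Signed" field for the DLL

def score_event(ev, dir_listing):
    """Return the reasons this event matches the chain (empty if none).
    dir_listing maps lowercase directory -> set of lowercase file names."""
    reasons = []
    dll_dir, dll_name = ntpath.split(ev.image_loaded.lower())
    if dll_name != SIDELOADED_DLL:
        return reasons
    exe_dir = ntpath.dirname(ev.process_image.lower())
    # Side-loading: the DLL resolves from the EXE's own, non-standard directory.
    if exe_dir == dll_dir and not dll_dir.startswith(TRUSTED_ROOTS):
        reasons.append("libcef.dll loaded from the EXE's own non-standard directory")
    # The same directory also holds the shellcode container from the report.
    if SHELLCODE_BLOB in dir_listing.get(dll_dir, set()):
        reasons.append("1.txt sits next to libcef.dll")
    if not ev.signed:
        reasons.append("loaded libcef.dll is unsigned")
    return reasons

def hunt(events, dir_listing):
    """Map each loading executable to its reasons, keeping only hits."""
    return {ev.process_image: r for ev in events
            if (r := score_event(ev, dir_listing))}

# Constructed telemetry: one benign CEF host, one load matching the chain.
SAMPLE_EVENTS = [
    ImageLoadEvent(r"C:\Program Files\SomeCefApp\app.exe",
                   r"C:\Program Files\SomeCefApp\libcef.dll", True),
    ImageLoadEvent(r"C:\Users\victim\AppData\Local\Temp\wps\shine.exe",
                   r"C:\Users\victim\AppData\Local\Temp\wps\libcef.dll", False),
]
SAMPLE_DIRS = {
    r"c:\program files\somecefapp": {"app.exe", "libcef.dll"},
    r"c:\users\victim\appdata\local\temp\wps": {"shine.exe", "libcef.dll", "1.txt"},
}
```

Running hunt(SAMPLE_EVENTS, SAMPLE_DIRS) returns only the shine.exe load, with all three reasons; the benign CEF host under Program Files produces no hit.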
“The embedded file is a rootkit driver based on the open-source Hidden project,” Netskope confirmed.
The Sainbox RAT is capable of:
- Exfiltrating sensitive data
- Downloading and executing additional payloads
- Maintaining remote access to infected machines
The accompanying Hidden rootkit enables stealth by:
- Hiding malware processes, registry entries, and files
- Using mini-filters and kernel callbacks to maintain concealment
- Protecting itself and other components through IOCTL-accessible controls
According to the researchers, combining off-the-shelf RATs (such as Gh0st RAT) with open-source tools like Hidden allows attackers to maintain control and stealth without investing heavily in custom malware development.
“Using variations of commercial RATs and open-source rootkits allows attackers to maintain control and stealth without extensive in-house development,” Netskope concluded.