Silver Fox Cybercrime Group Launches New Malware Campaign Targeting Chinese Users

CyberSecureFox 🦊

Cybersecurity researchers have identified a sophisticated new campaign orchestrated by the Silver Fox threat group, also known as Void Arachne, targeting Chinese-speaking users through an elaborate network of fraudulent websites. This latest operation demonstrates the group’s evolving tactics in deploying advanced malware through deceptive distribution channels that mimic legitimate software platforms.

Campaign Overview and Attack Methodology

According to findings from Netskope Threat Labs, the Silver Fox group has established multiple fake websites designed to impersonate official download platforms for popular applications including WPS Office, Sogou, and DeepSeek. The attackers register domains that closely resemble legitimate developer resources, such as the discovered site wpsice[.]com, which distributes malicious MSI installers available exclusively in Chinese.

The campaign’s geographic focus on China and Chinese-speaking regions is evident from the localized nature of both the fake websites and the malware payload. This targeted approach suggests the group possesses detailed knowledge of their intended victims’ software preferences and online behavior patterns.

Technical Analysis of the Malware Payload

The malicious MSI installers employ a sophisticated multi-stage infection process that begins with the execution of a legitimate file called shine.exe. This binary subsequently loads a malicious library, libcef.dll, using a technique known as DLL side-loading. This method is particularly effective at evading detection because it leverages trusted processes to execute malicious code.

The loaded DLL’s primary function involves extracting and executing shellcode from an embedded text file named 1.txt within the installer package. This process culminates in the deployment of the Sainbox RAT, a modified version of the notorious Gh0st RAT trojan.
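The infection chain above (legitimate shine.exe side-loading an unsigned libcef.dll from the same directory) is the kind of pattern an endpoint telemetry rule can catch. The following is an added detection example, not code from the report or from Netskope; it assumes Sysmon-style ImageLoad (Event ID 7) fields and uses constructed sample events.

```python
"""Added example (not from the original report): flag the DLL side-loading
pattern described above in constructed Sysmon-style ImageLoad events.
Field names mirror Sysmon Event ID 7; the sample events are constructed."""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# DLL names worth watching for side-loading; libcef.dll comes from the report.
SIDELOAD_DLLS = {"libcef.dll"}

# Directories where a legitimately installed copy of the DLL would normally live.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class ImageLoad:
    image: str          # loading process executable (Sysmon "Image")
    image_loaded: str   # DLL being loaded (Sysmon "ImageLoaded")
    signed: bool        # Sysmon "Signed" == "true"
    signature: str      # Sysmon "Signature" (publisher), "" if unsigned


def is_suspicious_sideload(ev: ImageLoad) -> bool:
    """True when a watched DLL is loaded from the loader's own directory,
    outside the trusted install roots, and carries no valid signature."""
    exe = PureWindowsPath(ev.image)
    dll = PureWindowsPath(ev.image_loaded)
    if dll.name.lower() not in SIDELOAD_DLLS:
        return False
    same_dir = str(exe.parent).lower() == str(dll.parent).lower()
    in_trusted_root = str(dll).lower().startswith(TRUSTED_ROOTS)
    return same_dir and not in_trusted_root and not ev.signed


def scan(events):
    """Return the paths of DLLs whose load matches the side-loading pattern."""
    return [ev.image_loaded for ev in events if is_suspicious_sideload(ev)]


# Constructed sample events: the first mimics the reported shine.exe/libcef.dll
# chain dropped in a user-writable folder; the second is a benign CEF-based
# application with a signed libcef.dll under Program Files.
SAMPLE_EVENTS = [
    ImageLoad(r"C:\Users\u\AppData\Local\Temp\shine.exe",
              r"C:\Users\u\AppData\Local\Temp\libcef.dll", False, ""),
    ImageLoad(r"C:\Program Files\SomeApp\app.exe",
              r"C:\Program Files\SomeApp\libcef.dll", True, "Some Publisher"),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("suspicious side-load:", hit)
```

A hit on this rule is a triage lead, not a verdict: follow it up by checking the loader's own signature and whether a text file such as the reported 1.txt sits beside the DLL.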

Malware Capabilities and Persistence Mechanisms

The Sainbox RAT incorporates extensive capabilities for remote system control and data exfiltration. Within the malware’s .data section, researchers discovered an additional PE binary that functions as a rootkit driver based on the open-source Hidden project. This dual-component approach provides attackers with comprehensive control over compromised systems while maintaining stealth.

The Hidden rootkit utilizes advanced kernel-level techniques including mini-filters and kernel callbacks to conceal processes, files, and Windows registry keys associated with the malicious software. The rootkit features a user interface accessible through IOCTL (Input/Output Control) commands, enabling threat actors to efficiently manage infected systems and configure concealment parameters.

Historical Context and Group Evolution

This campaign represents a continuation of Silver Fox’s established pattern of targeting Chinese users through fraudulent websites. In summer 2024, eSentire researchers documented a similar operation where the group distributed Gh0st RAT through fake Google Chrome download sites. More recently, in February 2025, Morphisec analysts identified another Silver Fox campaign distributing ValleyRAT (Winos 4.0) and additional Gh0st RAT variants through deceptive web resources.

The consistent evolution of the group’s tactics demonstrates their commitment to refining their attack methodology while maintaining focus on Chinese-speaking victims. This persistence suggests the campaigns may be financially motivated or potentially serve broader strategic objectives within the region.

Defense Implications and Threat Assessment

The Silver Fox group’s adoption of open-source rootkit technology combined with modified commercial RATs represents a significant threat evolution. This approach provides attackers with sophisticated capabilities without requiring extensive development resources, making such attacks more accessible to criminal organizations.

The use of legitimate-looking websites and trusted software names creates a particularly dangerous social engineering component that can deceive even cautious users. The technical sophistication of the DLL side-loading technique and kernel-level rootkit deployment indicates the group possesses advanced technical capabilities.

Organizations and individual users in targeted regions should implement comprehensive security measures including endpoint detection and response solutions capable of identifying advanced persistent threats. Users must exercise extreme caution when downloading software, ensuring they only use official developer websites and verify digital signatures before installation. Regular security awareness training focusing on recognizing fraudulent websites and social engineering tactics remains essential for maintaining robust cybersecurity posture against such sophisticated threat actors.
