A China-linked hacking group, known as Silver Fox, is actively targeting Taiwanese citizens with a new cyber-espionage campaign. The attackers use fake software installers for popular applications, including the DeepSeek AI chatbot, to trick users into downloading malware. This phishing scheme installs the promised software but also secretly deploys the Sainbox RAT, a powerful tool that gives hackers full remote control over the victim’s device.
Silver Fox Group Linked to the Attack
Cybersecurity analysts are confident that the China-affiliated threat actor Silver Fox is responsible for this latest wave of attacks. The group has a long history of targeting Taiwanese organizations and individuals, often using broad, opportunistic phishing campaigns. Ray Canzanese from Netskope noted that while the method is classic phishing, the bait has been updated to include trendy AI software.
The attackers dress up old-school phishing tactics with popular software like DeepSeek to lure in victims. While the campaign may not have a massive success rate, espionage operations only need a single successful breach to achieve their goals.
How the Deceptive AI Lure Works
The entire operation hinges on abusing the trust users place in well-known software. DeepSeek, WPS Office, and Sogou are household names in Chinese-speaking regions, making them ideal bait. The attackers don’t need to create anything new; they simply piggyback on existing popularity.
The process is deceptively simple and effective:
- A user searches for a popular software installer online.
- They are directed to a convincing phishing website written in Mandarin.
- The user downloads and runs the fake installer.
- The legitimate software is installed, but the Sainbox RAT malware is also installed silently in the background.
Because the expected software installs and runs correctly, the victim rarely suspects that their system has been compromised. Nothing visibly goes wrong, so the malware can operate undetected.
A Look Inside the Hacker’s Toolkit
The primary payload in this campaign is the Sainbox RAT, a customized variant of the notorious Gh0stRAT. This remote access trojan is not new, but it remains a dangerous and versatile tool. It allows attackers to steal data, execute commands, download additional malware, and maintain a persistent presence on the infected system.
In some cases, Silver Fox also deploys a rootkit named “Hidden” to conceal its malicious activities. This tool burrows deep into the operating system, making it incredibly difficult for antivirus software to detect and remove the malware. These are not simple tools; they are weapons built for surgical cyber-espionage.
| Malware/Tool | Purpose | Distribution Method |
|---|---|---|
| Gh0stRAT | Full remote control | Embedded in fake software |
| Sainbox RAT | Data theft, command execution | Bundled with fake DeepSeek installer |
| Hidden Rootkit | Payload concealment | Dropped after initial compromise |
| Winos4.0 Framework | Multi-stage espionage & persistence | Fake gaming tools & utilities |
Espionage with a Smokescreen
While the group’s primary motivation appears to be espionage, Silver Fox often mixes its tactics to create confusion. Researchers have observed the group engaging in what look like financially driven attacks, likely as a smokescreen to hide their true intelligence-gathering objectives. This makes it harder for defenders to determine the attackers’ ultimate goal.
The group’s targets are diverse and significant, including:
- Healthcare networks, where patient data has been compromised.
- Government infrastructure, a classic target for state-sponsored espionage.
- Industrial systems, where the long-term consequences of a breach are unknown.
This campaign is a reminder of the quiet digital cold war playing out in the background of everyday technology use. As attackers continue to use simple but effective tricks, users must remain vigilant about where they download software.