A China-linked cyber-espionage group is using fake installers for popular Chinese-language software, including DeepSeek’s large language model, to infect devices across Taiwan.
AI Lures Are the New Bait in Cyber Espionage
A new phishing campaign is quietly spreading across Taiwanese devices — and it’s got all the hallmarks of a state-sponsored job. At the heart of it: a fake installer for DeepSeek’s AI-powered chatbot, the R1 large language model.
The attackers, speaking your language — quite literally — lure victims through Mandarin-language phishing sites and fake installers that look almost too convincing. Once clicked, the installer actually does what it promises — installs the software — but also slips in a nasty piece of malware.
Silver Fox Strikes Again
This isn’t the first time we’ve seen this group.
Silver Fox, a China-affiliated threat actor with a history of espionage campaigns, is believed to be behind the latest attack. Cybersecurity analysts say their fingerprints are all over it. Ray Canzanese from Netskope says the group often targets Taiwanese citizens and organizations, sometimes without a clearly defined mission.
“They just throw these lures out there,” says Canzanese. “It’s old-school phishing, but now they’re dressing it up with trendy software like DeepSeek.”
The success rate? Not massive. But in cyber-espionage, you don’t need a 90% hit rate. One slip-up is often enough.
Why DeepSeek, WPS Office, and Sougou?
Because people trust them. And trust, in this case, is what gets abused.
These are household names across Chinese-speaking communities. That’s precisely why they’re the perfect bait. Cybercriminals don’t need to reinvent the wheel — they just piggyback off what’s already popular.
Here’s how it works:
- Victim searches for a software installer
- Lands on a phishing page written in Mandarin
- Downloads the fake installer
- Software installs — but so does the Sainbox RAT
No alarms go off. No red flags. The malware just quietly takes root in the background.
From RATs to Rootkits: A Familiar Toolkit
Let’s talk about what gets installed along with your AI chatbot or productivity suite.
First up is Sainbox RAT, a variant of Gh0stRAT. It’s not new, but it’s still dangerous. The software lets attackers do whatever they want on your system — download new tools, exfiltrate data, or even run ransomware if they feel like switching it up.
Then there’s “Hidden,” another rootkit Silver Fox sometimes drops in. As its name suggests, it’s all about stealth. It burrows deep, evading antivirus tools and hiding other payloads.
These aren’t just tools of curiosity; they’re surgical cyber-espionage weapons.
The Tricks They Keep Using Still Work
You’d think these techniques would’ve run their course by now. But surprisingly, they haven’t.
Peter Girnus, senior threat researcher at Trend Micro, points out that techniques like DLL sideloading and BYOVD (Bring Your Own Vulnerable Driver) are still incredibly common.
“The attackers abuse the way Windows handles DLLs,” he says. “They load malicious code through apps you already trust.”
This isn’t theoretical. Earlier this year, Check Point researchers saw Silver Fox use an old driver to escalate privileges on victims’ machines. Same old trick, new disguise.
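The DLL sideloading pattern Girnus describes, a trusted, signed executable loading a DLL placed beside it, can be hunted for on a running Windows host. The script below is an added example written for this article, not code from the article or from any of the researchers quoted; it uses only the built-in Get-Process and Get-AuthenticodeSignature cmdlets and flags any DLL loaded from the host executable's own directory whose Authenticode signature is missing, invalid, or from a different signer than the executable itself.

```powershell
# Added example (not from the article): hunt for DLL-sideloading candidates.
# Heuristic: a validly signed executable that loads a DLL from its own
# directory (not from System32) where that DLL is unsigned, invalidly signed,
# or signed by a different publisher. Run elevated so module lists are readable.

$findings = Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = $_
    try {
        $exePath = $proc.MainModule.FileName   # throws for protected/system processes
        $modules = $proc.Modules
    } catch {
        return   # skip processes we cannot inspect
    }

    $exeDir    = Split-Path -Parent $exePath
    $exeSig    = Get-AuthenticodeSignature -FilePath $exePath -ErrorAction SilentlyContinue
    if (-not $exeSig -or $exeSig.Status -ne 'Valid') { return }   # only signed hosts matter here
    $exeSigner = $exeSig.SignerCertificate.Subject

    foreach ($mod in $modules) {
        $modPath = $mod.FileName
        if (-not $modPath) { continue }
        if ($modPath -eq $exePath) { continue }
        if ($modPath -notmatch '\.dll$') { continue }
        # Only DLLs living beside the executable fit the sideloading pattern
        if ((Split-Path -Parent $modPath) -ne $exeDir) { continue }

        $modSig    = Get-AuthenticodeSignature -FilePath $modPath -ErrorAction SilentlyContinue
        $modStatus = if ($modSig) { $modSig.Status } else { 'Unknown' }
        $modSigner = if ($modSig -and $modSig.SignerCertificate) { $modSig.SignerCertificate.Subject } else { $null }

        if ($modStatus -ne 'Valid' -or $modSigner -ne $exeSigner) {
            [PSCustomObject]@{
                Process   = $proc.ProcessName
                PID       = $proc.Id
                Exe       = $exePath
                ExeSigner = $exeSigner
                Dll       = $modPath
                DllStatus = $modStatus
                DllSigner = $modSigner
            }
        }
    }
}

$findings | Sort-Object Process, Dll | Format-Table -AutoSize
```

Expect some noise: legitimate applications do ship third-party signed or unsigned helper DLLs next to their executable, so each hit needs a look at the DLL's hash, file timestamp and whether the vendor actually distributes that file. The signal to act on is a well-known signed binary (a browser, a productivity-suite component, a system utility) sitting in an unusual directory with a fresh, unsigned DLL beside it, which is exactly what a trojanized installer of the kind described above leaves behind.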
Familiar Malware, New Tricks
Gh0stRAT — once leaked — became the digital equivalent of an open bar at a hacker convention. Everyone started using it. Chinese threat groups, in particular, made it their go-to for years.
Silver Fox took it a step further with Sainbox. And they didn’t stop there. Back in late 2024, they — along with another group called Void Arachne — crafted Winos4.0, a framework built on top of Gh0stRAT.
What did they use to spread that one? Fake game utilities. It’s not hard to see the pattern.
| Malware/Tool | Purpose | Distribution Method |
|---|---|---|
| Gh0stRAT | Full remote control | Embedded in fake software |
| Sainbox RAT | Data theft, command execution | Bundled with fake DeepSeek installer |
| Hidden Rootkit | Payload concealment | Dropped after initial compromise |
| Winos4.0 Framework | Multi-stage espionage & persistence | Fake gaming tools & utilities |
Each tool has a role. And in combination, they give attackers everything they need to dig in and stay hidden.
From Espionage to Cybercrime for Hire
Silver Fox isn’t just snooping on state secrets. Sometimes, it’s all about the money — or at least, giving that appearance.
Experts say the group mixes up its motivations, engaging in financially driven attacks or covering their spying campaigns by looking like cybercriminals. It’s a smokescreen, a messy one, but often good enough to mislead defenders for a while.
They’ve been caught hitting:
- Healthcare networks, compromising patient data
- Government infrastructure
- Industrial systems, with unknown long-term consequences
Lessons: Not New, But Still Ignored
The takeaways from all this aren’t surprising. But they are urgent.
You’d think by now, most organizations would be locking down their networks, installing proper detection systems, and educating staff about phishing. But too often, that’s not happening fast enough.
As Girnus from Trend Micro puts it, a few simple strategies can make a big difference:
- Train employees to recognize phishing
- Use behavioral monitoring for strange activity
- Enforce least-privilege access
- Implement zero-trust principles
It’s not rocket science. But when ignored, it lets old tricks keep working.
A Battle Playing Out in the Background
Most people won’t even realize there’s a war happening quietly in the background of their daily tech usage. They download a chatbot. A word processor. A search app. Something benign.
Behind the scenes, their systems become part of something bigger — a quiet, ongoing digital cold war. Taiwan is in the crosshairs. Again.
And yet, despite the headlines, the phishing pages, the malware breakdowns — people keep clicking.