Chinese Hackers Target Chinese Users With RAT, Rootkit


Fake installers distributed through Chinese-language websites are infecting users with a remote access trojan (RAT) and a rootkit, Netskope reports.

Masquerading as legitimate software such as WPS Office, Sogou, and DeepSeek, the installers were seen deploying a Gh0stRAT variant named Sainbox RAT together with the open-source Hidden rootkit, most likely to keep the attackers' access to victims' systems hidden from endpoint tooling.

The fake sites observed in this campaign, Netskope says, mimic the official websites of the legitimate software. However, when the user downloads the fake installers (MSI files and a PE installer), the download is served from a URL different from the site the user is visiting.

Upon execution, the MSI files launch a legitimate executable named 'Shine.exe', which is abused to sideload a malicious DLL dropped beside it, and also run the genuine installer so the victim sees the software they expected while the infection proceeds. A TXT file containing shellcode and the malware payload is also dropped.
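The chain above combines two artifacts a responder can look for in a dropped-file set: a well-known DLL name placed next to an executable (the sideloading primitive) and a ".txt" whose bytes are not text. The script below is an added triage example written for this page; it is not code from Netskope, SecurityWeek, or the campaign. The file names other than Shine.exe and libcef.dll, the thresholds, and all file contents are constructed assumptions.

```python
import math
import random
import string
from pathlib import PurePosixPath

# Constructed sample of a dropped-file set, modelled on the chain described above:
# a legitimate launcher, a DLL shadowing a well-known library name beside it, the genuine
# installer used as cover, and a .txt that is really binary. Contents are synthetic, not malware.
_rng = random.Random(1)
SAMPLE_FILES = {
    "drop/Shine.exe": b"MZ" + bytes(254),           # stand-in for the legitimate launcher
    "drop/libcef.dll": b"MZ" + bytes(254),          # DLL using the libcef name (assumed content)
    "drop/setup_genuine.exe": b"MZ" + bytes(254),   # genuine installer as cover (name assumed)
    "drop/readme.txt": b"Installer notes.\nRun setup to continue.\n",
    "drop/data.txt": bytes(_rng.getrandbits(8) for _ in range(512)),  # opaque bytes in a "text" file (name assumed)
}

PRINTABLE = frozenset(string.printable.encode("ascii"))


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for natural-language text, approaching 8 for packed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are ASCII printable (including whitespace)."""
    if not data:
        return 1.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def suspicious_text_files(files, min_printable=0.9, max_entropy=6.0):
    """Return .txt paths whose bytes do not look like text (low printable ratio or high entropy).
    Thresholds are assumptions chosen for this example, not values from the report."""
    hits = []
    for path, data in files.items():
        if not path.lower().endswith(".txt"):
            continue
        if printable_ratio(data) < min_printable or shannon_entropy(data) > max_entropy:
            hits.append(path)
    return sorted(hits)


def sideload_candidates(files, watched_dlls=frozenset({"libcef.dll"})):
    """Return (exe, dll) pairs where a watched DLL name sits in the same directory as an executable.
    Windows searches the application directory before the system directories for DLLs that are not
    KnownDLLs, so a same-named DLL dropped beside an EXE wins over the real library."""
    by_dir = {}
    for path in files:
        p = PurePosixPath(path)
        by_dir.setdefault(str(p.parent), []).append(p.name)
    pairs = []
    for directory, names in by_dir.items():
        exes = sorted(n for n in names if n.lower().endswith(".exe"))
        dlls = sorted(n for n in names if n.lower() in watched_dlls)
        pairs.extend((f"{directory}/{e}", f"{directory}/{d}") for e in exes for d in dlls)
    return pairs


def triage(files):
    """Run both checks over a name -> bytes mapping and return the findings."""
    return {
        "binary_txt": suspicious_text_files(files),
        "sideload_pairs": sideload_candidates(files),
    }


if __name__ == "__main__":
    for finding, items in triage(SAMPLE_FILES).items():
        print(finding, items)
```

The co-location check is deliberately noisy: a real Chromium-based application legitimately ships libcef.dll next to its executable, so the pair is a lead to verify (publisher signature on the DLL, hash against a known-good build), not a verdict. The entropy check catches the TXT-as-container trick regardless of the specific bytes stored.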

The DLL, a fake version of the libcef library, part of the Chromium ...


Copyright of this story solely belongs to securityweek. The full text is available from the original publisher.