
Threat Actors Impersonate WPS Office and DeepSeek to Spread Sainbox RAT


A malicious campaign has emerged, targeting Chinese-speaking users through fake installers of popular software such as WPS Office, Sogou, and DeepSeek.

This operation, attributed with medium confidence to the China-based adversary group Silver Fox, leverages phishing websites that mimic legitimate software portals to distribute malware payloads, primarily in the form of MSI files.

[Figure: Phishing page example]

Sophisticated Phishing Campaign

These deceptive installers install the genuine software to maintain an illusion of legitimacy, but they also deploy the Sainbox RAT (a variant of the infamous Gh0stRAT) and a modified version of the open-source Hidden rootkit, enabling attackers to gain stealthy, persistent control over compromised systems.

The infection begins when unsuspecting users visit counterfeit websites designed to resemble official pages for widely used Chinese software.

Upon clicking the download button, victims are redirected to a malicious URL that delivers a fake installer.

[Figure: Fake installer files]

Netskope’s analysis reveals that most ...


Copyright of this story solely belongs to gbhackers.