A new cyberattack campaign has been discovered targeting users in Taiwan, and it's believed to be the work of a Chinese threat group known as Silver Fox, also tracked as Void Arachne. The attackers are using a fake installer for the DeepSeek AI tool to trick victims into installing malware on their systems.
This campaign was uncovered by security researchers who noticed a fake DeepSeek R1 installer being used to deliver malware. The installer is actually a malicious MSI file, localized in Traditional Chinese, and is clearly aimed at users in Taiwan and other Chinese-speaking communities. This is a classic case of social engineering: the victim is fooled into installing something that looks legitimate but is actually harmful, and because the victim launches it willingly, no software vulnerability needs to be exploited.
The malware used in this attack is a modified version of Gh0stRAT, a well-known remote access trojan (RAT). The modified version is called Sainbox RAT. Once it is installed on the victim's computer, the attacker can remotely control the system, steal sensitive data, and use the foothold to move laterally through the network. The installer can also deploy a variant of the open-source "Hidden" rootkit, which conceals the RAT's files and processes from antivirus tools and makes the infection much harder to detect.
The delivery technique used here is known as DLL sideloading. The malicious DLL is placed next to a legitimate, typically signed, executable that is bundled with the installer. Because Windows searches the application's own directory before the system directories when resolving a DLL that is not in the KnownDLLs list, the legitimate program loads the attacker's DLL instead of the real one as soon as it runs. This technique is popular with advanced threat actors because the malicious code executes inside a trusted, signed process, which helps it evade detection and makes the activity look legitimate.
Silver Fox is not a new name in the world of cyber threats. The group has been active for several years and is believed to have ties to Chinese state-sponsored operations. It has mostly focused on espionage and surveillance, targeting Taiwan, Hong Kong, and other politically sensitive regions. In past campaigns, it has used fake installers for Sogou Input Method, WPS Office, and Tencent Meeting to deliver similar payloads, so the DeepSeek lure is simply the latest piece of popular software to be imitated.
What's important to note is that this campaign is not highly targeted: it doesn't aim at one company or organization. Instead, it appears to be aimed broadly at anyone interested in downloading DeepSeek or similar Chinese-language AI tools. This increases the potential impact significantly, because it can affect regular users, developers, researchers, and businesses alike.
Coverage from Proofpoint, The Hacker News, and Dark Reading describes the operation as recently discovered and still active. The reports also note that the malware infrastructure used in this campaign was designed to be stealthy and modular, allowing the attackers to add or remove capabilities as needed.
The FBI and cybersecurity experts are advising users, especially in Taiwan and nearby regions, to be extra careful when downloading software from unknown or unofficial websites. It is always safer to get tools directly from the vendor's official site or a verified app store, even if a link or download page looks trustworthy, and to check the publisher of an installer before running it.
Security teams are also being advised to watch for signs of DLL sideloading, such as unsigned DLLs appearing next to signed executables in user-writable folders, or DLLs with the names of Windows system libraries being loaded from outside the system directories, and to monitor for remote access behavior, such as unexpected outbound connections from newly installed software, that could indicate a RAT infection. It is also important to provide security awareness training to staff, especially teams that work with Chinese-language software or AI tools.
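The detection advice above and the sideloading mechanism described earlier can be checked against Sysmon image-load telemetry (Event ID 7). The script below is an added example written for this article; it is not code from the article, from Silver Fox's tooling, or from any vendor. The events it scans are constructed, and the file and folder names in them (for example "Installer\version.dll") are illustrative assumptions, not indicators from the campaign. It applies two rules: a DLL whose name belongs to a Windows system library but is loaded from outside System32/SysWOW64, and an unsigned DLL loaded from a user-writable location.

```python
"""Flag DLL-sideloading candidates in Sysmon Event ID 7 (ImageLoad) records.

Added example for this article, not the article's or any vendor's code.
Sample events are constructed; paths and names are assumptions.
"""
import ntpath
import re

# DLL names Windows normally serves from its system directory. Because the
# application directory is searched before System32 for anything not in the
# KnownDLLs list, a copy of one of these sitting next to an executable wins.
SYSTEM_DLLS = {
    "version.dll", "wtsapi32.dll", "dbghelp.dll", "cryptbase.dll",
    "userenv.dll", "winhttp.dll", "dwmapi.dll", "uxtheme.dll",
}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

# Locations a standard user (or an MSI running as that user) can write to.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata|downloads|desktop)\\"
    r"|^c:\\windows\\temp\\"
    r"|^c:\\programdata\\",
    re.IGNORECASE,
)

# Constructed records in a flat Key=Value|Key=Value form (real Sysmon logs are
# XML/EVTX; only the field names below are taken from Event ID 7).
SAMPLE_EVENTS = [
    r"Image=C:\Program Files\Editor\editor.exe|ImageLoaded=C:\Windows\System32\version.dll|Signed=true",
    r"Image=C:\Users\alice\AppData\Local\Temp\Installer\setup.exe|ImageLoaded=C:\Users\alice\AppData\Local\Temp\Installer\version.dll|Signed=false",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\helper.dll|Signed=true",
    r"Image=C:\ProgramData\Update\svc.exe|ImageLoaded=C:\ProgramData\Update\dbghelp.dll|Signed=true",
    r"Image=C:\Program Files\Vendor\app.exe|ImageLoaded=C:\Program Files\Vendor\plugin.dll|Signed=false",
]


def parse_event(line):
    """Split one 'Key=Value|Key=Value' record into a dict."""
    fields = {}
    for part in line.strip().split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(event):
    """Return the list of reasons an ImageLoad looks like sideloading (empty = benign)."""
    loaded = event.get("ImageLoaded", "")
    name = ntpath.basename(loaded).lower()
    folder = ntpath.dirname(loaded).lower() + "\\"
    signed = event.get("Signed", "").lower() == "true"
    reasons = []
    # Rule 1: a system library name resolved from a non-system directory.
    if name in SYSTEM_DLLS and not folder.startswith(SYSTEM_DIRS):
        reasons.append(f"system DLL name {name} loaded from {folder}")
    # Rule 2: an unsigned DLL executing from a location any user can write to.
    if not signed and USER_WRITABLE.match(folder):
        reasons.append(f"unsigned DLL loaded from user-writable path {folder}")
    return reasons


def scan(lines):
    """Map each suspicious ImageLoaded path to its list of reasons."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings[event["ImageLoaded"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_EVENTS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Of the five constructed records, only the unsigned version.dll in the Temp folder (both rules) and the signed dbghelp.dll in ProgramData (rule 1 only) are flagged; the unsigned plugin.dll under Program Files is deliberately left alone, since many legitimate applications ship unsigned DLLs in their own install directory and flagging those would bury the real hits. Rule 2 on its own is noisy on developer machines, so in production it is best paired with the loading process's parent (msiexec.exe, a browser, or an archive tool) before it pages anyone.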
In short, Silver Fox is back with another clever lure for spying on users in Taiwan. By disguising malware as a popular AI tool, the group is trying to gain access to valuable information. As these attackers refine their tricks, staying alert and following basic cybersecurity hygiene becomes more important than ever.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news