Weaponized DeepSeek Installers Deliver Sainbox RAT and Hidden Rootkit

The attack leverages fake installers masquerading as legitimate software downloads, including the popular AI chatbot DeepSeek, to deploy advanced persistent threats onto victim systems. The malicious operation employs a multi-stage infection process that begins with carefully crafted phishing websites mimicking official software distribution pages. These counterfeit installers, primarily distributed as MSI files, contain sophisticated payloads designed to establish long-term system compromise while maintaining stealth through advanced evasion techniques.

Netskope analysts identified this campaign during routine threat hunting activities, discovering that the fake installers deliver two primary malicious components: the Sainbox RAT, a variant of the notorious Gh0stRAT family, and a modified version of the open-source Hidden rootkit. When executed, the malicious MSI installer performs a deceptive dual operation, simultaneously installing the legitimate software to avoid user suspicion while deploying its malicious payload through a complex side-loading technique.

The core of this attack relies on DLL side-loading, a technique that exploits the Windows dynamic library loading process to execute malicious code. The fake installer drops three critical files: a legitimate executable named “Shine.exe,” a malicious DLL masquerading as “libcef.dll” (a legitimate Chromium Embedded Framework library), and a data file called “1.txt” containing encoded shellcode and the final payload. The malicious DLL subsequently reads the contents of “1.txt,” which contains a 0xc04-byte shellcode based on the open-source sRDI (Shellcode Reflective DLL Injection) tool. This shellcode performs reflective DLL loading, injecting the Sainbox RAT directly into memory without touching the disk, thereby evading many traditional detection mechanisms and establishing a sophisticated command-and-control infrastructure for persistent system compromise.
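A hunting check for the dropped file set described above, added here as an example and not taken from the Netskope research or the original article. It walks a directory tree and reports any folder that holds all three reported file names together; the size test on “1.txt” is an assumed heuristic, since a legitimate “libcef.dll” on its own is common and is not an indicator.

```python
import os

# File names reported in the article for the dropped side-loading set.
TRIAD = {"shine.exe", "libcef.dll", "1.txt"}
SHELLCODE_LEN = 0xC04  # size of the sRDI-based shellcode in 1.txt, per the article


def find_sideload_triads(root):
    """Return one finding per directory under root that holds all three files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        # Windows file names are case-insensitive, so compare lower-cased names.
        by_name = {name.lower(): name for name in files}
        if not TRIAD.issubset(by_name):
            continue
        data_path = os.path.join(dirpath, by_name["1.txt"])
        try:
            size = os.path.getsize(data_path)
        except OSError:
            size = -1  # unreadable; the co-location is still reported
        findings.append({
            "directory": dirpath,
            "data_file_size": size,
            # Assumption: 1.txt carries the shellcode followed by the payload,
            # so a matching file should be larger than the shellcode alone.
            "size_consistent": size > SHELLCODE_LEN,
        })
    return findings


if __name__ == "__main__":
    import sys
    # Usage: python script.py <directory to sweep>; defaults to the current one.
    for hit in find_sideload_triads(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(hit)
```

A hit is a lead for triage rather than a verdict: confirm it by checking the signature and hash of the co-located “libcef.dll” against a known-good Chromium Embedded Framework build.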

This Cyber News was published on cybersecuritynews.com. Publication date: Fri, 27 Jun 2025 14:20:12 +0000

