Sihost Description

The protests in Hong Kong have been lasting for quite a while now, and the Chinese government appears to be losing its patience and resorting to some innovative techniques. Recently, it was uncovered that Beijing had employed a threat actor to target the protesters in Hong Kong. The targeted protesters would receive an email that is masked as a message from a law student from the West. In the message, the attackers pretend to be interested in the protests and ask the recipient for 'recommendations to end the Hong Kong protests.' The attackers would attach three files to the fraudulent email - two genuine ones and one that appears as an '. RTF' document but is a '. LNK' file. Masking this corrupted file as a harmless document is done by using a double extension, a rather old but effective trick.

Uses a ‘.PNG’ File Masked as an Image

The '. LNK' files serve as a link, and in the case of this Beijing campaign, the '. LNK' file leads to a 'msiexec.exe' file, which is genuine. The '. LNK' file that is attached to the fake email has to execute the 'msiexec.exe' file and have it download a file from GitHub. The file in question appears to be a '. PNG' image, but it operates as an executable. This executable is used to generate hundreds of fake files. Among them is the initial payload that is located in 'siHost64.'


The %APPDATA% folder would contain a Python script called 'siHost64.' This script is meant to:

  • Gain persistence by tampering with the Windows Registry.
  • Establish a connection with the attackers' C&C (Command & Control) server, which operates with the help of the DropBox API.
  • Uses the C&C server to grab files containing encrypted commands. Upon decrypting the commands, the threat will execute them. The results of these actions are stored in a new encrypted file. The threat will exfiltrate the file to the C&C server periodically.

In its essence, the Sihost threat is a tool for spying. This backdoor Trojan will allow its operators to gather information from the compromised host and transfer it to the attackers' server.

It is clear that the Sihost malware is not meant to target random users. This threat has a very low infection ratio, and its victims appear to be in the Chinese region, which has led experts to believe that the Sihost Trojan has been developed to target Honk Kong protesters exclusively. The threat is very well-developed, and it is clear that experienced cybercriminals have created the Sihost backdoor Trojan.