The thing is, if you put any arbitrary DNS name in the subject, Superfish will tag it as verify_fail. as you show, but it also passes through Subject Alternative Name untouched; if you just put the host you want to spoof in the SAN instead of the subject, Superfish will pass it through and the certificate will appear valid to the browser.

So, no need to chain to the "real" Superfish root cert, you just need to craft the SAN properly and chain to anything, or self-sign.