Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia

Summary

The China-based Silver Fox cybercrime group launched a campaign using phishing emails impersonating the Indian Income Tax Department to distribute ABCDoor, a previously undocumented Python-based backdoor. The attack chain involved modified Rust-based loaders (RustSL) that downloaded ValleyRAT, with over 1,600 phishing emails detected between January and February 2026 targeting industrial, consulting, retail, and transportation sectors across multiple countries.

Full text

Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia Ravie LakshmananMay 04, 2026Malware / Network Security The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities. "Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a 'list of tax violations,'" Kaspersky said. "Inside the archive was a modified Rust-based loader pulled from a public repository. This loader would download and execute the well-known ValleyRAT backdoor." The campaign is estimated to have impacted organizations across the industrial, consulting, retail, and transportation sectors. More than 1,600 phishing emails were flagged between early January and early February. What's notable about these phishing waves is the delivery of a new ValleyRAT plugin that functions as a loader for a previously undocumented Python-based backdoor codenamed ABCDoor. The backdoor, per the Russian cybersecurity company, has been part of the threat actor's arsenal since at least December 19, 2024, and was put to use in cyber attacks beginning February or March 2025. The starting point of the attack chain is a phishing email containing a PDF file, which features two clickable links that lead to the download of a ZIP or RAR archive hosted on "abc.haijing88[.]com." In the campaign detected in December 2025, the malicious code is said to have been embedded directly within the files attached to the email. Present within the archive is an executable that mimics a PDF file. The binary is a modified version of an open-source shellcode loader and antivirus bypass framework called RustSL. Silver Fox's first recorded use of RustSL dates back to late December 2025. The end goal of the Silver Fox RustSL variant is to unpack the encrypted malicious payload, while implementing country-based geofencing and environment checks to detect virtual machines and sandboxes. While the GitHub variant only includes China in its country list, the bespoke version features India, Indonesia, South Africa, Russia, and Cambodia. One variant of the loader has been found to employ a novel called Phantom Persistence to establish persistence on the compromised host. It was first documented in June 2025. "This method abuses functionality designed to allow applications requiring a reboot for updates to complete the installation process properly," Kaspersky explained. "The attackers intercept the system shutdown signal, halt the normal shutdown sequence, and trigger a reboot under the guise of an update for the malware. Consequently, the loader forces the system to execute it upon OS startup." The encrypted payload loaded by RustSL results in the download of the encrypted ValleyRAT (aka Winos 4.0) malware, with the core component ("login-module.dll_bin") responsible for command-and-control (C2) communications, command execution, and retrieval and execution of additional modules. One of the custom modules deployed as part of the attack following a second geofencing check is ABCDoor, which contacts an external server via HTTPS and processes incoming messages to facilitate persistence, handle backdoor updates and removal, collect data such as screenshots, enable remote mouse and keyboard control, perform file system operations, manage system processes, and exfiltrate clipboard contents. As recently as November 2025, Silver Fox has been observed using a JavaScript loader to deliver ABCDoor, with the loader distributed via self-extracting (SFX) archives that were packaged inside ZIP archives likely sent via phishing emails. Newer versions of RustSL have since expanded the geographic focus to include Japan. The highest number of attacks has been detected in India, Russia, and Indonesia, followed by South Africa and Japan. The majority of loader samples discovered have employed tax-themed lures to imitate the infection sequence. "Since 2024, [Silver Fox] has evolved into a dual-track operational model that simultaneously conducts profitable extensive opportunistic activities and espionage activities," S2W said. "In the early stages, the group targeted China for attacks, but later expanded its operational scope to Taiwan and Japan." "The Silver Fox group primarily utilizes highly customized spear phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal issues of the target country and the target's work characteristics." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  Backdoor, Cybercrime, cybersecurity, data breach, endpoint security, Kaspersky, Malware, network security, Phishing, Threat Intelligence ⚡ Top Stories This Week Harvester Deploys Linux GoGra Backdoor in South Asia Using Microsoft Graph API Malicious KICS Docker Images and VS Code Extensions Hit Checkmarx Supply Chain Apple Fixes iOS Flaw That Let FBI Recover Deleted Signal Messages Vercel Finds More Compromised Accounts in Context.ai-Linked Breach ThreatsDay Bulletin: $290M DeFi Hack, macOS LotL Abuse, ProxySmart SIM Farms +25 New Stories Bitwarden CLI Compromised in Ongoing Checkmarx Supply Chain Campaign LMDeploy CVE-2026-33626 Flaw Exploited Within 13 Hours of Disclosure FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches Researchers Uncover Pre-Stuxnet ‘fast16’ Malware Targeting Engineering Software ⚡ Weekly Recap: Fast16 Malware, XChat Launch, Federal Backdoor, AI Employee Tracking and More Checkmarx Confirms GitHub Repository Data Posted on Dark Web After March 23 Attack Microsoft Confirms Active Exploitation of Windows Shell CVE-2026-32202 Chinese Silk Typhoon Hacker Extradited to U.S. Over COVID Research Cyberattacks Microsoft Patches Entra ID Role Flaw That Enabled Service Principal Takeover Researchers Discover Critical GitHub CVE-2026-3854 RCE Flaw Exploitable via Single Git Push Critical cPanel Authentication Vulnerability Identified — Update Your Server Immediately ⭐ Featured Resources [Webinar] Stop Chasing Alerts and Start Focusing on Real Exposures [Guide] How to Enable Secure Data Movement Without Added Risk Learn How Hidden Identity Blind Spots Weaken Your Security Systems [Guide] Learn a Practical Framework to Evaluate AI Tools for Production

Indicators of Compromise

• domain — abc.haijing88.com
• malware — ABCDoor
• malware — ValleyRAT
• malware — RustSL
• malware — Phantom Persistence

Entities