Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India

Summary

The Silver Fox threat group launched phishing campaigns in December 2025 targeting Indian organizations and January 2026 targeting Russian organizations by impersonating tax authorities. The campaigns distributed a modified Rust-based loader (RustSL) that executes ValleyRAT backdoor and a newly discovered Python backdoor named ABCDoor. Over 1,600 malicious emails were recorded across industrial, consulting, retail, and transportation sectors; ABCDoor has been in the group's arsenal since late 2024.

Full text

Table of Contents Email campaignRustSL loaderSilver Fox RustSLThe steganography.rs moduleEncrypted malicious payload formatThe guard.rs modulePhantom PersistenceAttack chain and payloadsCustom ValleyRAT modulesABCDoor Python backdoorABCDoor versionsEvolution of ABCDoor distribution methodsVictimsConclusionDetection by Kaspersky solutionsIndicators of compromise Authors Anton Kargin Vladimir Gursky Victoria Vlasova Anna Lazaricheva In December 2025, we detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. We have attributed this activity to the Silver Fox threat group. Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a “list of tax violations”. Inside the archive was a modified Rust-based loader pulled from a public repository. This loader would download and execute the well-known ValleyRAT backdoor. The campaign impacted organizations across the industrial, consulting, retail, and transportation sectors, with over 1600 malicious emails recorded between early January and early February. During our investigation, we also discovered that the attackers were delivering a new ValleyRAT plugin to victim devices, which functioned as a loader for a previously undocumented Python-based backdoor. We have named this backdoor ABCDoor. Retrospective analysis reveals that ABCDoor has been part of the Silver Fox arsenal since at least late 2024 and has been utilized in real-world attacks from the first quarter of 2025 to the present day. Email campaign In the January campaign, victims received an email purportedly from the tax service with an attached PDF file. Phishing email sent to victims in Russia The PDF contained two clickable links to download an archive, both leading to a malicious website: abc.haijing88[.]com/uploads/фнс/фнс.zip. Contents of the PDF file from the January phishing wave Contents of the фнс.zip archive In the December campaign, the malicious code was embedded directly within the files attached to the email. Phishing email sent to victims in India The email shown in the screenshot above was sent via the SendGrid cloud platform and contained an archive named ITD.-.rar. Inside was a single executable file, Click File.exe, with an Adobe PDF icon (the RustSL loader). Contents of ITD.-.rar Additionally, in late December, emails were distributed with an attachment titled GST.pdf containing two links leading to hxxps://abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar. (印度邮箱 translates from Chinese as “Indian mailbox”). PDF file from the phishing email Both versions of the campaign attempt to exploit the perceived importance of tax authority correspondence to convince the victim to download the document and initiate the attack chain. The method of using download links within a PDF is specifically designed to bypass email security gateways; since the attached document only contains a link that requires further analysis, it has a higher probability of reaching the recipient compared to an attachment containing malicious code. RustSL loader The attackers utilized a modified version of a Rust-based loader called RustSL, whose source code is publicly available on GitHub with a description in Chinese: Screenshot of the description from the RustSL loader GitHub project The description also refers to RustSL as an antivirus bypass framework, as it features a builder with extensive customization options: Eight payload encryption methods Thirteen memory allocation methods Twelve sandbox and virtual machine detection techniques Thirteen payload execution methods Five payload encoding methods Furthermore, the original version of RustSL encrypts all strings by default and inserts junk instructions to complicate analysis. The Silver Fox APT group first began using a modified version of RustSL in late December 2025. Silver Fox RustSL This section examines the key changes the Silver Fox group introduced to RustSL. We will refer to this customized version as Silver Fox RustSL to distinguish it from the original. The steganography.rs module The attackers added a module named steganography.rs to RustSL. Despite the name, it has little to do with actual steganography; instead, it implements the unpacking logic for the malicious payload. The usage of the new module within the Silver Fox RustSL code The threat actors also modified the RustSL builder to support the new format and payload packing. The attackers employed several methods to deliver the encrypted malicious payload. In December, we observed files being downloaded from remote hosts followed by delivery within the loader itself. Later, the attackers shifted almost entirely to placing the malicious payload inside the same archive as the loader, disguised as a standalone file with extensions like PNG, HTM, MD, LOG, XLSX, ICO, CFG, MAP, XML, or OLD. Encrypted malicious payload format The encrypted payload file delivered by the Silver Fox RustSL loader followed this structure: <RSL_START>rsl_encrypted_payload<RSL_END> 1 <RSL_START>rsl_encrypted_payload<RSL_END> If additional payload encoding was selected in the builder, the loader would decode the data before proceeding with decryption. The rsl_encrypted_payload followed this specific format: char sha256_hash[32]; // decrypted payload hash DWORD enc_payload_len; WORD sgn_decoder_size; char sgn_iterations; char sgn_key; char decoder[sgn_decoder_size]; char enc_payload[enc_payload_len]; 1234567 char sha256_hash[32]; // decrypted payload hashDWORD enc_payload_len;WORD sgn_decoder_size;char sgn_iterations;char sgn_key;char decoder[sgn_decoder_size];char enc_payload[enc_payload_len]; Below is a description of the data blocks contained within it: sha256_hash: the hash of the decrypted payload. After decryption, the loader calculates the SHA256 hash and compares it against this value; if they do not match, the process terminates. enc_payload_len: the size of the encrypted payload sgn_iterations and sgn_key: parameters used for decryption sgn_decoder_size and decoder: unused fields enc_payload: the primary payload Notably, the new proprietary steganography.rs module was implemented using the same logic as the public RustSL modules (such as ipv4.rs, ipv6.rs, mac.rs, rc4.rs, and uuid.rs in the decrypt directory). It utilized a similar payload structure where the first 32 bytes consist of a SHA-256 hash and the payload size. To decrypt the malicious payload, steganography.rs employed a custom XOR-based algorithm. Below is an equivalent implementation in Python: def decrypt(data: bytes, sgn_key: int, sgn_iterations: int) -> bytes: buf = bytearray(data) xor_key = sgn_key & 0xFF for _ in range(sgn_iterations): k = xor_key for i in range(len(buf)): dec = buf[i] ^ k if k & 1: k = (dec ^ ((k >> 1) ^ 0xB8)) & 0xFF else: k = (dec ^ (k >> 1)) & 0xFF buf[i] = dec return bytes(buf) 1234567891011121314151617 def decrypt(data: bytes, sgn_key: int, sgn_iterations: int) -> bytes: buf = bytearray(data) xor_key = sgn_key & 0xFF for _ in range(sgn_iterations): k = xor_key for i in range(len(buf)): dec = buf[i] ^ k if k & 1: k = (dec ^ ((k >> 1) ^ 0xB8)) & 0xFF else: k = (dec ^ (k >> 1)) & 0xFF buf[i] = dec return bytes(buf) The unpacking process consists of the following stages: Extraction of rsl_encrypted_payload.The loader extracts the encrypted payload body located between the <RSL_START> and <RSL_END> markers. Original file containing the encrypted malicious payload XOR decryption with a hardcoded key.Most loaders used the hardcoded key RSL_STEG_2025_KEY. Payload decoding occurs if the corresponding setting was enabled in the builder.The GitHub version of the builder offers several encoding options: Base64, Base32, Hex, and urlsafe_base64. Silver Fox utilized each option at least once. Base64 was the most frequent choice, followed

Indicators of Compromise

• domain — abc.haijing88.com
• malware — ABCDoor
• malware — ValleyRAT
• malware — RustSL

Entities