Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia

Security Reporter

China-based cybercriminal group Silver Fox has launched sophisticated phishing campaigns targeting organizations in India and Russia with a new ABCDoor backdoor delivered through tax-themed lures.

The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a previously undocumented malware called ABCDoor. The operation demonstrates the group's evolving tactics and expanding geographic reach.

Campaign Structure and Targets

The activity involved phishing emails that mimicked correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities in January 2026. "Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a 'list of tax violations,'" according to researchers at Kaspersky.

The campaign is estimated to have impacted organizations across the industrial, consulting, retail, and transportation sectors. More than 1,600 phishing emails were flagged between early January and early February, indicating a significant and ongoing operation.

Technical Analysis of the Attack Chain

What's notable about these phishing waves is the delivery of a new ValleyRAT plugin that functions as a loader for a previously undocumented Python-based backdoor codenamed ABCDoor. The backdoor has been part of the threat actor's arsenal since at least December 19, 2024, and was put to use in cyber attacks beginning February or March 2025.

The attack chain begins with a phishing email containing a PDF file, which features two clickable links leading to the download of a ZIP or RAR archive hosted on "abc.haijing88[.]com." In the December 2025 campaign, the malicious code was embedded directly within the files attached to the email.

Inside the archive is an executable that mimics a PDF file. This binary is a modified version of an open-source shellcode loader and antivirus bypass framework called RustSL. Silver Fox's first recorded use of RustSL dates back to late December 2025.
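A defender-side check for the archive stage described above: an in-memory ZIP scan that flags entries whose content is a PE executable under a document-like name, or whose name carries a document extension followed by an executable one. This is an added example, not Kaspersky's or Silver Fox's code; the archive contents are constructed here and are not real samples.

```python
import io
import zipfile

# Magic bytes for the two container types this check distinguishes.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks like an executable posing as a document."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    exts = ["." + p for p in base.split(".")[1:]]
    last = exts[-1] if exts else ""
    is_pe = head.startswith(PE_MAGIC)
    # A PE header under a name that claims to be a document (e.g. "notice.pdf").
    if is_pe and last in DOCUMENT_EXTS:
        reasons.append("PE content under a document extension")
    # A PE header under any other non-executable extension (e.g. "readme.txt").
    elif is_pe and last not in EXECUTABLE_EXTS:
        reasons.append("PE content under a non-executable extension")
    # Double extension such as "list_of_tax_violations.pdf.exe".
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DOCUMENT_EXTS:
        reasons.append("double extension: document name ending in an executable extension")
    return reasons


def scan_archive(zip_bytes: bytes) -> dict[str, list[str]]:
    """Scan a ZIP held in memory; map each suspicious entry name to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the leading bytes are needed for the magic check
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign PDF and one fake PE disguised as a PDF (not malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_audit_notice.pdf", PDF_MAGIC + b"1.7\n% constructed benign sample\n")
        zf.writestr("list_of_tax_violations.pdf.exe", PE_MAGIC + b"\x90\x00" * 30)
    return buf.getvalue()
```

The same classify_entry check can be applied to files after extraction, or to RAR members via a library that exposes entry names and leading bytes.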

Sophisticated Evasion Techniques

The Silver Fox RustSL variant implements several advanced techniques to evade detection:

  1. Geofencing: The loader includes country-based geofencing and environment checks to detect virtual machines and sandboxes. While the original GitHub version only includes China in its country list, the customized version features India, Indonesia, South Africa, Russia, and Cambodia.

  2. Phantom Persistence: One variant employs a novel method called Phantom Persistence to establish persistence on the compromised host. This method abuses functionality intended to let applications that need a reboot to finish an update complete their installation correctly. The malware intercepts the system shutdown signal, halts the normal shutdown sequence, and triggers a reboot under the guise of an application update.

  3. Antivirus Bypass: The modified RustSL loader unpacks the encrypted malicious payload while implementing techniques to bypass antivirus detection.

ABCDoor Backdoor Capabilities

The encrypted payload loaded by RustSL results in the download of the encrypted ValleyRAT (aka Winos 4.0) malware, with the core component ("login-module.dll_bin") responsible for command-and-control (C2) communications, command execution, and retrieval and execution of additional modules.

One of the custom modules deployed as part of the attack following a second geofencing check is ABCDoor, which:

  • Contacts an external server via HTTPS
  • Processes incoming messages to facilitate persistence
  • Handles backdoor updates and removal
  • Collects data such as screenshots
  • Enables remote mouse and keyboard control
  • Performs file system operations
  • Manages system processes
  • Exfiltrates clipboard contents

Evolution of Silver Fox Tactics

"Since 2024, [Silver Fox] has evolved into a dual-track operational model that simultaneously conducts profitable extensive opportunistic activities and espionage activities," according to S2W researchers. "In the early stages, the group targeted China for attacks, but later expanded its operational scope to Taiwan and Japan."

The group has demonstrated adaptability in its delivery methods. As recently as November 2025, Silver Fox was observed using a JavaScript loader to deliver ABCDoor, with the loader distributed via self-extracting (SFX) archives packaged inside ZIP archives likely sent via phishing emails. Newer versions of RustSL have since expanded the geographic focus to include Japan.

Geographic Distribution and Impact

The highest number of attacks has been detected in India, Russia, and Indonesia, followed by South Africa and Japan. The majority of loader samples discovered have employed tax-themed lures to initiate the infection sequence.

"The Silver Fox group primarily utilizes highly customized spear phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal issues of the target country and the target's work characteristics," S2W noted.

Recommendations for Organizations

Organizations should implement the following security measures to protect against similar attacks:

  1. Email Filtering: Implement advanced email filtering solutions that can detect and block phishing attempts with tax-themed lures.

  2. Employee Training: Conduct regular security awareness training to educate employees about recognizing phishing emails, especially those with urgent tax-related claims.

  3. Application Control: Implement application control solutions to prevent execution of unauthorized applications, particularly those mimicking legitimate documents.

  4. Endpoint Protection: Deploy advanced endpoint protection platforms capable of detecting and blocking Rust-based malware and sophisticated loaders.

  5. Network Segmentation: Segment networks to limit the lateral movement of malware in case of compromise.

  6. Patch Management: Ensure all systems and applications are up to date with the latest security patches.

  7. Behavioral Monitoring: Implement behavioral monitoring solutions that can detect unusual activities such as unexpected reboots or persistence mechanisms.

The Silver Fox campaign demonstrates the increasing sophistication of cybercriminal groups and their ability to adapt their tactics to target specific regions and organizations. By understanding these attack techniques and implementing appropriate defensive measures, organizations can better protect themselves against such threats.
