Silver Fox Targets India, Russia with ABCDoor Malware via Tax-Themed Phishing Campaign


The China-based cybercrime group known as Silver Fox has launched a phishing campaign against organizations in India and Russia that deploys a new malware family called ABCDoor. The operation, which began in December 2025, used emails masquerading as official communications from India's Income Tax Department, followed by similar attacks on Russian entities.

Phishing Tactics and Initial Infection

The campaign's phishing emails were crafted to look like official tax audit notices and prompted recipients to download an archive that supposedly contained a list of tax violations. The archive held a modified Rust-based loader, derived from a public repository, which in turn downloaded and executed the ValleyRAT backdoor. Between early January and early February, more than 1,600 such phishing emails were sent to organizations in the industrial, consulting, retail, and transportation sectors.

Introduction of ABCDoor Malware

A notable aspect of these phishing waves was a new ValleyRAT plugin that acts as a loader for ABCDoor, a previously undocumented Python-based backdoor. According to cybersecurity firm Kaspersky, ABCDoor has been part of Silver Fox's arsenal since at least December 19, 2024, and has been actively used in attacks since February or March 2025.

Attack Chain Details

The attack chain began with a phishing email carrying a PDF whose clickable links led to the download of a ZIP or RAR archive hosted on abc.haijing88[.]com; in the December 2025 campaign, the malicious code was instead embedded directly in the email attachments. The archive contained an executable disguised as a PDF: a modified version of RustSL, an open-source shellcode loader and antivirus bypass framework. Silver Fox's first recorded use of RustSL dates to late December 2025.
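The disguised executable described above is the kind of thing a mail gateway or archive scanner can catch by comparing what a file name claims with what the bytes contain. The following is an added example, not code from the article or from Kaspersky's research: it reads each ZIP member's leading bytes (Windows PE images start with `MZ`, PDFs with `%PDF-`) and compares them with the extension. The archive, its member names and their contents are constructed in memory for the demonstration and are not the campaign's artefacts.

```python
# Added example: a mail-gateway style check that archive members are the
# file type their names claim. Not code from the article or from Kaspersky.
# The ZIP built by build_sample_zip() and its file names are constructed.
import io
import zipfile
from typing import List, Tuple

PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF-"
# Extensions Windows treats as directly executable (not an exhaustive list).
EXEC_SUFFIXES = (".exe", ".scr", ".com", ".pif", ".dll")


def classify_bytes(head: bytes) -> str:
    """Identify a member's real type from its first bytes."""
    if head.startswith(PE_MAGIC):
        return "pe"
    if head.startswith(PDF_MAGIC):
        return "pdf"
    return "other"


def verdict(name: str, head: bytes) -> str:
    """Compare the type implied by the name with the type implied by content."""
    actual = classify_bytes(head)
    lower = name.lower()
    if actual == "pe" and not lower.endswith(EXEC_SUFFIXES):
        # Content is a Windows executable but the name hides that entirely.
        return "executable with non-executable extension"
    if actual == "pe" and ".pdf" in lower:
        # e.g. "Notice.pdf.exe": Explorer hides known extensions by default,
        # so the user sees "Notice.pdf".
        return "executable with document name"
    return "ok"


def audit_archive(data: bytes) -> List[Tuple[str, str]]:
    """Return (member name, verdict) for every file in an in-memory ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            findings.append((info.filename, verdict(info.filename, head)))
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive; the names and contents are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # A PE header stub named like the tax-violation list in the lure.
        zf.writestr("Tax_Violations_List.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        # A PE stub with a plain .pdf name.
        zf.writestr("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        # A genuine-looking PDF and a harmless text file.
        zf.writestr("Notice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")
        zf.writestr("readme.txt", b"plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for member, result in audit_archive(build_sample_zip()):
        print(f"{member:30s} {result}")
```

Only the first eight bytes of each member are read, so the check costs little even for large archives; a production scanner would extend `classify_bytes` to cover scripts, shortcuts and other executable formats the gateway policy cares about.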

Advanced Evasion Techniques

The customized RustSL variant used by Silver Fox unpacks encrypted malicious payloads and performs country-based geofencing and environment checks to detect virtual machines and sandboxes. Unlike the original GitHub version, whose country list contained only China, the bespoke build expanded the list to India, Indonesia, South Africa, Russia, and Cambodia.

One loader variant used a novel persistence method called Phantom Persistence. The technique abuses functionality intended for applications that need a reboot to complete an update: the loader intercepts the system shutdown signal, halts the normal shutdown sequence, and triggers a reboot under the pretext of an application update, with the malware registered as the application to relaunch. As a result, the OS executes the loader again at startup.
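A reboot initiated by a process rather than by the user leaves a trace in the Windows System log, which gives defenders a place to look for this behaviour. The following is an added example, not code from the article or from Kaspersky's research: a small triage script over Event ID 1074 records (the real USER32 event written when a process initiates a shutdown or restart) that flags restarts requested by a process running outside the usual system and program directories. The `EventID=` prefix and the log lines are constructed approximations of that event's message text, not captured data, and the Temp-directory file name in them is made up.

```python
# Added example: triage of Windows System log records for restarts initiated
# by a process, the trace a Phantom Persistence style reboot would leave.
# Not code from the article or from Kaspersky. Event ID 1074 is the real
# Windows event for process-initiated shutdown/restart; SAMPLE_LOG below is
# constructed in that message's shape, and TaxNotice.pdf.exe is a made-up name.
import re
from dataclasses import dataclass
from typing import List, Optional

EVENT_RE = re.compile(
    r"EventID=(?P<id>\d+)\s+"
    r"The process (?P<process>.+?) \((?P<host>[^)]+)\) has initiated the "
    r"(?P<action>shutdown|restart|power off) of computer (?P<computer>\S+) "
    r"on behalf of user (?P<user>\S+) for the following reason: (?P<reason>.+?)"
    r"\s+Reason Code: (?P<code>0x[0-9A-Fa-f]+)"
    r"\s+Shutdown Type: (?P<type>restart|shutdown|power off)"
)

# Directories a legitimate restart-initiating process normally runs from.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


@dataclass
class RestartEvent:
    process: str
    user: str
    reason: str
    shutdown_type: str


def parse_event_1074(line: str) -> Optional[RestartEvent]:
    """Parse one System log line; return None unless it is an Event 1074."""
    m = EVENT_RE.search(line)
    if not m or m.group("id") != "1074":
        return None
    return RestartEvent(m.group("process"), m.group("user"),
                        m.group("reason"), m.group("type"))


def is_suspicious(ev: RestartEvent) -> bool:
    """A restart (not a plain shutdown) requested by a process outside the
    trusted system or program directories deserves a closer look."""
    return (ev.shutdown_type == "restart"
            and not ev.process.lower().startswith(TRUSTED_PREFIXES))


def suspicious_restarts(lines: List[str]) -> List[str]:
    """Return the initiating process path for each suspicious restart."""
    return [ev.process for ev in map(parse_event_1074, lines)
            if ev is not None and is_suspicious(ev)]


# Constructed log lines in the shape of Event 1074 messages.
SAMPLE_LOG = [
    r"EventID=1074 The process C:\Windows\explorer.exe (WS01) has initiated the "
    r"restart of computer WS01 on behalf of user CORP\alice for the following "
    r"reason: Other (Unplanned)  Reason Code: 0x5000000  Shutdown Type: restart  Comment:",
    r"EventID=1074 The process C:\Users\alice\AppData\Local\Temp\TaxNotice.pdf.exe (WS01) "
    r"has initiated the restart of computer WS01 on behalf of user CORP\alice for the "
    r"following reason: Application: Installation (Planned)  Reason Code: 0x80040002  "
    r"Shutdown Type: restart  Comment: update",
    r"EventID=6006 The Event log service was stopped.",
    r"EventID=1074 The process C:\Windows\system32\winlogon.exe (WS01) has initiated the "
    r"power off of computer WS01 on behalf of user CORP\alice for the following reason: "
    r"Other (Unplanned)  Reason Code: 0x500ff  Shutdown Type: power off  Comment:",
]

if __name__ == "__main__":
    for path in suspicious_restarts(SAMPLE_LOG):
        print("suspicious restart initiated by", path)
```

The path-based rule is deliberately coarse: it is meant as a hunting filter, and in practice one would pair it with the surrounding process-creation telemetry for the initiating image before drawing a conclusion.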

Deployment of ValleyRAT and ABCDoor

The encrypted payload unpacked by RustSL downloaded the encrypted ValleyRAT (also known as Winos 4.0) malware. Its core component, login-module.dll_bin, handles command-and-control communications, command execution, and the retrieval and execution of additional modules.

After a second geofencing check, one of the custom modules deployed was ABCDoor. The backdoor contacts an external server over HTTPS and processes the commands it receives to establish persistence, update or remove itself, take screenshots, provide remote mouse and keyboard control, perform file system operations, manage system processes, and exfiltrate clipboard contents.

Evolution of Silver Fox’s Tactics

As recently as November 2025, Silver Fox was observed using a JavaScript loader to deliver ABCDoor. The loader was distributed via self-extracting (SFX) archives packaged inside ZIP archives, likely sent through phishing emails. Newer versions of RustSL have since expanded the geographic focus to include Japan.

The largest number of attacks has been detected in India, Russia, and Indonesia, followed by South Africa and Japan. Most of the loader samples discovered use tax-themed lures to initiate the infection sequence.

Dual-Track Operational Model

Since 2024, Silver Fox has operated on a dual-track model, running broad opportunistic campaigns and espionage operations in parallel. Early on, the group targeted China, but it later expanded its scope to Taiwan and Japan.

For initial access, Silver Fox relies mainly on highly customized spear-phishing, with diversified attack scenarios tailored to seasonal issues in the target country and to the target's line of work.

Conclusion

The Silver Fox cybercrime group’s recent activities underscore the evolving nature of cyber threats and the importance of vigilance against sophisticated phishing campaigns. Organizations, especially those in targeted sectors and regions, should enhance their cybersecurity measures, conduct regular employee training on recognizing phishing attempts, and implement robust email filtering systems to mitigate the risk of such attacks.