Silver Fox APT Targets Global Sectors with Fake Tax Notices, Deploys ValleyRAT and ABCDoor Backdoor

A sophisticated cyber espionage campaign orchestrated by the Chinese-linked Advanced Persistent Threat (APT) group known as Silver Fox has been targeting organizations across multiple countries. By masquerading as official tax authority communications, the group has successfully infiltrated various sectors, deploying both the established ValleyRAT backdoor and a newly identified Python-based implant named ABCDoor.

Campaign Overview

The campaign was first detected in December 2025, with phishing emails impersonating the Indian tax service. In January 2026, a similar operation targeted Russian organizations. These emails, formatted as tax audit notices or warnings about alleged tax violations, prompted recipients to download an archive file purportedly containing a list of tax violations. The attacks spanned industries such as industrial, consulting, retail, and transportation, with over 1,600 malicious emails recorded between early January and early February 2026.

Social Engineering Tactics

Silver Fox’s strategy leverages the urgency and authority associated with tax-related communications. By crafting emails that appear to be from legitimate government entities, the group exploits the natural inclination of employees to respond promptly to such notices. The phishing emails included PDF attachments containing download links, a tactic designed to bypass email security gateways that typically scan for direct malware attachments.

Infection Chain Analysis

Upon clicking the download link in the phishing PDF, victims retrieve a compressed archive containing a modified Rust-based loader known as RustSL. Silver Fox adapted this loader from a public GitHub repository, introducing modules like steganography.rs for payload unpacking and guard.rs for environment checks and geofencing. The loader is disguised with a PDF or Excel file icon to avoid raising suspicion. When executed, RustSL loads an encrypted payload into memory, initiating the deployment of ValleyRAT and ABCDoor.
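The two delivery steps above (a PDF lure carrying a download link, then an archive whose payload is an executable wearing a document icon) are where a mail gateway or sandbox can intervene before anything runs. The following Python script is an added example written for this page, not code from the report or from the Silver Fox toolset. It extracts `/URI` link targets from an attached PDF, flags those that point at archives, and then inspects a downloaded ZIP for members that begin with the `MZ` executable header regardless of their name. The PDF bytes, the archive contents and the `lure.example` URL are constructed placeholders, not indicators from the campaign.

```python
import io
import re
import zipfile

# Constructed sample PDF (not from the report): two link annotations, one of
# which points at an archive the way a tax-notice lure would.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://lure.example/Tax_Violations.zip) >> >> endobj
2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://www.example.org/help) >> >> endobj
%%EOF
"""

ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
# Matches /URI (target) entries in uncompressed PDF objects.
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def extract_pdf_uris(pdf_bytes):
    """Return every /URI target found in the raw PDF bytes, in document order."""
    return [m.group(1).decode("latin-1") for m in URI_RE.finditer(pdf_bytes)]


def archive_links(pdf_bytes):
    """Return the subset of link targets whose path ends in an archive extension."""
    hits = []
    for uri in extract_pdf_uris(pdf_bytes):
        path = uri.lower().split("?", 1)[0]
        if path.endswith(ARCHIVE_EXTENSIONS):
            hits.append(uri)
    return hits


def build_sample_archive():
    """Constructed ZIP: a PE stub named like a document next to a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # 'MZ' is the DOS header every Windows PE begins with; the rest is padding.
        zf.writestr("Tax_Violations_List.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("README.txt", b"plain text, nothing to see here")
    return buf.getvalue()


def find_executables_in_archive(archive_bytes):
    """Return member names whose content starts with the MZ header, whatever the
    filename or icon suggests."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            with zf.open(info) as member:
                if member.read(2) == b"MZ":
                    flagged.append(info.filename)
    return flagged


if __name__ == "__main__":
    print("archive links in PDF:", archive_links(SAMPLE_PDF))
    print("executables in archive:", find_executables_in_archive(build_sample_archive()))
```

The `/URI` regex only sees objects stored uncompressed; production PDFs often wrap annotations in Flate-compressed object streams, so a gateway should inflate streams (or use a full PDF parser) before applying the same check. The archive test deliberately ignores the filename and icon, which is the point: the disguise described above lives in the name and the PE resource section, not in the first two bytes.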

ValleyRAT and ABCDoor Deployment

ValleyRAT, a modular backdoor, provides attackers with extensive control over compromised systems, enabling data exfiltration, command execution, and further malware deployment. ABCDoor, the newly discovered Python-based implant, enhances Silver Fox’s capabilities by establishing persistent access and facilitating additional malicious activities. The consistent use of “abc” as the third-level label in its command-and-control (C2) domains led researchers to name it ABCDoor.
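A naming pattern in the C2 hostname is a cheap hunting signal for defenders who keep DNS resolver logs. The script below is an added example for this page, not code from the report; it parses constructed resolver log lines, isolates the third-level label of each queried name (the label immediately left of the registrable domain), and flags queries whose third-level label starts with `abc`. The `startswith("abc")` test, the log line format and every hostname under `.example` are assumptions made for the example; the report only states that “abc” appears in the third-level domain pattern, so the match rule should be tuned against real samples.

```python
import re
from collections import Counter

# Constructed resolver log lines (not from the report). All hostnames are
# placeholders under .example, not real C2 indicators.
SAMPLE_DNS_LOG = """\
2026-01-15T09:12:44Z client=10.0.0.5 query=abc123.lure-domain.example type=A
2026-01-15T09:12:45Z client=10.0.0.5 query=www.vendor.example type=A
2026-01-15T09:13:01Z client=10.0.0.9 query=abc.update-service.example type=A
2026-01-15T09:13:05Z client=10.0.0.7 query=mail.corp.example type=MX
2026-01-15T09:14:10Z client=10.0.0.5 query=abc77.lure-domain.example type=A
2026-01-15T09:14:12Z client=10.0.0.7 query=cdn.abcshop.example type=A
"""

LINE_RE = re.compile(r"client=(?P<client>\S+)\s+query=(?P<query>\S+)")

# Illustrative sample of two-label public suffixes. A real deployment should
# load the full Public Suffix List instead of this hand-picked set.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au"}


def third_level_label(hostname):
    """Return the label just left of the registrable domain, or None if the
    name has no third level (e.g. 'example.com' or 'example.co.uk')."""
    labels = hostname.lower().rstrip(".").split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    # registrable domain = public suffix + one label; the third level sits
    # one position further left.
    idx = len(labels) - suffix_len - 2
    return labels[idx] if idx >= 0 else None


def is_abc_third_level(hostname):
    """Assumed match rule: the third-level label begins with 'abc'."""
    label = third_level_label(hostname)
    return label is not None and label.startswith("abc")


def hunt(log_text):
    """Return (list of (client, query) hits, Counter of hits per client)."""
    hits = []
    per_client = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        if is_abc_third_level(m["query"]):
            hits.append((m["client"], m["query"]))
            per_client[m["client"]] += 1
    return hits, per_client


if __name__ == "__main__":
    found, counts = hunt(SAMPLE_DNS_LOG)
    for client, query in found:
        print(f"{client} -> {query}")
    print("hits per client:", dict(counts))
```

Note that `cdn.abcshop.example` is not flagged: there “abcshop” is the second-level (registrable) label, not the third, which is exactly the distinction the naming in the report draws. Ranking by hits per client turns a stream of matches into a short list of hosts to pull for endpoint triage.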

Geographical Targeting and Geofencing

Silver Fox employs geofencing techniques to ensure the malware operates only on devices within specific countries, including India, Russia, Indonesia, South Africa, Cambodia, and Japan. This targeted approach minimizes the risk of detection and analysis by security researchers outside the intended regions.

Recommendations for Organizations

To mitigate the risk posed by such sophisticated phishing campaigns, organizations should implement the following measures:

1. Employee Training: Conduct regular cybersecurity awareness programs to educate employees about recognizing phishing attempts, especially those impersonating authoritative entities like tax authorities.

2. Email Filtering: Deploy advanced email filtering solutions capable of detecting and blocking phishing emails with embedded malicious links or attachments.

3. Endpoint Protection: Utilize robust endpoint detection and response (EDR) systems to identify and neutralize malicious activities on user devices.

4. Regular Updates: Ensure all systems and software are up-to-date with the latest security patches to prevent exploitation of known vulnerabilities.

5. Incident Response Plan: Develop and regularly update an incident response plan to swiftly address and mitigate the impact of security breaches.

Conclusion

The Silver Fox APT group’s use of fake tax notices to deploy ValleyRAT and ABCDoor underscores the evolving nature of cyber threats and the importance of vigilance. By understanding the tactics employed by such threat actors and implementing comprehensive security measures, organizations can better protect themselves against sophisticated phishing campaigns and malware deployments.