The cybercrime group known as Silver Fox, based in China, has launched a malicious campaign targeting organizations within India and Russia. This campaign involves the deployment of a new malware, ABCDoor, through tax-themed phishing emails. The emails, designed to appear as legitimate communications from the Income Tax Department of India, were first identified in December 2025, with similar attacks targeting Russian entities soon after.
Phishing Tactics and Malware Delivery
The campaign utilized phishing emails that mimic official tax notices, urging recipients to download an archive purported to contain a list of tax violations. According to cybersecurity firm Kaspersky, these archives concealed a modified Rust-based loader sourced from a public repository. This loader was programmed to download and execute the well-established ValleyRAT backdoor, impacting sectors such as industrial, consulting, retail, and transportation. Over 1,600 phishing emails were detected between early January and February.
Kaspersky highlighted the introduction of a new ValleyRAT plugin that acts as a loader for the previously undocumented Python-based backdoor named ABCDoor. This backdoor has reportedly been part of Silver Fox’s toolkit since December 2024, actively used in attacks from February or March 2025 onwards.
Technical Aspects of the Attack
The attack typically begins with a phishing email containing a PDF file. This file includes links leading to a ZIP or RAR archive hosted on “abc.haijing88[.]com.” In December 2025, the malicious code was embedded directly within the email attachments. The archive contained an executable disguised as a PDF file, employing a modified open-source shellcode loader and antivirus bypass framework known as RustSL.
The RustSL variant used by Silver Fox is primarily responsible for decrypting and deploying the malicious payload. It also performs geofencing and environment checks to determine whether it is running inside a virtual machine or sandbox. Where the public GitHub variant's geofence lists only China, Silver Fox's version includes India, Indonesia, South Africa, Russia, and Cambodia.
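A defender-side check for the delivery chain described above, added here as an illustration and not part of the original article or of any Kaspersky tooling: it flags archive entries that pose as documents (a double extension such as .pdf.exe, or a .pdf whose bytes begin with the PE "MZ" header) and matches proxy log lines against the article's defanged domain. The sample archive and the log lines are constructed, and the log format assumed here (timestamp, source address, method, URL) is a hypothetical one; the indicator is kept defanged in the source and only refanged at match time.

```python
import io
import re
import zipfile

# Indicator from the article, kept in defanged form; refang() converts it when matching.
DEFANGED_DOMAIN = "abc.haijing88[.]com"

# Extensions Windows will execute; a document-looking name ending in one of these is suspicious.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta", ".msi"}
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Hypothetical proxy log layout: "<timestamp> <source> <method> <url>" (an assumption for this example).
LOG_PATTERN = re.compile(r"(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'abc.example[.]com' back into its matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")


def _extension(name: str) -> str:
    """Lowercase final extension of a name, e.g. 'a.pdf.exe' -> '.exe'; '' if none."""
    idx = name.rfind(".")
    return name[idx:].lower() if idx != -1 else ""


def find_disguised_executables(archive_bytes: bytes) -> list[str]:
    """Return archive entries that look like documents but are, or hide, executables.

    Two checks: a double extension such as 'notice.pdf.exe', and a document-named
    entry whose first two bytes are the DOS/PE 'MZ' magic.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            ext = _extension(base)
            stem = base[: -len(ext)] if ext else base
            double_ext = ext in EXECUTABLE_EXTENSIONS and _extension(stem) in DOCUMENT_EXTENSIONS
            with zf.open(info) as fh:
                magic = fh.read(2)  # only the header bytes are needed
            pe_in_document = ext in DOCUMENT_EXTENSIONS and magic == b"MZ"
            if double_ext or pe_in_document:
                findings.append(info.filename)
    return sorted(findings)


def scan_proxy_logs(lines, defanged_indicators):
    """Return (source, url) pairs for log lines whose URL host matches an indicator."""
    hosts = {refang(i).lower() for i in defanged_indicators}
    hits = []
    for line in lines:
        m = LOG_PATTERN.match(line)
        if not m:
            continue
        url = m.group("url")
        host = re.sub(r"^[a-z]+://", "", url.lower()).split("/", 1)[0].split(":")[0]
        if host in hosts:
            hits.append((m.group("src"), url))
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: a double-extension entry, a renamed PE, and a benign text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_violations.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("notice.pdf", b"MZ\x90\x00" + b"\x00" * 60)
        zf.writestr("readme.txt", b"Reference note, not an executable")
    return buf.getvalue()


# Constructed log lines; the indicator URL is built from the defanged form at runtime.
SAMPLE_PROXY_LOGS = [
    "2026-01-14T09:01:57Z 10.20.30.41 GET https://intranet.example.local/portal",
    f"2026-01-14T09:02:11Z 10.20.30.41 GET http://{refang(DEFANGED_DOMAIN)}/tax_list.zip",
    "2026-01-14T09:02:40Z 10.20.30.77 GET https://updates.example.org/patch.msi",
]


if __name__ == "__main__":
    print("suspicious archive entries:", find_disguised_executables(build_sample_archive()))
    print("indicator hits:", scan_proxy_logs(SAMPLE_PROXY_LOGS, [DEFANGED_DOMAIN]))
```

Only ZIP archives are inspected because the standard library has no RAR reader; the same two checks apply to RAR entries once an extra library unpacks them. The double-extension test is deliberately narrow (document name followed by an executable extension) so that benign installers named plainly are not flagged.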
Persistence and Wider Impacts
A notable feature of the attack is the use of Phantom Persistence, a technique that allows the malware to survive system reboots. First documented in June 2025, this method interrupts the normal shutdown sequence and instead reboots the system under the guise of an update, so that the malware is executed at startup. Once decrypted, the payload downloads ValleyRAT, which handles command-and-control communications and runs additional modules.
Silver Fox’s operations have evolved, now following a dual-track model that combines opportunistic attacks with espionage activity. Initially focused on China, the group has expanded to include Taiwan and Japan. Despite the sophistication of their phishing tactics, the highest number of attacks has been observed in India, Russia, and Indonesia.
In conclusion, the Silver Fox group continues to adapt its strategies, leveraging tax-themed lures and sophisticated phishing methods to infiltrate targeted organizations. Their evolving tactics underscore the importance of robust cybersecurity measures to protect against such advanced threats.
