A cyber threat group identified as Silver Fox has been conducting an intricate phishing operation targeting employees from various organizations across different nations. The group employs emails masquerading as official tax notices, leading unsuspecting victims to download malicious software.
Phishing Campaign Details
Initially detected in December 2025, Silver Fox’s campaign involved emails posing as communications from tax authorities, tricking recipients into downloading malware. These emails, which were designed to resemble official tax audit alerts, included links to download a file purportedly listing tax discrepancies.
In January 2026, a similar attack targeted Russian entities. The phishing attempts have hit sectors including industry, consulting, retail, and transportation, with Securelist documenting over 1,600 malicious emails in a month-long period.
Introduction of New Malware
Investigations by Securelist attributed the attacks to Silver Fox, revealing that besides the known ValleyRAT backdoor, the attackers deployed a new Python-based malware named ABCDoor. ABCDoor is delivered via a plugin linked to ValleyRAT, and its C2 addresses typically feature an ‘abc’ subdomain, giving the backdoor its name.
Retrospective analysis showed ABCDoor’s use by Silver Fox since late 2024, with active attacks starting in early 2025. The group’s strategic use of social engineering is noteworthy, as the urgency of tax notices compels employees to act without due diligence.
Infection Methodology and Mitigation
The infection begins when a recipient clicks a link in the phishing email, downloading an archive with a modified Rust-based loader, known as RustSL. Silver Fox adapted RustSL for specific environments, using modules like steganography.rs for payload unpacking and guard.rs for geofencing.
RustSL appears as a harmless PDF or Excel file, but once executed, it loads encrypted shellcode, downloads the ValleyRAT module, and ultimately deploys the ABCDoor backdoor. ABCDoor uses Cython to obscure its code and operates through a legitimate Python process, making detection challenging.
To combat such threats, organizations are urged to educate staff on verifying tax-related emails and to enhance email security protocols. Monitoring unusual system activity, such as suspicious registry changes or unexpected tasks, can help identify potential infections early.
Proactive defense measures, including flagging PDF files with download links and scrutinizing dubious processes, are crucial to safeguarding against Silver Fox’s sophisticated attacks.
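Two of the checks recommended above (catching a loader that poses as a PDF or Excel file, and flagging PDFs that carry download links) can be automated at the mail gateway. The following is an added example written for this article, not code from Securelist or from the campaign; the filenames and file contents are constructed stand-ins, and the magic-byte values are the standard format signatures rather than anything specific to RustSL.

```python
"""Attachment triage: flag document-named files that are really executables,
double extensions, and PDFs that contain external download links."""
import re
from pathlib import PurePosixPath

# Standard signatures for the document types an attachment might claim to be.
MAGIC = {
    ".pdf": b"%PDF",
    ".xlsx": b"PK\x03\x04",       # OOXML is a ZIP container
    ".xls": b"\xd0\xcf\x11\xe0",  # legacy OLE compound file
}
PE_MAGIC = b"MZ"                  # Windows executable header
URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")  # /URI (http://...) in a PDF action

def inspect_attachment(filename: str, data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    suffixes = PurePosixPath(filename).suffixes
    ext = suffixes[-1].lower() if suffixes else ""
    # 1. Double extension such as 'audit.pdf.exe' hides the real type.
    if len(suffixes) >= 2 and suffixes[-2].lower() in MAGIC:
        findings.append(f"double extension {''.join(suffixes)}")
    # 2. Declared document type disagrees with the actual file signature.
    expected = MAGIC.get(ext)
    if expected and not data.startswith(expected):
        kind = "PE executable" if data.startswith(PE_MAGIC) else "unknown"
        findings.append(f"{ext} claimed but content is {kind}")
    # 3. A genuine PDF whose link actions point to external URLs.
    if data.startswith(b"%PDF"):
        links = [m.decode("latin-1") for m in URI_RE.findall(data)]
        if any(l.lower().startswith(("http://", "https://")) for l in links):
            findings.append(f"pdf contains {len(links)} external link(s)")
    return findings

# Constructed samples standing in for quarantined attachments (not real files).
SAMPLES = {
    "tax_audit_2026.pdf": b"%PDF-1.7\n1 0 obj << /S /URI /URI "
                          b"(https://example.invalid/discrepancies.zip) >> endobj\n",
    "tax_notice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
    "tax_discrepancies.pdf.exe": b"MZ\x90\x00" + b"\x00" * 60,
    "invoice.xlsx": b"PK\x03\x04" + b"\x00" * 30,
}

def triage_all(samples=SAMPLES) -> dict[str, list[str]]:
    return {name: inspect_attachment(name, data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, findings in triage_all().items():
        print(name, "->", findings or ["clean"])
```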
