
6 Key Insights into the Silver Fox Cyberattack Campaign Using the Novel ABCDoor Backdoor

2026-05-03 15:12:48

In late 2025 and early 2026, security researchers uncovered a phishing campaign run by the Silver Fox threat group. Targeting organizations in India and Russia, the attackers delivered a new Python-based backdoor named ABCDoor alongside the familiar ValleyRAT malware. This listicle breaks down the six most important aspects of the operation, from the tax-themed email lures to the technical details of the malware chain, and shows how the group operates and what makes this campaign stand out.

1. Overview of the Silver Fox Campaign (December 2025 – January 2026)

In December 2025, we detected a wave of phishing emails carefully crafted to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations, using identical tactics but tailored to the local tax authority. Both waves were attributed to the Silver Fox threat group, a known cyber-espionage actor. The attacks were not isolated incidents: over 1,600 malicious emails were recorded between early January and early February 2026. Victims came from diverse sectors, including industrial, consulting, retail, and transportation, which points to broad rather than narrowly targeted distribution. The attackers relied on the perceived urgency of tax-related communications to get victims to download malicious files, which started a multi-stage infection chain that ultimately delivered ValleyRAT and the previously undocumented ABCDoor backdoor.

Image source: securelist.com

2. Email Lures: India-Focused Tax Scams in December 2025

The India-focused campaign began in December 2025 with emails that appeared to come from the Indian tax authority (Income Tax Department). One notable email, sent through the SendGrid cloud platform, carried an archive named ITD.-.rar. Inside was a single executable, Click File.exe, disguised as an Adobe PDF document. The file was actually the RustSL loader, a modified Rust-based downloader. In another variant, the emails carried a PDF attachment named GST.pdf. The PDF contained two clickable links, both pointing to the same malicious URL: hxxps://abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar (印度邮箱 is Chinese for "Indian mailbox"). Placing the download link inside a PDF rather than attaching the executable directly was meant to get past email security gateways: the attachment itself contains no malicious code, so a gateway that does not follow and analyze the linked archive sees a harmless document.

3. Russia-Focused Tax Scams in January 2026

In January 2026, the Silver Fox group turned to Russia with equally convincing lures. Victims received an email purporting to come from the Russian tax service, with an attached PDF that mimicked an official tax audit notice. The PDF contained two clickable links, both leading to the same malicious site: abc.haijing88[.]com/uploads/фнс/фнс.zip (ФНС is the Russian abbreviation for the Federal Tax Service). The downloaded archive again contained the RustSL loader, ready to start the infection chain. The attackers exploited the trust placed in tax authorities and the high-stakes context of a tax audit to pressure victims into opening the document, and the PDF-link delivery, as in the Indian wave, helped the emails get past automated filters.
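The two lure shapes described in sections 2 and 3 (a PDF whose links fetch an archive with a non-ASCII directory name, and an archive carrying a lone executable) are easy to triage at the mail gateway once the attachment is opened rather than just scanned by extension. The script below is an added example, not code from the original page or from the researchers; the sample PDF and ZIP are constructed inline, the host name lure.example is a placeholder rather than an indicator, and the PDF parsing is deliberately minimal (it reads URI actions stored as plain objects, so PDFs that compress their annotations into object streams would have to be inflated first).

```python
"""Attachment triage for the two lure shapes above: a PDF whose clickable links
download an archive, and an archive that carries a lone executable.
Constructed example; samples are built inline and 'lure.example' is a placeholder."""
import io
import re
import zipfile
from urllib.parse import unquote, urlsplit

ARCHIVE_EXT = (".rar", ".zip", ".7z")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi", ".hta")

# A link annotation carries a URI action: /A << /S /URI /URI (https://...) >>.
# Literal strings are parenthesised and may contain backslash escapes.
# Caveat: only objects stored uncompressed are visible to this regex; annotations
# inside object streams (/ObjStm, FlateDecode) must be inflated before scanning.
_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
_ESCAPES = {ord("n"): 10, ord("r"): 13, ord("t"): 9, ord("b"): 8, ord("f"): 12}


def unescape_pdf_string(raw: bytes) -> str:
    """Decode a PDF literal string body: \\( \\) \\\\ \\ddd and the C-style escapes."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] == 0x5C and i + 1 < len(raw):            # backslash escape
            j = i + 1
            if raw[j] in b"01234567":                        # up to three octal digits
                k = j
                while k < len(raw) and k - j < 3 and raw[k] in b"01234567":
                    k += 1
                out.append(int(raw[j:k], 8) & 0xFF)
                i = k
            else:
                out.append(_ESCAPES.get(raw[j], raw[j]))    # \( \) \\ map to themselves
                i = j + 1
        else:
            out.append(raw[i])
            i += 1
    return out.decode("utf-8", "replace")


def defang(url: str) -> str:
    """hxxp scheme and [.] in the host so the indicator is safe to paste into a report."""
    p = urlsplit(url)
    safe_scheme = p.scheme.replace("http", "hxxp")
    return url.replace(f"{p.scheme}://{p.netloc}", f"{safe_scheme}://{p.netloc.replace('.', '[.]')}", 1)


def classify_link(url: str) -> dict:
    """Percent-decode the path (the lures used Chinese and Russian directory names)
    and flag links whose final path segment is an archive download."""
    p = urlsplit(url)
    path = unquote(p.path)
    filename = path.rsplit("/", 1)[-1]
    return {
        "defanged": defang(url),
        "host": p.hostname or "",
        "decoded_path": path,
        "filename": filename,
        "archive_download": filename.lower().endswith(ARCHIVE_EXT),
    }


def scan_pdf_links(pdf: bytes) -> list[dict]:
    """Every URI action in the PDF, classified; duplicates are kept so a
    'two links, one target' lure is visible in the output."""
    return [classify_link(unescape_pdf_string(m.group(1))) for m in _URI_RE.finditer(pdf)]


def scan_zip_members(data: bytes) -> list[dict]:
    """Per-member verdict: executable extension and/or a PE header (MZ) regardless of
    name, plus whether the archive holds a single file.  RAR archives such as
    ITD.-.rar need the third-party rarfile module; the checks are the same."""
    out = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [m for m in zf.infolist() if not m.is_dir()]
        for m in members:
            with zf.open(m) as fh:
                head = fh.read(2)
            out.append({
                "name": m.filename,
                "executable_ext": m.filename.lower().endswith(EXEC_EXT),
                "pe_header": head == b"MZ",
                "lone_member": len(members) == 1,
            })
    return out


# --- constructed samples (not real lure files) --------------------------------
# %D1%84%D0%BD%D1%81 is the percent-encoding of "фнс", mirroring the path shape.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]\n"
    b"   /A << /S /URI /URI (https://lure.example/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /Rect [72 600 300 620]\n"
    b"   /A << /S /URI /URI (https://lure.example/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link\n"
    b"   /A << /S /URI /URI (https://www.example.org/help\\(faq\\).html) >> >> endobj\n"
    b"%%EOF\n"
)


def build_sample_zip() -> bytes:
    """A ZIP with one member that starts with a PE header (a stub, not a real PE)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Click File.exe", b"MZ" + b"\x90" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for link in scan_pdf_links(SAMPLE_PDF):
        print(link)
    for member in scan_zip_members(build_sample_zip()):
        print(member)
```

Run on the samples, the PDF scan returns the same archive link twice (the "two links, one target" pattern of both waves) with the path decoded to /uploads/фнс/фнс.zip, and the ZIP scan flags the single member as an executable with a PE header. In a gateway pipeline the natural action is to hold any message whose PDF links resolve to an archive, or whose archive contains a lone PE, for detonation or analyst review.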

4. The RustSL Loader: Doorway to Malware

Both the Indian and Russian campaigns relied on a modified version of a publicly available Rust-based loader known as RustSL. Originally hosted on GitHub as open-source software, the loader was customized by the attackers to download and execute the well-known ValleyRAT backdoor. The loader is a compact executable that, once run, contacts remote servers to fetch the next-stage payload. The RustSL variant used by Silver Fox was not just a plain downloader: it included evasion logic, for instance running only when certain system conditions were met, which lowers the chance that a sandbox ever sees the second stage. This stage matters because it is the point at which the actual implant reaches the victim's machine, enabling the deployment of ValleyRAT and, in some cases, the previously undocumented ABCDoor backdoor.


5. Discovery of the ABCDoor Backdoor

During our investigation of the Silver Fox campaign, we uncovered a new ValleyRAT plugin being delivered to victim devices. This plugin acts as a loader for a previously unseen Python-based backdoor, which we named ABCDoor. Retrospective analysis showed that ABCDoor has been part of the Silver Fox arsenal since at least late 2024, with real-world attacks dating back to the first quarter of 2025 and continuing into early 2026. Being written in Python makes the backdoor portable across platforms and easy to modify. ABCDoor gives the attackers remote access, including file exfiltration, keylogging, and command execution. Its stealthy design and its use of legitimate services for command-and-control traffic make it hard to spot in network telemetry. The discovery of ABCDoor shows how the Silver Fox toolset keeps evolving and how the group diversifies its malware to stay ahead of signature-based detection.

6. Impact and Conclusion: Lessons from the Campaign

The Silver Fox campaign is a stark reminder of how effective tax-themed phishing lures remain and how adaptable modern threat actors are. With over 1,600 malicious emails recorded in a single month and targets across the industrial, consulting, retail, and transportation sectors, the impact was substantial. PDFs with embedded links got past many email security controls, while deploying both ValleyRAT and ABCDoor gave the attackers redundancy and persistence. Organizations should treat unsolicited tax-related documents with suspicion, especially ones that ask the reader to follow a link to download an archive. Email filtering that follows and inspects linked files, user awareness training, and endpoint detection that can analyze scripts and loaders such as RustSL are the defenses that matter here. With its updated arsenal, including ABCDoor, Silver Fox shows that threat actors are constantly innovating; staying informed and proactive is the best defense against such threats.

In conclusion, the Silver Fox campaign targeting Russia and India with the ABCDoor backdoor illustrates a well-planned, multi-stage attack that leveraged social engineering and technical evasion. By understanding each component—from the phishing emails to the final payloads—organizations can better prepare to defend against similar threats in the future.
