Silver Fox Group Deploys Novel ABCDoor Backdoor in Tax-Themed Phishing Campaigns Targeting India and Russia
<h2>Introduction</h2><p>In late 2025 and early 2026, a threat actor known as <strong>Silver Fox</strong> ran a series of targeted phishing campaigns against organizations in <strong>Russia</strong> and <strong>India</strong>. The attacks used tax‑related lures to deliver a new, previously undocumented Python‑based backdoor named <strong>ABCDoor</strong>. Security researchers found that ABCDoor has been part of Silver Fox’s arsenal since at least late 2024 and has been used in real‑world attacks from the first quarter of 2025 onward. This article covers the campaign’s techniques, the modified loaders used, and the implications for affected sectors.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/29144353/SL-Silver-Fox-tax-campaign-featured.jpg" alt="Silver Fox Group Deploys Novel ABCDoor Backdoor in Tax-Themed Phishing Campaigns Targeting India and Russia" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure><h2>The Phishing Campaigns</h2><p>Both waves followed nearly identical structures, impersonating official tax authorities to trick victims into executing malware. The attackers used two delivery methods: PDF attachments whose embedded links download an archive, and archives attached directly to the email that contain the executable loader.</p><h3>Russia‑Focused Campaign (January 2026)</h3><p>In January 2026, victims in Russia received emails that appeared to come from the tax service. The messages urged recipients to review a “list of tax violations” and included a PDF attachment. The PDF contained two clickable links, both pointing to the same malicious site: <code>abc.haijing88[.]com/uploads/фнс/фнс.zip</code>. 
This archive held a modified Rust‑based loader (<a href="#rustsl-loader">RustSL</a>) that subsequently downloaded and executed the well‑known <strong>ValleyRAT</strong> backdoor.</p><p>The email’s design imitated official correspondence, with formal language and logos to lower suspicion. By using download links inside the PDF, the attackers aimed to bypass email security gateways that often block direct executable attachments.</p><h3>India‑Focused Campaign (December 2025 / January 2026)</h3><p>In December 2025, a similar campaign targeted Indian organizations. One wave sent emails via the <strong>SendGrid</strong> cloud platform. The email contained an archive named <code>ITD.-.rar</code>, which included a single executable file, <code>Click File.exe</code>, disguised with an Adobe PDF icon – in reality the malicious RustSL loader.</p><p>Another variant, distributed in late December, had a PDF attachment named <code>GST.pdf</code>. This PDF contained two links redirecting to <code>hxxps://abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar</code>. (Here, “印度邮箱” translates from Chinese as “Indian mailbox”.) The attackers again exploited the perceived urgency of tax audits to convince victims to download the archive.</p><p><strong>Sectors affected</strong> include industrial, consulting, retail, and transportation. Between early January and early February 2026, researchers recorded over 1,600 malicious emails associated with this campaign.</p><hr><h2 id="rustsl-loader">Technical Analysis of the Loaders</h2><h3>The RustSL Loader</h3><p>The attackers used a <strong>modified version</strong> of RustSL, an open‑source Rust‑based loader whose code is publicly available on GitHub. The modifications likely aimed to evade signature‑based detection and to establish a more resilient communication channel with the command‑and‑control (C2) server. 
Once executed on the victim’s machine, the loader fetched the next‑stage payload – typically ValleyRAT – from a remote server.</p><p>ValleyRAT is a known backdoor that gives attackers remote access, keylogging, and data exfiltration capabilities. In this campaign, however, researchers found that the attackers also delivered a <strong>new ValleyRAT plugin</strong> that acted as a loader for an entirely different backdoor.</p><h3 id="abcdoor">Introducing ABCDoor: A Novel Python‑Based Backdoor</h3><p>The new plugin downloads and executes a previously undocumented <strong>Python‑based backdoor</strong> that the security community has named <strong>ABCDoor</strong>. Retrospective analysis indicates that ABCDoor has been part of the Silver Fox toolkit since at least late 2024 and has been deployed in real‑world attacks from the first quarter of 2025 through the present.</p><p>ABCDoor is described as stealthy and flexible, and two properties of a Python implant matter to defenders. First, the operators can change its behaviour by swapping scripts rather than recompiling, so file hashes are a weak indicator and detection should rest on behaviour and on the delivery chain (ValleyRAT plugin, then interpreter). Second, a Python backdoor needs a runtime on the host: either a bundled interpreter with its standard library, or a script frozen into a native executable. Either footprint, a Python runtime DLL and extension modules appearing in a user‑writable directory or an unfamiliar self‑contained binary launched after a ValleyRAT infection, is a useful hunting lead.</p><h2>Conclusion and Recommendations</h2><p>The Silver Fox group continues to evolve its tactics, combining well‑known commodity malware like ValleyRAT with custom‑developed tools such as ABCDoor. 
Their use of tax‑themed lures demonstrates a keen understanding of human psychology – exploiting the authority and urgency of government communications.</p><p>Organizations, especially in the <strong>industrial, consulting, retail, and transportation sectors</strong>, should remain vigilant. Key defensive measures include:</p><ul><li>Email filtering that extracts the link annotations from PDF attachments and treats a direct link to an archive or executable in a supposed tax notice as grounds to hold the message; this is the route these lures used to get past attachment blocking.</li><li>Training employees to recognize phishing attempts, particularly those mimicking tax authorities, and to check the real file type behind a document icon before opening anything extracted from an archive.</li><li>Monitoring for Python interpreters running from user‑writable or temporary directories, or spawned by an unexpected parent process, and for unknown binaries executed from download or archive‑extraction paths.</li><li>Maintaining up‑to‑date endpoint detection and response (EDR) coverage that can identify loader behaviour (a process that downloads and launches a second stage) and backdoor command‑and‑control traffic.</li></ul><p>As the threat landscape evolves, so must our defenses. The emergence of ABCDoor underscores the need for continuous threat intelligence and proactive security measures to stay ahead of actors like Silver Fox.</p>
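<p>To make the first two recommendations concrete, the following is an added example (not code from the original article, nor from the researchers who analysed the campaign) that triages the two attachment shapes described above offline: it pulls the <code>/URI</code> targets out of a PDF’s link annotations and flags links that fetch an archive or executable, and it opens a ZIP to compare each member’s real type (the PE <code>MZ</code> magic) with what its extension claims. The sample PDF and archive are constructed inline and use <code>.example</code> hosts rather than the campaign’s infrastructure. Two assumptions: only literal‑string URIs in uncompressed PDF objects are matched, so a production filter should use a real PDF parser, and RAR archives (as used in the India wave) are recognised but not unpacked because the Python standard library cannot read them.</p>

```python
"""Added example: offline triage of a PDF lure (links to an archive) and of an archive
whose member is an executable dressed as a document. Sample inputs are constructed."""
import io
import re
import zipfile
from urllib.parse import urlparse

ARCHIVE_EXTS = {".zip", ".rar", ".7z", ".iso", ".img"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".dll", ".bat", ".cmd",
             ".js", ".vbs", ".ps1", ".lnk", ".msi"}

# A link annotation stores its target as  /A << /S /URI /URI (literal) >>.  Only literal
# strings in uncompressed objects are matched; hex strings and object streams need a real parser.
URI_RE = re.compile(rb"/URI\s*\(((?:\\\)|[^)])*)\)")

def _ext(name: str) -> str:
    lower = name.lower()
    return "." + lower.rsplit(".", 1)[-1] if "." in lower else ""

def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every literal-string /URI target in document order, unescaped."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1).replace(b"\\)", b")").replace(b"\\(", b"(")
        uris.append(raw.decode("utf-8", errors="replace"))
    return uris

def classify_uri(uri: str) -> str:
    """'archive', 'executable', 'link' or 'malformed', judged from the last path segment."""
    p = urlparse(uri)
    if p.scheme not in ("http", "https") or not p.netloc:
        return "malformed"
    ext = _ext(p.path.rsplit("/", 1)[-1])
    if ext in ARCHIVE_EXTS:
        return "archive"
    if ext in EXEC_EXTS:
        return "executable"
    return "link"

def inspect_zip(zip_bytes: bytes) -> list[dict]:
    """Compare each member's real type (PE magic 'MZ') with what its extension claims."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                is_pe = fh.read(2) == b"MZ"
            ext = _ext(info.filename)
            reasons = []
            if ext in EXEC_EXTS:
                reasons.append("executable inside archive")
            if is_pe and ext not in EXEC_EXTS:
                reasons.append("PE header under non-executable extension")
            findings.append({"name": info.filename, "is_pe": is_pe, "reasons": reasons})
    return findings

def triage_attachment(filename: str, data: bytes) -> list[str]:
    """Reasons to hold the attachment; an empty list means nothing obvious was found."""
    reasons = []
    if data.startswith(b"%PDF"):
        for uri in extract_pdf_uris(data):
            kind = classify_uri(uri)
            if kind != "link":
                reasons.append(f"PDF link to {kind}: {uri}")
    elif data.startswith(b"PK\x03\x04"):
        for f in inspect_zip(data):
            reasons.extend(f"{f['name']}: {r}" for r in f["reasons"])
    elif data.startswith(b"Rar!"):  # stdlib cannot open RAR, the format used in the India wave
        reasons.append("RAR archive: unpack with an external tool before inspection")
    return reasons

# Constructed PDF fragment: one link to an archive (Cyrillic path, as in the Russian lure)
# and one benign link whose target contains escaped parentheses.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"3 0 obj << /Type /Page /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://tax-notice.example"
    b"/uploads/\xd1\x84\xd0\xbd\xd1\x81/\xd1\x84\xd0\xbd\xd1\x81.zip) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://help.example"
    b"/faq\\(2026\\)) >> >> endobj\n%%EOF\n"
)

def build_sample_archive() -> bytes:
    """Constructed ZIP: a real .exe, a PE file named like a PDF, and a harmless text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Click File.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("GST.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("notice.txt", b"Please review the attached list of violations.")
    return buf.getvalue()

if __name__ == "__main__":
    for name, data in (("notice.pdf", SAMPLE_PDF), ("ITD.zip", build_sample_archive())):
        print(name, triage_attachment(name, data) or ["no findings"])
```

<p>The PDF check deliberately keys on the target’s file type rather than on a domain list: the Russian and Indian lures used different paths on one host, and the host will change long before the tactic does. The archive check is cheap because it reads only two bytes per member, which is enough to catch a PE binary behind a PDF icon or name; a double‑extension or right‑to‑left‑override check on <code>info.filename</code> is a natural next addition.</p>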