Silver Fox Campaign: New ABCDoor Backdoor in Tax-Themed Phishing Attacks


In late 2025 and early 2026, the Silver Fox threat group launched a series of sophisticated phishing campaigns targeting organizations in India and Russia. These attacks used official-looking tax service emails to deliver a new backdoor malware called ABCDoor, alongside the known ValleyRAT. Below are key questions and detailed answers about the campaign's methods, technical details, and impact.

What is the Silver Fox group and what is the ABCDoor backdoor?

Silver Fox is an established threat group best known for distributing the ValleyRAT backdoor; in these campaigns it was behind a wave of phishing emails impersonating tax authorities in India and Russia. ABCDoor is a previously undocumented Python-based backdoor that is delivered through a dedicated ValleyRAT plugin. Retrospective analysis places it in Silver Fox's arsenal since at least late 2024, with the first observed real-world deployments in early 2025. ABCDoor provides persistent remote access to compromised systems: the operators can execute commands, steal data, or download additional payloads.

Source: securelist.com

How did the December 2025 campaign target India?

In December 2025, Silver Fox sent phishing emails designed to look like official communications from the Indian tax service. Recipients received messages with an attached archive named ITD.-.rar. Inside this archive was a single executable, Click File.exe, disguised with an Adobe PDF icon. The executable was in fact a modified RustSL loader. A later wave in late December switched to a PDF attachment titled GST.pdf containing two links, both leading to a malicious archive hosted at abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar (the Chinese text translates to "Indian mailbox"). The campaign abused the SendGrid cloud email platform to distribute these messages, targeting sectors such as industrial, consulting, retail, and transportation.

How did the January 2026 campaign target Russia?

In January 2026, a similar campaign began targeting Russian organizations. Victims received phishing emails styled as official tax audit notifications. Each email carried a PDF attachment with two clickable links, both pointing to an archive on the same malicious host as the Indian wave: abc.haijing88[.]com/uploads/фнс/фнс.zip ("фнс" is the Russian abbreviation for the Federal Tax Service). Inside the archive was the same modified RustSL loader. The emails urged victims to download and open a "list of tax violations," exploiting trust in government correspondence. Over 1,600 malicious emails were recorded between early January and early February 2026, affecting organizations in multiple sectors across the country.

What is the RustSL loader and how does it work?

RustSL is a Rust-based loader whose source code is publicly available on GitHub; Silver Fox uses a modified build of it. The group embeds the loader inside archives that are either attached to phishing emails directly or hosted on its own download site and linked from a PDF lure. Once executed on a victim's machine, the loader's primary job is to download and run the next-stage payload, in this case the ValleyRAT backdoor. Alongside ValleyRAT it deploys a new ValleyRAT plugin that acts as a launcher for the ABCDoor Python backdoor. Because the loader itself contains little beyond download-and-execute logic and fetches the real payload at runtime, static scanning of the attachment reveals little; detection is more reliable at the network layer (the payload fetch) or on the ValleyRAT and ABCDoor components it drops.

How do these phishing emails bypass email security gateways?

The attackers evaded email security filters by not attaching malicious code at all: the attachment is a benign PDF containing nothing but links to an archive on an attacker-controlled site. The Russian campaign used this link-only PDF throughout; the Indian campaign started with an archive containing the loader and later moved to the same PDF-link approach. Because the document carries no executable content, only a URL that requires further user interaction, signature-based scanning and attachment sandboxing have nothing to detonate, and the message is more likely to reach the inbox. The weak point for defenders is therefore the link itself: gateways that extract and inspect URLs from PDF attachments, rewrite links, or block downloads of archives from newly seen domains can still catch this chain. Once a user clicks the link and downloads the archive, they are tricked into running the executable inside it.


What sectors were impacted and how many emails were sent?

Both the Indian and Russian campaigns targeted organizations across a wide range of sectors, including industrial, consulting, retail, and transportation. The figure of over 1,600 malicious emails covers the Russian wave recorded between early January and early February 2026; no count was disclosed for the December 2025 Indian wave. The volume points to an automated distribution model, and in the Indian campaign the emails were sent through the SendGrid cloud email platform, which lends the messages legitimate sending infrastructure and reputation.

What is ValleyRAT and how does ABCDoor relate to it?

ValleyRAT is a well-known backdoor long associated with Silver Fox, used for remote access and data theft. In these campaigns the RustSL loader first installs ValleyRAT on the victim's machine. During their investigation, researchers found a new ValleyRAT plugin being delivered alongside the main backdoor. This plugin is a launcher for ABCDoor, the previously undocumented Python-based backdoor. ABCDoor runs independently of ValleyRAT once started, giving the operators a second persistent access path if the first is detected and removed. It can execute commands and upload and download files, which is enough to stage further tooling for movement within the network. Delivering it as a plugin rather than a separate dropper keeps the initial chain unchanged while adding redundancy.

When was ABCDoor first used and how long has it been active?

Retrospective analysis by security researchers shows that ABCDoor has been part of the Silver Fox arsenal since at least late 2024. Real-world attacks using the backdoor began in the first quarter of 2025 and were still ongoing in early 2026. In the tax-themed campaigns it was deployed through the ValleyRAT plugin, though it may also have been used in operations not yet reported. ABCDoor is written in Python and therefore needs an interpreter on the host; all observed attacks targeted Windows systems. Its continued use over more than a year indicates that Silver Fox considers it a reliable tool for maintaining access to and exfiltrating data from compromised organizations.
