Silver Fox Hackers Target Russia Using ABCDoor Backdoor Disguised as Updates

04.05.2026 3 minutes Author: Newsman

The hacker group Silver Fox has launched a campaign to distribute the ABCDoor malware, disguising its attacks as tax notices in India and Russia. The phishing emails look like official documents, so that users run the infected files themselves.

A new attack wave conducted by the Chinese cybercrime group Silver Fox targeted organizations in Russia and India. The attackers used a newly developed backdoor, named ABCDoor, which is delivered through phishing emails masquerading as official tax notices.

The attackers began the operation in December 2025. In the first phase, they sent emails claiming to be from the Indian Tax Department. A very similar approach was then taken toward Russian organizations. In both phases, the emails told victims that a tax audit was coming, or invited them to download an archive listing “violations”.

Inside these archives was a modified Rust-based loader copied from a public repository. “This loader downloaded and launched the well-known ValleyRAT backdoor,” Kaspersky stated.

According to researchers, the campaign affected companies in multiple sectors, including, but not limited to, industry, consulting, retail and transportation. Over 1600 phishing emails were reported between January 2026 and February 2026.

The attack chain begins with a PDF containing a link that directs the victim to download a ZIP/RAR archive from the abc.haijing88[.]com domain. In certain instances, specifically within the December wave of attacks, the malicious code was incorporated directly into the email attachments.

Inside each archive is a Windows executable file (EXE) pretending to be a PDF. This is an altered form of the open-source RustSL tool, which is designed to evade detection by antivirus software. After extracting the encrypted malicious payload, it checks the environment for virtual machines and sandboxes.
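The check below is an added example, not code from Kaspersky or from this article: it flags ZIP members whose content starts with the PE `MZ` header while the name presents as a PDF, which is the disguise described above. The file names, the extension list and the sample archive are constructed assumptions, and RAR archives would need a third-party reader instead of the standard-library `zipfile`.

```python
import io
import zipfile

PE_MAGIC = b"MZ"  # DOS/PE header found at the start of Windows executables
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")  # assumed list of launchable extensions


def classify_member(name, head):
    """Return a finding for one archive member, or None if name and content agree."""
    lower = name.lower().rstrip(" .")  # Windows ignores trailing dots and spaces
    is_pe = head.startswith(PE_MAGIC)
    if is_pe and lower.endswith(".pdf"):
        return "PE content under a .pdf name"
    if lower.endswith(EXEC_EXTS) and ".pdf" in lower:
        return "executable with a PDF-style double extension"
    if is_pe and not lower.endswith(EXEC_EXTS + (".dll",)):
        return "PE content under a non-executable extension"
    return None


def scan_zip(data):
    """Inspect the first bytes of every member of an in-memory ZIP archive."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)
            verdict = classify_member(info.filename, head)
            if verdict:
                findings[info.filename] = verdict
    return findings


def build_sample_zip():
    """Constructed sample archive; members hold inert placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_notice.pdf.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("violations.pdf", b"MZ" + b"\x00" * 62)
        zf.writestr("readme.pdf", b"%PDF-1.7\n")
        zf.writestr("setup.exe", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in scan_zip(build_sample_zip()).items():
        print(f"{member}: {reason}")
```

A mail gateway or triage script could run a check like this on attachments and on archives fetched from links in PDFs before a user opens them.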

One notable aspect of this modified version of RustSL is its extended geo-zone capabilities. While the original version only detected China, this adaptation includes India, Indonesia, South Africa, Russia and Cambodia.

Following the execution of RustSL, ValleyRAT, also known as Winos 4.0, is launched. Its primary function is to communicate with the management server, execute commands, and download additional modules. One such module is ABCDoor, a backdoor that communicates with external servers via HTTPS.

Using ABCDoor, attackers can:

  • Capture Screenshots

  • Control Mouse and Keyboard Actions

  • Manipulate Files

  • Start/Terminate Processes

  • Extract Data from Clipboard

Additionally, one variant of the loader uses the Phantom Persistence technique, which lets it establish a foothold in the system by modifying the computer's shutdown process so that malicious code is executed upon reboot. According to Kaspersky, this technique mimics updates to appear legitimate.

Before launching this new campaign, in November 2025, Silver Fox used a JavaScript loader to distribute ABCDoor via self-extracting archives. In recent months the group has expanded its geographic reach to include Japan and has broadened its scope of operations beyond economic theft to include espionage. According to S2W, since 2024 Silver Fox has operated along two different vectors: mass phishing campaigns for financial gain and simultaneous espionage efforts. Before expanding into espionage, the majority of Silver Fox’s attacks targeted China; after a short period of time, however, the group began targeting Taiwan, Japan and other nations.

Researchers report that Silver Fox continues to rely heavily on phishing methods as the foundation of their success. By incorporating localized features and seasonally relevant themes into their phishing tactics, they maximize their chance of successfully infecting potential victims.
