Unmasking Silver Fox: New ABCDoor Backdoor Targets Tax Authorities in Russia and India

<p>In a sophisticated cyberespionage campaign, the threat group known as Silver Fox has been targeting organizations in Russia and India using a novel backdoor called <strong>ABCDoor</strong>. Discovered in late 2025, the operation involved phishing emails disguised as official tax service communications. The attackers leveraged a modified Rust-based loader to deploy the well-known <em>ValleyRAT</em> backdoor, and later introduced a new Python-based plugin that functions as a loader for ABCDoor. Between early January and early February 2026, over 1600 malicious emails from this campaign were recorded, hitting sectors like industrial, consulting, retail, and transportation. Below, we answer key questions about this emerging threat.</p><h2 id="who-is-silver-fox">Who is Silver Fox and what is their latest campaign?</h2><p><strong>Silver Fox</strong> is a threat group that has been active in spear-phishing and malware delivery operations. In December 2025, security teams detected a wave of malicious emails mimicking official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. Both waves followed an identical structure: phishing emails styled as official notices regarding tax audits or prompting downloads of archives containing a "list of tax violations." The group used these lures to distribute a modified Rust-based loader pulled from a public repository, which then downloaded and executed the <strong>ValleyRAT</strong> backdoor. 
The campaign represents an evolution in Silver Fox's tactics, incorporating a new Python-based backdoor named <strong>ABCDoor</strong> that has been part of their arsenal since at least late 2024.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/29144353/SL-Silver-Fox-tax-campaign-featured.jpg" alt="Unmasking Silver Fox: New ABCDoor Backdoor Targets Tax Authorities in Russia and India" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure><h2 id="how-were-the-phishing-emails-structured">How were the phishing emails structured?</h2><p>The campaign had two distinct waves. In the <strong>December 2025</strong> wave targeting India, malicious code was embedded directly within attached files. For example, an email sent via the SendGrid cloud platform contained an archive named <em>ITD.-.rar</em> with a single executable file, <em>Click File.exe</em>, disguised with an Adobe PDF icon (the RustSL loader). Additionally, in late December, emails carried a PDF attachment titled <em>GST.pdf</em> containing two clickable links leading to a malicious website hosting a ZIP archive. The <strong>January 2026</strong> wave targeting Russia used a similar PDF approach: victims received an email purportedly from the tax service with an attached PDF. Inside the PDF were two links to download an archive from <em>abc.haijing88[.]com/uploads/фнс/фнс.zip</em>. Both versions relied on the perceived authority of tax agencies to convince victims to download the document.</p><h2 id="what-is-the-rustsl-loader-and-how-does-it-work">What is the RustSL loader and how does it work?</h2><p>The <strong>RustSL loader</strong> is a modified version of a publicly available Rust-based loader whose source code is hosted on GitHub. Silver Fox adapted it for their campaign. 
When a victim downloads and executes the loader from the phishing archive (e.g., <em>Click File.exe</em> or the PDF links), the loader runs in memory to download and execute the <strong>ValleyRAT</strong> backdoor from a remote server. The use of Rust makes the loader harder to detect because Rust binaries have different static characteristics than typical C++ malware. Moreover, the loader is disguised with an Adobe PDF icon to appear legitimate. This loader was used in both the India and Russia campaigns, demonstrating Silver Fox's reliance on publicly available tools customized for their purposes.</p><h2 id="what-is-abcdoor-and-how-does-it-fit-into-the-attack-chain">What is ABCDoor and how does it fit into the attack chain?</h2><p><strong>ABCDoor</strong> is a previously undocumented Python-based backdoor discovered during investigation of the Silver Fox campaign. It was delivered as a plugin to victim devices via ValleyRAT. Specifically, the attackers built a new ValleyRAT plugin that functions as a loader for ABCDoor. Retrospective analysis shows ABCDoor has been part of Silver Fox's arsenal since at least late 2024 and has been used in real-world attacks from the first quarter of 2025. The backdoor is Python-based, allowing cross-platform capabilities and easier adaptation. 
Its discovery highlights Silver Fox's evolving toolset and their ability to add custom modules to established frameworks like ValleyRAT.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/29144353/SL-Silver-Fox-tax-campaign-featured-800x450.jpg" alt="Unmasking Silver Fox: New ABCDoor Backdoor Targets Tax Authorities in Russia and India" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure><h2 id="which-sectors-were-targeted-and-what-was-the-scale">Which sectors were targeted and what was the scale?</h2><p>The campaign impacted organizations across <strong>industrial, consulting, retail, and transportation</strong> sectors. Between early January and early February 2026, over <strong>1600 malicious emails</strong> were recorded. The attacks were geographically focused on Russia and India, but the sectors chosen indicate a broad espionage objective rather than targeting a specific industry. The high volume of emails suggests a spray-and-pray approach, but the use of tailored tax lures implies they were aiming for high-value targets within those sectors. The scale demonstrates Silver Fox's operational capacity to launch simultaneous campaigns against multiple countries.</p><h2 id="how-did-the-attackers-evade-email-security-gateways">How did the attackers evade email security gateways?</h2><p>The attackers used a clever method to bypass security gateways: <strong>phishing PDF attachments contained only clickable links</strong> rather than direct malicious code. In the Russian campaign, the PDF included two links to download the malicious archive. In the Indian campaign, some PDFs also used links. Since email security solutions typically analyze attachments for known malware signatures or suspicious payloads, a PDF with just text and links is less likely to be flagged. 
The actual malicious code is hosted on a remote server and only downloaded when the user clicks the link. This technique increases the probability of the email reaching the recipient's inbox. Additionally, the use of a public cloud email platform (SendGrid) for the Indian wave helped obfuscate the true sender.</p><h2 id="what-is-the-timeline-of-the-silver-fox-campaign">What is the timeline of the Silver Fox campaign?</h2><p>The campaign unfolded in <strong>two main phases</strong>. <strong>December 2025:</strong> Security teams detected the first wave targeting India, with emails carrying malicious archives directly (e.g., <em>ITD.-.rar</em>) and later with PDFs containing links. <strong>Late December 2025:</strong> Emails with <em>GST.pdf</em> were distributed with links to a malicious website. <strong>January 2026:</strong> A similar campaign began targeting Russian organizations, using PDF attachments with links to an archive hosted at <em>abc.haijing88[.]com</em>. Retrospective analysis revealed that ABCDoor had been in use since late 2024, but its connection to these campaigns was only discovered during the investigation of the 2025-2026 waves. The sustained activity highlights Silver Fox's long-term focus on tax-themed phishing.</p>
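<p>A gateway-side check for the links-only PDF lure described above, as an added example that is not code from the original post or from any vendor product: it pulls every <code>/URI</code> link annotation out of the raw PDF bytes with the standard library alone, percent-decodes the path so a non-Latin archive name such as the <code>фнс.zip</code> seen in the Russian wave is still recognized, and flags the file when a link points at an archive even though no embedded payload or script is present. The hosts in the sample PDF are constructed placeholders.</p>

```python
import re
from urllib.parse import unquote, urlsplit

# Archive extensions that a "links-only" lure PDF typically points at.
ARCHIVE_EXTS = (".zip", ".rar", ".7z")

# /URI ( ... ) entries of link annotations; tolerates backslash-escaped characters inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI literal string found in the raw PDF bytes (no PDF library needed)."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        for esc, plain in ((b"\\(", b"("), (b"\\)", b")"), (b"\\\\", b"\\")):
            raw = raw.replace(esc, plain)
        uris.append(raw.decode("utf-8", errors="replace"))
    return uris


def archive_links(uris: list[str]) -> list[str]:
    """URIs whose percent-decoded path ends in an archive extension (non-ASCII names included)."""
    return [u for u in uris if unquote(urlsplit(u).path).lower().endswith(ARCHIVE_EXTS)]


def scan_pdf(pdf_bytes: bytes) -> dict:
    """Combine the usual payload checks with the link check a links-only lure would otherwise evade."""
    uris = extract_uris(pdf_bytes)
    result = {
        "uris": uris,
        "archive_links": archive_links(uris),
        # What a signature-oriented gateway already looks for: embedded files and scripting.
        "has_embedded_file": b"/EmbeddedFile" in pdf_bytes,
        "has_javascript": b"/JavaScript" in pdf_bytes or b"/JS" in pdf_bytes,
    }
    result["suspicious"] = bool(result["archive_links"]) or result["has_embedded_file"] or result["has_javascript"]
    return result


# Constructed sample: a two-link PDF with no embedded payload, one link to a benign page and one to a
# percent-encoded Cyrillic archive path (placeholder hosts, not the campaign's infrastructure).
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/tax/faq) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.test/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
```

A real deployment would also resolve the flagged link's redirect chain and inspect the served archive in a sandbox; this block only decides whether the PDF deserves that extra handling.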