Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia
TL;DR — The China-based cybercrime group Silver Fox has launched phishing campaigns in India (December 2025) and Russia (January 2026) distributing a previously undocumented Python-based backdoor called ABCDoor. More than 1,600 phishing emails were flagged between early January and February 2026, with emails impersonating tax authority notices. The malware chain involves a modified Rust-based loader (RustSL) that downloads ValleyRAT, which in turn deploys ABCDoor for full remote access and data exfiltration.
What happened
Silver Fox conducted two waves of phishing campaigns targeting organizations in Russia and India. The first wave occurred in December 2025, using emails styled as notices from India's Income Tax Department. A second campaign targeting Russian entities followed in January 2026. Both campaigns employed nearly identical tactics: phishing emails referencing tax audits or prompting recipients to download an archive containing a "list of tax violations."
The malicious archives were hosted on abc[.]haijing88[.]com and contained an executable masquerading as a PDF file. Inside was a modified version of RustSL, an open-source shellcode loader and antivirus bypass framework. Silver Fox's first recorded use of RustSL dates to late December 2025.
According to Kaspersky, the attack chain proceeds as follows: the RustSL loader unpacks an encrypted payload while performing country-based geofencing and virtual machine detection. The bespoke RustSL variant includes geofencing for India, Indonesia, South Africa, Russia, and Cambodia, with newer versions expanding to include Japan. The loader then downloads ValleyRAT (also known as Winos 4.0), which establishes command-and-control communications and retrieves additional modules.
One such module is ABCDoor, a Python-based backdoor that has been part of Silver Fox's arsenal since at least December 19, 2024, though it saw operational use beginning February or March 2025. ABCDoor contacts external servers via HTTPS to receive commands and facilitate persistence, handle updates and removal, collect screenshots, enable remote mouse and keyboard control, perform file system operations, manage processes, and exfiltrate clipboard contents.
A notable persistence mechanism observed in some samples is Phantom Persistence, first documented in June 2025. This method abuses OS update-reboot functionality by intercepting the system shutdown signal, halting the normal shutdown sequence, and triggering a reboot under the guise of a malware update, forcing execution on OS startup.
As of November 2025, Silver Fox has also been observed using JavaScript loaders to deliver ABCDoor, distributed via self-extracting archives nested inside ZIP archives and sent as phishing attachments.
The campaign impacted organizations in the industrial, consulting, retail, and transportation sectors. More than 1,600 phishing emails were flagged between early January and early February 2026. The highest concentration of attacks was detected in India, Russia, and Indonesia, followed by South Africa and Japan.
Why it matters
For SOC analysts and defenders across the MENA region and beyond, this campaign signals the evolution of a threat actor that now operates on a dual-track model combining opportunistic cybercrime with espionage objectives. Since 2024, Silver Fox has shifted from targeting primarily China to expanding operations into Taiwan, Japan, and now Russia and India, suggesting a broadening geographic and operational scope.
The use of tax-themed lures tailored to seasonal and regional compliance concerns indicates adversaries are conducting detailed reconnaissance of their targets' operational context. This is not generic phishing; the lures are crafted around legitimate institutional processes that resonate with the target audience.
The integration of multiple custom tools—RustSL, ABCDoor, and ValleyRAT—combined with novel persistence techniques like Phantom Persistence, demonstrates a mature technical capability. Developers and systems administrators should understand that this is not a simple malware family but a modular attack framework designed for adaptability and evasion.
The geofencing logic embedded in RustSL also carries implications: the attackers are deliberately constraining execution to specific geographic regions, reducing defensive noise and improving targeting precision. This suggests the campaign is not indiscriminate but targeted at specific organizational assets or sectors within those regions.
Affected systems and CVEs
- ABCDoor — Python-based backdoor
- ValleyRAT (Winos 4.0) — Remote access trojan
- RustSL — Modified shellcode loader and antivirus bypass framework
- Phantom Persistence — Persistence mechanism abusing OS update-reboot functionality
No CVE assigned at the time of publication.
What to do
The source article does not provide explicit mitigation recommendations. However, defensive measures should include:
- Treat unexpected tax authority correspondence with heightened scrutiny, particularly emails requesting immediate archive downloads or file execution.
- Block or sandbox archives hosted on non-standard or suspicious domains, particularly those matching patterns like abc[.]haijing88[.]com.
- Monitor for suspicious reboot behavior and shutdown signal interception at the OS level.
- Review logs for unexpected ValleyRAT or ABCDoor C2 communications over HTTPS.
- If your organization operates outside India, Indonesia, South Africa, Russia, Cambodia, and Japan, apply network-level geofencing detection rules that flag inbound traffic from those regions, since such traffic may indicate reconnaissance.
- Enforce code execution policies to restrict execution of nested archives and self-extracting executables from untrusted sources.
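The first four measures above can be turned into a simple triage pass over mail-gateway and web-proxy logs. The script below is an added example written for this summary; it is not code from the advisory or from Kaspersky. The staging domain is the one published in the advisory; the pipe-delimited log format, the sample log lines, the sender addresses (on the reserved .example domain) and the filename patterns (a tax-themed archive, a ".pdf.exe"-style executable masquerading as a PDF) are constructed to mirror the lures the advisory describes, not observed artifacts.

```python
"""Triage constructed mail-gateway and web-proxy log lines for the delivery
traits described in the Silver Fox / ABCDoor advisory: tax-themed subjects,
archive attachments, an executable masquerading as a PDF, and requests to
the published staging domain. Log format and sample lines are constructed."""
import re
from dataclasses import dataclass

# Defanged as printed in the advisory; refanged only for string matching.
IOC_DOMAINS_DEFANGED = {"abc[.]haijing88[.]com"}
IOC_DOMAINS = {d.replace("[.]", ".") for d in IOC_DOMAINS_DEFANGED}

ARCHIVE_EXTS = (".zip", ".rar", ".7z")
# Executable extension hidden behind a ".pdf" segment, e.g. notice.pdf.exe (assumed pattern)
MASQUERADE_RE = re.compile(r"\.pdf\.(exe|scr|com|bat|cmd|js|vbs)$", re.IGNORECASE)
# Lure wording from the campaign: tax audits and a "list of tax violations"
LURE_RE = re.compile(r"\btax\s+(audit|violation)", re.IGNORECASE)


@dataclass
class Finding:
    line_no: int
    source: str
    reasons: list[str]


def parse_line(line: str) -> tuple[str, dict[str, str]]:
    """Constructed format: ts|source|key=value|key=value...; returns (source, fields)."""
    parts = line.rstrip("\n").split("|")
    if len(parts) < 2:
        return "", {}
    fields = {}
    for kv in parts[2:]:
        key, sep, val = kv.partition("=")
        if sep:
            fields[key.strip()] = val.strip()
    return parts[1].strip(), fields


def triage(lines):
    """Return one Finding per log line that shows at least one campaign trait."""
    findings = []
    for n, line in enumerate(lines, start=1):
        source, f = parse_line(line)
        reasons = []
        if source == "proxy":
            host = f.get("host", "").lower()
            path = f.get("path", "").lower()
            if host in IOC_DOMAINS:
                reasons.append("request to published staging domain")
            # Underscores are common in lure filenames; treat them as spaces for matching.
            if path.endswith(ARCHIVE_EXTS) and LURE_RE.search(path.replace("_", " ")):
                reasons.append("tax-themed archive download")
        elif source == "mail":
            subject = f.get("subject", "")
            attachment = f.get("attachment", "")
            if LURE_RE.search(subject) and attachment.lower().endswith(ARCHIVE_EXTS):
                reasons.append("tax lure with archive attachment")
            if MASQUERADE_RE.search(attachment):
                reasons.append("executable masquerading as PDF")
        if reasons:
            findings.append(Finding(n, source, reasons))
    return findings


# Constructed sample log: two benign lines, three that should be flagged.
SAMPLE_LOG = [
    "2026-01-14T08:58:11Z|mail|from=notice@tax-notice.example|subject=Notice of tax audit|attachment=list_of_tax_violations.zip",
    "2026-01-14T09:02:40Z|mail|from=hr@corp.example|subject=January timesheets|attachment=timesheets.xlsx",
    "2026-01-14T09:12:05Z|proxy|src=10.0.4.21|host=abc.haijing88.com|path=/tax_violations_list.zip",
    "2026-01-14T09:12:30Z|proxy|src=10.0.4.21|host=updates.corp.example|path=/agent/update.zip",
    "2026-01-14T09:13:02Z|mail|from=audit@tax-notice.example|subject=Re: tax violation list|attachment=violations.pdf.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"line {finding.line_no} [{finding.source}]: {', '.join(finding.reasons)}")
```

The archive download is reported with two independent reasons (the known domain and the lure-shaped filename) so that a hit still surfaces if the attackers rotate staging domains; only the domain check depends on the published indicator. Adapt parse_line to your gateway's real export format before running this against production logs.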
Open questions
- The advisory does not specify the exact number of organizations impacted; only email volume is provided.
- The complete list of affected sectors is estimated but not exhaustively documented.
- The current status of the campaign, and whether new variants were being deployed as of publication, is unclear.
- Whether affected organizations or vendors have released patches or detection signatures is not stated.
- The confidence level for attribution to a China-based actor is not quantified in the source material.
Source
Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia