Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia

https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html

Publish Date: 2026-05-04 07:57:00

Source Domain: thehackernews.com

Ravie Lakshmanan | May 04, 2026 | Malware / Network Security

The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor.

The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities.

“Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a ‘list of tax violations,’” Kaspersky said. “Inside the archive was a modified Rust-based loader pulled from a public repository. This loader would download and execute the well-known ValleyRAT backdoor.”

The campaign is estimated to have impacted organizations across the industrial, consulting, retail, and transportation sectors. More than 1,600 phishing emails were flagged between early January and early February.

What’s notable about these phishing waves is the delivery of a new ValleyRAT plugin that functions as a loader for a previously undocumented Python-based backdoor codenamed ABCDoor. The backdoor, per the Russian cybersecurity company, has been part of the threat actor’s arsenal since at least December 19, 2024, and was put to use in cyber attacks beginning February or March 2025.

The starting point of the attack chain is a phishing email containing a PDF file, which features two clickable links that lead to the download of a ZIP or RAR archive hosted on “abc.haijing88[.]com.” In the campaign detected in December 2025, the malicious code is said to have been embedded directly within the files attached to the email.

Present within the archive is an executable that mimics a PDF file. The binary is a modified version of an open-source shellcode loader and antivirus bypass framework called RustSL. Silver Fox’s first recorded use of RustSL dates back to late December 2025.

The…