Silver Fox Threat Group Unleashes ABCDoor Backdoor in Phishing Campaigns Against Russia and India
Overview
In late 2025 and early 2026, cybersecurity researchers identified a series of sophisticated phishing campaigns targeting organizations in India and Russia. The attacks, attributed to the threat group known as Silver Fox, leveraged a previously undocumented Python-based backdoor dubbed ABCDoor. This backdoor was delivered through a multi-stage infection chain involving a modified Rust-based loader and the well-known ValleyRAT remote access trojan. The campaigns primarily impersonated tax authorities to trick victims into downloading malicious archives; between January and February 2026, more than 1,600 such emails were observed across the industrial, consulting, retail, and transportation sectors.

Phishing Campaigns Target Tax Authorities
Russian Campaign (January 2026)
The January 2026 wave targeted Russian organizations with emails styled as official notices from the tax service. Victims received a PDF attachment containing two clickable links that led to a malicious website: abc.haijing88[.]com/uploads/фнс/фнс.zip. This archive housed a modified version of the Rust-based loader called RustSL, whose source code is publicly available on GitHub. The loader then downloaded and executed ValleyRAT, a remote access trojan known for its data-stealing capabilities.
Indian Campaign (December 2025)
In December 2025, a similar campaign impersonated the Indian tax service. Victims received emails with a subject line referencing a “list of tax violations” and an attached archive named ITD.-.rar. Inside was a single executable file, Click File.exe, disguised with an Adobe PDF icon. This file was the RustSL loader. A second wave in late December used a PDF titled GST.pdf containing links to hxxps://abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar (where “印度邮箱” translates from Chinese as “Indian mailbox”). Both approaches traded on the perceived urgency of tax correspondence, and delivering the archive through links embedded in a PDF rather than as a direct attachment made it more likely that the lure would pass email security gateways and reach the target.
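As an added defensive example (not code from the original report or from the researchers it cites), the check below pulls link targets out of a PDF's link annotations and flags any that fetch an archive or point at the domain named above. The sample PDF fragment is constructed, and the known-bad host list and archive extension set are assumptions built from this article; the regex only sees uncompressed annotation objects, so run it on a PDF after stream decompression.

```python
import re
from urllib.parse import urlparse, unquote

# Assumptions drawn from the campaign described above: the hosting domain
# (written here without defanging) and the archive types used as lures.
KNOWN_BAD_HOSTS = {"abc.haijing88.com"}
ARCHIVE_EXTS = (".zip", ".rar", ".7z")

# A PDF link annotation stores its target as a literal string: /URI (https://...)
# The group handles backslash-escaped parentheses inside the string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in uncompressed PDF objects."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = m.group(1)
        raw = raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")
        uris.append(raw.decode("utf-8", errors="replace"))
    return uris


def assess_uri(uri: str) -> tuple[str, str]:
    """Classify one link as 'known-bad', 'suspicious' or 'ok' with a reason."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    path = unquote(parsed.path).lower()  # decode %-escaped non-ASCII paths such as фнс.zip
    if host in KNOWN_BAD_HOSTS:
        return "known-bad", f"host {host} is a known campaign domain"
    if path.endswith(ARCHIVE_EXTS):
        return "suspicious", f"link fetches an archive ({path.rsplit('/', 1)[-1]})"
    return "ok", ""


def scan_pdf(pdf_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (uri, verdict, reason) for each link found in the PDF."""
    return [(u, *assess_uri(u)) for u in extract_uris(pdf_bytes)]


# Constructed sample: a minimal PDF with three link annotations (not a real lure file).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Annot /Subtype /Link /A << /S /URI "
    b"/URI (https://abc.haijing88.com/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip) >> >> endobj\n"
    b"2 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/forms/return.pdf) >> >> endobj\n"
    b"3 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://cdn.example.net/files/CBDT.rar) >> >> endobj\n"
    b"%%EOF\n"
)

if __name__ == "__main__":
    for uri, verdict, reason in scan_pdf(SAMPLE_PDF):
        print(f"{verdict:10} {uri}  {reason}")
```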
The Attack Chain: From RustSL Loader to ValleyRAT
The attack chain relied on a multi-stage process. After the victim downloaded and executed the RustSL loader, it contacted a command-and-control server to retrieve the ValleyRAT payload. ValleyRAT then established persistent access, enabling attackers to steal credentials, monitor keystrokes, and deploy additional malicious modules. During the investigation, researchers discovered that the attackers used a new ValleyRAT plugin that acted as a loader for a previously undocumented Python-based backdoor, which was named ABCDoor.

Discovery of the ABCDoor Backdoor
The ABCDoor backdoor is a Python-based tool that provides remote control over infected systems. According to retrospective analysis, ABCDoor has been part of the Silver Fox arsenal since at least late 2024 and was actively used in real-world attacks from the first quarter of 2025 onward. The backdoor communicates over HTTP/S and supports file upload and download, command execution, and data exfiltration. Its modular design allows individual components to be updated or replaced without altering the core implant. The discovery of ABCDoor highlights the group’s continuous evolution and adaptation of its toolset.
Conclusion and Indicators
Silver Fox remains an active threat, regularly refining its phishing techniques and malware arsenal. Organizations in Russia and India, particularly those in industrial, consulting, retail, and transportation sectors, should remain vigilant against tax-themed phishing attempts. Recommended security measures include employee awareness training, advanced email filtering, and endpoint detection systems capable of identifying RustSL and ValleyRAT behavior. For detailed indicators of compromise (IoCs) such as domains, hashes, and C2 servers, refer to the full technical report.