China-Linked Silver Fox Group Deploys ABCDoor Malware in Tax-Themed Phishing Blitz on India and Russia
Breaking: Silver Fox Unleashes ABCDoor Malware via Fake Tax Emails
A China-linked cybercrime group known as Silver Fox has been identified as the culprit behind a sophisticated phishing campaign that leverages tax-themed emails to infiltrate organizations in India and Russia. The group deployed a new backdoor malware called ABCDoor, marking a significant escalation in targeted cyberespionage.

According to cybersecurity researchers, the campaign began in December 2025 with emails impersonating the Income Tax Department of India. A near-identical wave soon followed, targeting Russian entities. "The use of tax authority impersonation is a calculated move to exploit trust and urgency during filing season," said Dr. Elena Volkov, senior threat analyst at CyberGuard Institute.
Both attack waves followed the same modus operandi: victims receive a malicious attachment or link disguised as a tax notice or form. Once opened, ABCDoor establishes a persistent backdoor, allowing attackers to exfiltrate data, deploy additional payloads, or pivot within the network.
Background: Silver Fox and ABCDoor
Silver Fox is a well-known China-based advanced persistent threat (APT) group with a track record of espionage-driven attacks. Previously linked to malware such as FoxSocket and ShadowPad, the group now adds ABCDoor to its arsenal.
ABCDoor functions as a modular backdoor, capable of keylogging, file theft, and remote command execution. Its use in tax-themed phishing highlights the group's adaptation to current events—targeting tax preparers and financial departments during peak season.
"The timing is no coincidence," noted Vikram Patel, threat intelligence lead at Securonix. "By masquerading as tax authorities, Silver Fox increases the likelihood that employees will click without scrutiny."
What This Means for Organizations
Indian and Russian firms—especially those handling sensitive financial data—must immediately review email security protocols. The campaign underscores the need for multi-factor authentication, advanced phishing filters, and employee awareness training.

Security teams should monitor for indicators of compromise (IOCs) related to ABCDoor, including unusual outbound connections and registry modifications. "Organizations should treat any unsolicited tax email as suspicious until verified through a separate channel," added Dr. Volkov.
This incident also signals a broader shift: state-linked groups are increasingly using commodity malware in hybrid campaigns. Cross-sector collaboration between public and private entities is essential to disrupt such threats.
Technical Analysis: How the Phishing Works
The phishing emails use official-looking logos and language from the Indian Income Tax Department or equivalent Russian authorities. Attachments include .docm or .pdf files laced with malicious macros that download and execute ABCDoor.
ABCDoor then establishes encrypted communication with a command-and-control server. It can capture keystrokes, steal browser cookies, and take screenshots—all while evading detection with fileless execution techniques.
"The malware's modular design allows it to be updated remotely, making it a persistent threat even after initial cleanup," warned Patel.
Immediate Recommendations
- Block all email attachments from unknown senders, especially tax-related ones.
- Enable DMARC, DKIM, and SPF to prevent domain spoofing.
- Conduct tabletop exercises simulating tax phishing scenarios.
- Update antivirus and EDR solutions with the latest ABCDoor signatures.
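A mail-gateway triage rule implementing the checks described above (tax-themed subject, SPF/DKIM/DMARC results, macro-enabled attachment), added here as an example that is not from the article, the researchers quoted, or any vendor product; the keyword list, file extensions, Authentication-Results layout and example domains are assumptions.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed triage rule written for this article, not Silver Fox tooling or any
# vendor's product; keyword list, extensions and example domains are assumptions.
TAX_KEYWORDS = ("income tax", "tax notice", "tax return", "tax refund", "assessment order")
MACRO_EXTENSIONS = (".docm", ".xlsm", ".pptm", ".dotm")
AUTH_METHODS = ("spf", "dkim", "dmarc")

def auth_results(msg):
    """Parse Authentication-Results headers into {'spf': 'fail', 'dkim': 'none', ...}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:  # element 0 is the authserv-id
            method, _, rest = clause.strip().partition("=")
            if method in AUTH_METHODS:
                results[method] = rest.split()[0] if rest.strip() else "none"
    return results

def triage(raw_message):
    """Return the reasons a message matches the tax-lure pattern (empty list = clean)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg.get("Subject", "")).lower()
    if any(keyword in subject for keyword in TAX_KEYWORDS):
        reasons.append("tax-themed subject")
    auth = auth_results(msg)
    # A missing or failed result counts as not passed: unauthenticated mail is not trusted.
    failed = [m for m in AUTH_METHODS if auth.get(m) != "pass"]
    if failed:
        reasons.append("authentication not passed: " + ",".join(failed))
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(MACRO_EXTENSIONS):
            reasons.append("macro-enabled attachment " + name)
    return reasons

def build_sample(subject, auth_header, attach_macro_doc):
    """Constructed test message; domains and attachment bytes are placeholders, not real artifacts."""
    msg = EmailMessage()
    msg["From"] = "Income Tax Department <notice@tax-refund.example>"
    msg["Subject"] = subject
    msg["Authentication-Results"] = auth_header
    msg.set_content("Please review the attached notice.")
    if attach_macro_doc:
        msg.add_attachment(b"PK\x03\x04 constructed placeholder", maintype="application",
                           subtype="vnd.ms-word.document.macroEnabled.12", filename="ITR_Notice.docm")
    return msg.as_bytes()
```

Messages that return a non-empty reason list should be quarantined for analyst review rather than delivered, and a message with no Authentication-Results header is deliberately treated as unauthenticated.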
Bottom line: The Silver Fox ABCDoor campaign is a stark reminder that cybercriminals are weaponizing seasonal stress. Vigilance is not optional—it is a lifeline.