Intel Node
Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India
The Silver Fox group is targeting companies in Russia and India by impersonating tax authorities to distribute ValleyRAT and the new ABCDoor backdoor.
In December 2025, we detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. We have attributed this activity to the Silver Fox threat group. Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a “list of tax violations”. Inside the archive was a modified Rust-based loader pulled from a public repository.
This loader would download and execute the well-known ValleyRAT backdoor. The campaign impacted organizations across the industrial, consulting, retail, and transportation sectors, with over 1600 malicious emails recorded between early January and early February. During our investigation, we also discovered that the attackers were delivering a new ValleyRAT plugin to victim devices, which functioned as a loader for a previously undocumented Python-based backdoor. We have named this backdoor ABCDoor.
Retrospective analysis reveals that ABCDoor has been part of the Silver Fox arsenal since at least late 2024 and has been used in real-world attacks from the first quarter of 2025 to the present day.

Email campaign

In the January campaign, victims received an email purportedly from the tax service with an attached PDF file.

[Figure: Phishing email sent to victims in Russia]

The PDF contained two clickable links to download an archive, both leading to a malicious website: abc.haijing88[.]com/uploads/фнс/фнс.zip (фнс is the Russian abbreviation for the Federal Tax Service).

[Figure: Contents of the PDF file from the January phishing wave]

[Figure: Contents of the фнс.zip archive]

In the December campaign, the malicious code was embedded directly within the files attached to the email.

[Figure: Phishing email sent to victims in India]

The email shown in the screenshot above was sent via the SendGrid cloud platform and contained an archive named ITD.-.rar. Inside was a single executable file, Click File.exe, with an Adobe PDF icon (the RustSL loader).

[Figure: Contents of ITD.-.rar]

Additionally, in late December, emails were distributed with an attachment titled GST.pdf containing two links leading to hxxps://abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar (印度邮箱 translates from Chinese as “Indian mailbox”).

[Figure: PDF file from the phishing email]

Both versions of the campaign attempt to exploit the perceived importance of tax-authority correspondence to convince the victim to download the document and initiate the attack chain. Placing download links inside a PDF is specifically intended to bypass email security gateways: because the attachment itself carries no malicious code, only a link that the gateway would have to follow and analyze, it has a higher probability of reaching the recipient than an attachment containing the malicious payload directly.
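The gateway-evasion point above is exactly where a mail-filtering pipeline should add a check: extract every link target from a PDF attachment and triage it before the message is delivered. The following is an added example written for this page, not code from the report or from the Silver Fox toolset. It scans raw PDF bytes for /URI link actions (both literal and hex-encoded string forms), percent-decodes the path so lure filenames such as фнс.zip become readable, and flags links that point at the domain the report defangs as haijing88[.]com or that lead directly to an archive. The embedded PDF is a constructed sample modelled on the two-links-to-one-archive lure; the benign incometax.gov.in link, the archive-extension heuristic and the function names are assumptions for illustration.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample (not a real phishing attachment): a minimal, uncompressed PDF
# with three link annotations. The first two mirror the archive links described in
# the post; the third is a benign link to show that not every URI is flagged.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
  /URI (https://abc.haijing88.com/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
  /URI (https://abc.haijing88.com/uploads/CBDT.rar) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /A << /S /URI
  /URI <68747470733a2f2f7777772e696e636f6d657461782e676f762e696e2f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Assumed indicators: the domain is the one the post defangs as haijing88[.]com;
# the archive-extension list is a generic heuristic, not taken from the post.
KNOWN_BAD_DOMAINS = {"abc.haijing88.com"}
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z", ".iso", ".img")

# /URI values appear either as literal strings (...) or as hex strings <...>.
URI_LITERAL = re.compile(rb"/URI\s*\(((?:\\.|[^()\\])*)\)", re.DOTALL)
URI_HEX = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")


def pdf_uris(data: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes: literals first, then hex strings."""
    uris = []
    for m in URI_LITERAL.finditer(data):
        # Drop the PDF escape backslash (\( \) \\); other escapes are rare in URLs.
        uris.append(re.sub(rb"\\(.)", rb"\1", m.group(1)).decode("latin-1"))
    for m in URI_HEX.finditer(data):
        hexdigits = re.sub(rb"\s", b"", m.group(1))
        if len(hexdigits) % 2:          # PDF pads an odd trailing digit with 0
            hexdigits += b"0"
        uris.append(bytes.fromhex(hexdigits.decode("ascii")).decode("latin-1"))
    return uris


def triage(uri: str) -> dict:
    """Classify one URI: known-bad host and/or a direct link to an archive."""
    parsed = urlparse(uri)
    host = (parsed.hostname or "").lower()
    path = unquote(parsed.path)         # %D1%84... -> фнс, so the lure filename is readable
    reasons = []
    if host in KNOWN_BAD_DOMAINS or any(host.endswith("." + d) for d in KNOWN_BAD_DOMAINS):
        reasons.append("known-bad domain")
    if path.lower().endswith(ARCHIVE_EXTENSIONS):
        reasons.append("direct link to archive")
    return {"uri": uri, "host": host, "path": path, "reasons": reasons, "suspicious": bool(reasons)}


def scan_pdf(data: bytes) -> list[dict]:
    """Extract and triage every link in a PDF attachment."""
    return [triage(u) for u in pdf_uris(data)]


if __name__ == "__main__":
    for verdict in scan_pdf(SAMPLE_PDF):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {verdict['host']} {verdict['path']} {verdict['reasons']}")
```

Two caveats for anyone dropping this into a gateway: the regex scan only sees uncompressed objects, so a PDF that stores its annotations inside a compressed object stream (/ObjStm) must be decompressed (or parsed with a proper PDF library) first, and a host match alone is only as good as the indicator list, so the archive-link heuristic is there to catch the next domain the same lure moves to.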