Silver Fox Group Deploys Novel ABCDoor Backdoor in Tax-Themed Phishing Campaigns Targeting India and Russia

2026-05-04 12:54:32

Introduction

In late 2025 and early 2026, a sophisticated threat actor known as Silver Fox orchestrated a series of targeted phishing campaigns aimed at organizations in Russia and India. The attacks leveraged tax‑related lures to deliver a new, previously undocumented Python‑based backdoor named ABCDoor. Security researchers uncovered that ABCDoor has been part of Silver Fox’s arsenal since at least late 2024 and has been actively used in real‑world attacks from the first quarter of 2025 onward. This article delves into the campaign’s techniques, the modified loaders used, and the implications for affected sectors.

Silver Fox Group Deploys Novel ABCDoor Backdoor in Tax-Themed Phishing Campaigns Targeting India and Russia
Source: securelist.com

The Phishing Campaigns

Both waves followed nearly identical structures, impersonating official tax authorities to trick victims into executing malware. The attackers employed two main delivery methods: malicious PDF attachments containing download links, and executables delivered directly inside archive attachments to the email.

Russia‑Focused Campaign (January 2026)

In January 2026, victims in Russia received emails that appeared to come from the tax service. The messages urged recipients to review a “list of tax violations” and included a PDF attachment. The PDF contained two clickable links, both pointing to a malicious website: abc.haijing88[.]com/uploads/фнс/фнс.zip. (“фнс” is the Russian abbreviation for the Federal Tax Service.) This archive held a modified Rust‑based loader (RustSL) that subsequently downloaded and executed the well‑known ValleyRAT backdoor.

The email’s design imitated official correspondence, with formal language and logos to lower suspicion. By using download links inside the PDF, the attackers aimed to bypass email security gateways that often block direct executable attachments.

India‑Focused Campaign (December 2025 / January 2026)

In December 2025, a similar campaign targeted Indian organizations. One wave sent emails via the SendGrid cloud platform. The email contained an archive named ITD.-.rar, which included a single executable file, Click File.exe, disguised with an Adobe PDF icon – in reality the malicious RustSL loader.

Another variant, distributed in late December, had a PDF attachment named GST.pdf. This PDF contained two links redirecting to hxxps://abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar. (Here, “印度邮箱” translates from Chinese as “Indian mailbox”.) The attackers again exploited the perceived urgency of tax audits to convince victims to download the archive.

Sectors affected include industrial, consulting, retail, and transportation. Between early January and early February 2026, researchers recorded over 1,600 malicious emails associated with this campaign.
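The delivery pattern described above (a PDF lure whose link annotations point to an archive download, with non-ASCII path segments) can be triaged at the mail gateway or in a sandbox by pulling the `/URI` targets out of the PDF and scoring them. The script below is an added example, not code from the original report or from securelist.com; it runs on a constructed minimal PDF fragment with placeholder domains, not the real indicators, and defangs every URL it reports.

```python
import re
from urllib.parse import urlsplit, unquote

# Matches the /URI (...) string of a PDF link action in an uncompressed object;
# handles backslash-escaped characters inside the PDF literal string.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
ARCHIVE_EXT = (".zip", ".rar", ".7z")  # archive types used as first stage

# Constructed sample: one page with two link annotations, modelled on the lure
# (percent-encoded Cyrillic path, placeholder domains; not a real sample).
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"3 0 obj << /Type /Page /Annots [4 0 R 5 0 R] >> endobj\n"
    b"4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(https://abc.example-lure.test/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip) >> >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
    b"(https://www.example-tax-authority.test/notices) >> >> endobj\n"
    b"%%EOF\n"
)

def extract_uris(pdf: bytes) -> list[str]:
    """Return every link-annotation URI found in the PDF, in document order."""
    uris = []
    for raw in URI_RE.findall(pdf):
        # Strip PDF string escapes (\( \) \\), then percent-decode the URL.
        text = re.sub(rb"\\(.)", rb"\1", raw).decode("utf-8", errors="replace")
        uris.append(unquote(text))
    return uris

def defang(url: str) -> str:
    """Render a URL unclickable for reports: hxxp scheme and [.] in the host."""
    parts = urlsplit(url)
    safe = url.replace(parts.scheme + "://", parts.scheme.replace("http", "hxxp") + "://", 1)
    return safe.replace(parts.netloc, parts.netloc.replace(".", "[.]"), 1)

def triage(pdf: bytes) -> list[dict]:
    """Flag links that fetch an archive or carry non-ASCII path segments."""
    findings = []
    for url in extract_uris(pdf):
        path = urlsplit(url).path
        archive = path.lower().endswith(ARCHIVE_EXT)
        non_ascii_path = not path.isascii()
        findings.append({"url": defang(url), "archive": archive,
                         "non_ascii_path": non_ascii_path,
                         "suspicious": archive or non_ascii_path})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_PDF):
        print(finding)
```

The regex only sees uncompressed objects; for PDFs with compressed object streams, decompress with a PDF library first and feed the result to `triage`.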


Technical Analysis of the Loaders

The RustSL Loader

The attackers used a modified version of RustSL, an open‑source Rust‑based loader whose code is publicly available on GitHub. The modifications likely aimed to evade signature‑based detection and to establish a more resilient communication channel with the command‑and‑control (C2) server. Once executed on the victim’s machine, the loader fetched the next stage payload – typically ValleyRAT – from a remote server.

ValleyRAT is a known backdoor that provides attackers with remote access, keylogging, and data exfiltration capabilities. However, in this campaign, researchers discovered that the attackers also delivered a new ValleyRAT plugin that acted as a loader for an entirely different backdoor.

Introducing ABCDoor: A Novel Python‑Based Backdoor

The new plugin downloads and executes a previously undocumented Python‑based backdoor that the security community has named ABCDoor. Retrospective analysis indicates that ABCDoor has been part of the Silver Fox toolkit since at least late 2024 and has been deployed in real‑world attacks from the first quarter of 2025 through the present.

ABCDoor is designed to be stealthy and flexible. Written in Python, it likely leverages common scripting capabilities to perform reconnaissance, lateral movement, and data theft while remaining under the radar of traditional antivirus tools. The use of a Python backdoor also enables the attackers to quickly modify its behavior by swapping scripts, making detection more challenging.

Conclusion and Recommendations

The Silver Fox group continues to evolve its tactics, combining well‑known commodity malware like ValleyRAT with custom‑developed tools such as ABCDoor. Their use of tax‑themed lures demonstrates a keen understanding of human psychology – exploiting the authority and urgency of government communications.

Organizations, especially in industrial, consulting, retail, and transportation sectors, should remain vigilant. Key defensive measures include:

As the threat landscape evolves, so must our defenses. The emergence of ABCDoor underscores the need for continuous threat intelligence and proactive security measures to stay ahead of actors like Silver Fox.
