- The China-based Silver Fox group is targeting organizations in Russia and India with a new Python backdoor called ABCDoor.
- The campaign uses phishing emails disguised as official tax notices to deliver a modified Rust-based loader called RustSL, which installs the ValleyRAT backdoor.
- The malware implements sophisticated geofencing and persistence techniques, including a novel method called Phantom Persistence, to avoid detection.
- More than 1,600 phishing emails were sent between January and February 2026, impacting industrial, consulting, retail, and transportation sectors.
- The threat actor has evolved from targeting China to a broader operational scope, now including Taiwan and Japan.
In early 2026, the cybercrime group Silver Fox launched a sophisticated malware campaign targeting entities in Russia and India, according to reports from Kaspersky. The attack delivered a previously undocumented backdoor codenamed ABCDoor via phishing emails impersonating tax authorities.
These emails mimicked official audit notices from the Income Tax Department of India. Victims who trusted them were tricked into downloading archives that contained a malicious executable disguised as a PDF file.
The executable was a modified version of RustSL, an open-source shellcode loader the group first used in late December 2025. The loader checked its environment to evade virtual machines and geofenced its execution to a list of target countries.
Its ultimate purpose was to unpack and install the well-known ValleyRAT backdoor. One loader variant even employed a novel persistence technique, “intercept[ing] the system shutdown signal, halt[ing] the normal shutdown sequence, and trigger[ing] a reboot under the guise of an update for the malware.”
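A practitioner reading the description of the lure above will want a way to catch the archive before a user opens it. The following is an added example, not code from Kaspersky's report, from the loader, or from the malware, that scans a ZIP in memory and flags members whose name and content disagree: a document extension hiding an executable one (such as `notice.pdf.exe`), a `.pdf` name on a file whose first bytes are the `MZ` header of a Windows executable, a PE image under any name, and, going beyond what the article describes, a right-to-left override character in the file name. The archive it scans, the member names and the member contents are constructed for the example.

```python
import io
import zipfile

# Magic bytes that identify the real file type, independent of the file name.
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"

# Extensions Windows treats as executable no matter what precedes them.
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".msi"}
DOC_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx"}


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a single archive member looks like a disguised executable."""
    reasons = []
    lower = name.lower()
    parts = lower.rsplit("/", 1)[-1].split(".")
    # "notice.pdf.exe": a document extension placed in front of an executable one
    if len(parts) >= 3 and f".{parts[-1]}" in EXEC_EXTENSIONS and parts[-2] in DOC_EXTENSIONS:
        reasons.append("double extension: document name ending in an executable extension")
    # Unicode right-to-left override reverses the displayed tail of the name
    # (assumption: not described on the page, included as a common related trick)
    if "\u202e" in name:
        reasons.append("right-to-left override character in file name")
    # The name claims PDF but the content does not start with the PDF signature
    if lower.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        reasons.append("extension .pdf but content does not start with %PDF")
    # Any member that is a PE image, whatever it is called
    if head.startswith(PE_MAGIC):
        reasons.append("content is a PE image (MZ header)")
    return reasons


def suspicious_members(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member name to the list of reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)   # only the leading bytes are needed for the checks
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive (not a real lure): two disguised PE stubs and one genuine PDF header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Income_Tax_Audit_Notice.pdf.exe", b"MZ" + b"\x90" * 62)  # double extension, PE content
        zf.writestr("Audit_Summary.pdf", b"MZ" + b"\x00" * 62)                # .pdf name, PE content
        zf.writestr("Real_Notice.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n")      # genuine PDF signature
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in suspicious_members(build_sample_archive()).items():
        print(member, "->", "; ".join(reasons))
```

Checking the first bytes rather than trusting the extension is the point: a mail gateway or endpoint script using this logic would flag both disguised members of the sample archive while leaving the genuine PDF alone.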
The encrypted payload then downloaded the ABCDoor backdoor, which had been in the actor’s arsenal since at least December 2024. This Python-based tool allowed for remote control, data collection, and file exfiltration from compromised systems.
The campaign's geographic focus has also expanded over time. Where earlier RustSL versions listed only China in their geofencing check, the custom variant used in these attacks listed India, Indonesia, South Africa, Russia, and Cambodia.
As recently as November 2025, Silver Fox used a JavaScript loader to deliver ABCDoor. Newer RustSL loaders have since added Japan to their target list, with the highest number of attacks detected in India, Russia, and Indonesia.
The group has adopted a dual-track model for both profit and espionage. Security firm S2W noted the group “primarily utilizes highly customized spear phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal issues of the target country.”
