Ethical Hacking News
A new malware campaign attributed to the Silver Fox threat actor has been detected targeting organizations in India, Russia and Indonesia with tax-themed phishing emails. The emails deliver a modified build of RustSL, an open-source Rust-based shellcode loader taken from a public repository, which in turn loads the ValleyRAT (aka Winos 4.0) backdoor and, after a second geofencing check, a custom module codenamed ABCDoor. Before unpacking its payload the loader applies country-based geofencing and checks for virtual machines and sandboxes, and it relies on a technique called Phantom Persistence to survive on the compromised host. Newer RustSL builds have widened the targeting to Japan, and the large majority of loader samples use tax-themed lures to start the infection chain. This article walks through the tactics and techniques used in the campaign and what organizations can do to defend against it.
According to Kaspersky, Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a malware family called ABCDoor. The emails use tax-themed phishing lures to trick users into downloading an archive that supposedly contains a 'list of tax violations'; opening the attachment instead leads to a modified Rust-based loader pulled from a public repository.
The activity began in December 2025, and it has since been detected in several countries across the industrial, consulting, retail, and transportation sectors. Notably, more than 1,600 phishing emails were flagged between early January and early February. The malicious code is said to have been embedded directly within the files attached to the email.
Present within the archive is an executable that mimics a PDF file. This binary is a modified version of an open-source shellcode loader and antivirus bypass framework called RustSL. Silver Fox's first recorded use of RustSL dates back to late December 2025. The end goal of the Silver Fox RustSL variant is to unpack the encrypted malicious payload, while implementing country-based geofencing and environment checks to detect virtual machines and sandboxes.
The loader has been found to employ a technique called Phantom Persistence, first documented in June 2025, to establish persistence on the compromised host. The encrypted payload loaded by RustSL results in the download of the encrypted ValleyRAT (aka Winos 4.0) malware, whose core component ("login-module.dll_bin") is responsible for command-and-control (C2) communications, command execution, and the retrieval and execution of additional modules.
One of the custom modules deployed as part of the attack following a second geofencing check is ABCDoor, which contacts an external server via HTTPS and processes incoming messages to facilitate persistence, handle backdoor updates and removal, collect data such as screenshots, enable remote mouse and keyboard control, perform file system operations, manage system processes, and exfiltrate clipboard contents.
Silver Fox has been observed using a JavaScript loader to deliver ABCDoor, with the loader distributed via self-extracting (SFX) archives that were packaged inside ZIP archives likely sent via phishing emails. Newer versions of RustSL have since expanded the geographic focus to include Japan.
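Two delivery details above are worth turning into a mail-gateway or triage check: an executable that mimics a PDF inside the archive, and SFX archives packaged inside ZIP archives. The following is an added example written for this article, not code from Kaspersky or from the campaign itself. It scans a ZIP by content rather than by file name, flags PE files carrying document-style names (including double extensions such as `.pdf.exe`), flags PE files that also contain embedded ZIP or RAR structures (how self-extracting archives look), and recurses into nested ZIPs. The sample archive it builds is constructed for the demonstration: the "executables" are just `MZ` header bytes with no code, and the file names are placeholders, not indicators from the campaign.

```python
import io
import zipfile
from dataclasses import dataclass

# File signatures ("magic" bytes) used by the checks below.
PE_MAGIC = b"MZ"                  # Windows executable / DLL
PDF_MAGIC = b"%PDF-"              # genuine PDF
ZIP_LOCAL_HEADER = b"PK\x03\x04"  # start of a ZIP entry
RAR_MAGIC = b"Rar!\x1a\x07"       # start of a RAR archive
DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


@dataclass(frozen=True)
class Finding:
    member: str   # path inside the archive; nested archives joined with " -> "
    reason: str


def document_like_name(name: str) -> bool:
    """True if the name would make a user expect a document.

    Catches plain 'report.pdf' as well as double extensions such as
    'report.pdf.exe', where only the last part decides what Windows runs.
    """
    base = name.lower().rsplit("/", 1)[-1]
    return any("." + part in DOC_EXTENSIONS for part in base.split(".")[1:])


def inspect_member(path: str, data: bytes) -> list[Finding]:
    """Apply the content checks to one extracted archive member."""
    findings = []
    is_pe = data.startswith(PE_MAGIC)

    if document_like_name(path) and is_pe:
        findings.append(Finding(path, "PE executable with a document-style name"))
    elif path.lower().endswith(".pdf") and not data.startswith(PDF_MAGIC):
        findings.append(Finding(path, "named .pdf but lacks the %PDF- header"))

    # A PE that also carries archive structures is what an SFX stub looks like.
    # Legitimate installers do this too, so treat it as a lead, not a verdict.
    if is_pe and (ZIP_LOCAL_HEADER in data[2:] or RAR_MAGIC in data[2:]):
        findings.append(Finding(path, "PE carrying an embedded archive (possible SFX)"))
    return findings


def scan_zip_bytes(data: bytes, prefix: str = "", depth: int = 0,
                   max_depth: int = 3) -> list[Finding]:
    """Walk a ZIP, recursing into nested ZIPs, and return every finding."""
    if depth > max_depth:
        return [Finding(prefix or "<root>", f"nested deeper than {max_depth} levels")]
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return [Finding(prefix or "<root>", "ZIP signature but unreadable archive")]

    findings = []
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            path = f"{prefix} -> {info.filename}" if prefix else info.filename
            content = archive.read(info)
            findings.extend(inspect_member(path, content))
            if content.startswith(ZIP_LOCAL_HEADER):
                findings.extend(scan_zip_bytes(content, path, depth + 1, max_depth))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample for the demonstration, NOT a real campaign artifact.

    The 'executables' are only MZ header bytes; the names are placeholders.
    """
    fake_pe = PE_MAGIC + b"\x90" * 64
    fake_sfx = fake_pe + b"stub" + ZIP_LOCAL_HEADER + b"\x00" * 16

    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("setup.exe", fake_sfx)          # stands in for an SFX loader

    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("list_of_tax_violations.pdf.exe", fake_pe)   # PE posing as a PDF
        z.writestr("notice.pdf", PDF_MAGIC + b"1.7 benign placeholder")
        z.writestr("attachment.zip", inner.getvalue())          # ZIP inside ZIP
    return outer.getvalue()


if __name__ == "__main__":
    for finding in scan_zip_bytes(build_sample_archive()):
        print(f"{finding.member}: {finding.reason}")
```

Running the block on the constructed archive reports the disguised executable at the top level and the SFX-like stub inside the nested ZIP, while the genuine PDF is left alone. For production use, cap the size of extracted members before reading them (a nested archive can expand far beyond its compressed size) and treat the SFX signal as a triage lead rather than a block decision, since legitimate installers match it too.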
The highest number of attacks has been detected in India, Russia, and Indonesia, followed by South Africa and Japan. The majority of loader samples discovered have employed tax-themed lures to initiate the infection sequence.
The Silver Fox group primarily utilizes highly customized spear phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal issues of the target country and the target's work characteristics. Since 2024, [Silver Fox] has evolved into a dual-track operational model that simultaneously conducts profitable extensive opportunistic activities and espionage activities.
Tax-themed phishing lures are not new in themselves; what is notable here is how they are combined with the rest of the chain. The lure is matched to the tax calendar of each target country, the archive contains an executable dressed up as a PDF, and the loader and the ABCDoor module both apply country-based geofencing and virtual-machine and sandbox checks before running. The practical consequence is that the payload stays dormant outside the intended countries, so an analyst detonating the sample in a sandbox elsewhere may see nothing malicious at all.
The impact is substantial: organizations in the industrial, consulting, retail, and transportation sectors have been targeted, more than 1,600 phishing emails were flagged in roughly a month, and a successful infection gives the operator interactive access through ABCDoor, including screenshots, remote mouse and keyboard control, file system and process operations, and clipboard exfiltration. Defenders should check email attachments by content rather than file name, block or sandbox executables and self-extracting archives arriving inside ZIP files, and brief staff on tax-season lures.
In conclusion, the Silver Fox group has again shown that it adapts its tactics, pairing tax-themed lures with a modified open-source loader, geofencing, and anti-analysis checks to trick users into running malicious software. Organizations in the affected countries should treat unexpected tax notices with attachments as suspect and stay informed about the campaign as it expands to new regions.
Related Information:
https://www.ethicalhackingnews.com/articles/Silver-Fox-Unleashes-ABCDoor-Malware-via-Tax-Themed-Phishing-Campaign-Targeting-India-and-Russia-ehn.shtml
https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html
https://www.imtr.net/article/silver-fox-deploys-abcdoor-malware-via-tax-themed-phishing-in-india-and-russia-6c96
Published: Mon May 4 07:36:41 2026 by llama3.2 3B Q4_K_M