A China-based cybercrime group identified as Silver Fox has been linked to a new malicious campaign that has targeted organizations in Russia and India with novel malware named ABCDoor. The sophisticated operation, detected by cybersecurity researchers, utilized phishing emails impersonating official tax departments to deliver the malware, highlighting a concerning trend in supply chain attacks and the evolving tactics of sophisticated threat actors.
The recent cyber espionage revelations indicate that Silver Fox orchestrated two distinct waves of attacks. The initial phase, commencing in December 2025, focused on Indian entities by spoofing communications from the Income Tax Department. This was swiftly followed by a similar campaign aimed at Russian organizations, employing a nearly identical modus operandi. Both campaigns leveraged phishing emails designed to appear as official notices concerning tax audits or encouraging the download of an archive containing a purported “list of tax violations.” More than 1,600 such phishing emails were identified between early January and early February 2026.
Silver Fox Targets India and Russia with ABCDoor Malware
The identified attack chain initiated with phishing emails containing a PDF file, which, upon interaction, provided clickable links leading to the download of a ZIP or RAR archive. These archives were hosted on a compromised domain. In the December 2025 campaign, the malicious code was directly embedded within the email attachments. The payload within the archive was an executable file cleverly disguised to resemble a PDF document. This binary is a modified version of RustSL, an open-source shellcode loader and antivirus bypass framework.
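The lure described above (an archive whose executable member is dressed up as a PDF) is something a mail gateway or SOC triage script can check for before a user ever opens it. The following is an added illustration, not Kaspersky's tooling or anything from the Silver Fox samples: it inspects a ZIP attachment and flags members that carry a document-looking name but an executable suffix, or that are named `.pdf` yet begin with a Windows PE (`MZ`) header rather than the `%PDF` magic. The archive it scans is constructed in memory with placeholder file names so the script runs offline.

```python
"""Attachment triage: flag archive members posing as PDF documents.

Added example, not vendor or attacker code. The sample archive and its
member names are constructed here for demonstration only.
"""
import io
import zipfile
from typing import List, Tuple

# Extensions Windows will execute or script-run when double-clicked
EXEC_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".lnk", ".msi"}
PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"


def classify_member(name: str, head: bytes) -> List[str]:
    """Return the reasons an archive member looks like a disguised executable.

    `name` is the member path inside the archive, `head` its first bytes.
    An empty list means nothing suspicious was found.
    """
    reasons: List[str] = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")

    # "notice.pdf.exe": document-looking name with an executable final suffix
    if len(parts) >= 3 and "." + parts[-1] in EXEC_EXTENSIONS and parts[-2] == "pdf":
        reasons.append("double extension pdf + executable")

    # Claims to be a PDF but starts with a PE header
    if base.endswith(".pdf") and head.startswith(PE_MAGIC):
        reasons.append("pdf name but PE header")
    # Claims to be a PDF but has neither magic (malformed or mislabelled)
    elif base.endswith(".pdf") and not head.startswith(PDF_MAGIC):
        reasons.append("pdf name without %PDF magic")

    return reasons


def scan_zip(data: bytes) -> List[Tuple[str, List[str]]]:
    """Scan ZIP bytes and return (member name, reasons) for suspicious members."""
    findings: List[Tuple[str, List[str]]] = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header is needed for the checks
            reasons = classify_member(info.filename, head)
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample archive: one genuine PDF, two disguised executables, one text file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_audit_notice.pdf", b"%PDF-1.4\n% constructed benign placeholder\n")
        zf.writestr("list_of_tax_violations.pdf.exe", PE_MAGIC + b"\x00" * 62)
        zf.writestr("invoice.pdf", PE_MAGIC + b"\x90" * 62)
        zf.writestr("readme.txt", b"plain text, no document claim")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip(build_sample_archive()):
        print(f"SUSPICIOUS {member}: {', '.join(why)}")
```

The header check matters more than the name check: a PDF icon and a long file name can hide an `.exe` suffix from the user, but they cannot change the first two bytes of the file. For RAR attachments the same logic applies with a RAR reader in place of `zipfile`.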
Security researchers from Kaspersky noted that the structure of these phishing waves involved the delivery of a new plugin for the known ValleyRAT backdoor. This plugin functions as a loader for a previously undocumented Python-based backdoor, codenamed ABCDoor. This malware has been part of the threat actor’s toolkit since at least December 19, 2024, and its deployment in cyber attacks began in February or March 2025. The targeted sectors include industrial, consulting, retail, and transportation.
Technical Sophistication and Geofencing in the Attack Chain
The RustSL variant employed by Silver Fox had one core objective: to unpack an encrypted malicious payload. Crucially, it incorporated country-based geofencing and environment checks to detect virtual machines and sandboxes, a common tactic to evade security analysis. While the publicly available GitHub variant of RustSL primarily had China in its country list, the bespoke version used in these attacks specifically included India, Indonesia, South Africa, Russia, and Cambodia.
One variant of the loader was observed implementing a novel persistence mechanism referred to as “Phantom Persistence.” This technique abuses system functionality designed to allow applications requiring a reboot for updates to complete their installation. Attackers intercept the system shutdown signal, halt the normal shutdown process, and trigger a reboot under the pretense of a malware update. Consequently, the loader ensures its execution upon the next operating system startup.
Following the initial payload delivery by RustSL, an encrypted ValleyRAT (also known as Winos 4.0) malware was downloaded. The core component of ValleyRAT is responsible for command-and-control (C2) communications, command execution, and the retrieval and execution of additional modules. After a second geofencing check, ValleyRAT deployed a custom module built for this attack: ABCDoor. This backdoor establishes communication with an external server via HTTPS.
ABCDoor processes incoming messages to facilitate its persistence on the compromised system, manage its own updates and removal processes, collect sensitive data such as screenshots, enable remote mouse and keyboard control, perform file system operations, manage system processes, and exfiltrate clipboard contents. As recently as November 2025, Silver Fox was observed utilizing a JavaScript loader to deliver ABCDoor, with this loader being distributed via self-extracting (SFX) archives packaged within ZIP archives, likely sent through phishing emails.
Evolving Threat Landscape and Geographic Focus
Newer versions of RustSL have expanded their geographic targeting, with Japan now included in their scope. The highest concentration of observed attacks has been detected in India, Russia, and Indonesia, with subsequent detections in South Africa and Japan. The prevalent use of tax-themed lures in most loader samples discovered reinforces the consistent infection sequence employed by the group.
According to security researchers at S2W, since 2024, Silver Fox has evolved into a dual-track operational model. This approach enables them to simultaneously conduct profitable, extensive opportunistic activities and targeted espionage operations. Initially, the group concentrated its attacks within China but later broadened its operational scope to include Taiwan and Japan. Silver Fox primarily employs highly customized spear-phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal concerns and work characteristics of their target countries.
The ongoing evolution of Silver Fox’s tactics, particularly the introduction of ABCDoor and the refined geofencing capabilities, suggests a persistent and adaptive threat actor. Organizations in the affected regions, and those with international operations, should remain vigilant and review their endpoint security and email filtering defenses. Future activity from Silver Fox is likely to continue leveraging social engineering tactics and evolving malware strains to achieve its objectives, with potential for expanded targeting based on geopolitical and economic factors.