VYPR | breach | Published Apr 30, 2026 · Updated May 18, 2026 · 1 source

Silver Fox APT Deploys New ABCDoor Backdoor in Tax-Themed Phishing Campaigns Against Russia and ValleyRAT Attacks

The Silver Fox threat group is targeting organizations in Russia and India with tax-themed phishing emails that deliver a modified Rust-based loader and a new Python-based backdoor named ABCDoor.

The Silver Fox advanced persistent threat group has been observed conducting a sophisticated phishing campaign targeting organizations in Russia and India, using emails that impersonate tax authorities to deliver a modified Rust-based loader and a previously undocumented Python-based backdoor named ABCDoor. The campaign, which began in December 2025 and escalated through early 2026, has impacted industrial, consulting, retail, and transportation sectors, with over 1,600 malicious emails recorded between January and February 2026.

The attack chain starts with phishing emails styled as official tax notices, often carrying PDF attachments with embedded download links or malicious archives. In the January 2026 wave targeting Russian organizations, victims received emails purportedly from the tax service with a PDF containing links to a malicious website hosting a ZIP archive. The December 2025 campaign targeting Indian organizations used emails sent via the SendGrid cloud platform, with archives containing executable files disguised as PDFs. Placing the download link inside the PDF is specifically designed to bypass email security gateways: the attachment itself carries no payload, only a link, so a gateway that scans the attachment finds nothing malicious unless it also follows and analyzes the link.
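As an added example (not code from the report or from Securelist), a defender-side triage check for the two delivery tricks described above: it scans a PDF attachment's raw bytes for /URI link annotations that point at an archive, and lists ZIP members whose executable extension hides behind a document-looking name. The PDF and ZIP inputs are constructed samples, and example.invalid is a placeholder host, not an indicator from the campaign.

```python
# Added triage check for the PDF-link and disguised-executable lures described above.
# Inputs at the bottom are constructed samples, not real campaign artefacts.
import io
import re
import zipfile
from urllib.parse import urlparse

ARCHIVE_EXT = (".zip", ".rar", ".7z")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".msi", ".lnk")
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx")

# Matches /URI (...) entries in uncompressed annotation dictionaries; PDFs that use
# compressed object streams need a real parser (e.g. pypdf) to inflate them first.
URI_RE = re.compile(rb"/URI\s*\((https?://[^)\s]+)\)")

def pdf_links(pdf_bytes: bytes) -> list[str]:
    """Return every http(s) URL found in /URI link annotations."""
    return [m.decode("latin-1") for m in URI_RE.findall(pdf_bytes)]

def suspicious_pdf_links(pdf_bytes: bytes) -> list[str]:
    """Flag links whose path ends in an archive extension (the ZIP-via-PDF lure)."""
    return [u for u in pdf_links(pdf_bytes)
            if urlparse(u).path.lower().endswith(ARCHIVE_EXT)]

def disguised_executables(zip_bytes: bytes) -> list[str]:
    """Flag ZIP members like 'notice.pdf.exe': an executable with a document-looking stem."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            lower = name.lower()
            if lower.endswith(EXEC_EXT):
                stem = lower.rsplit(".", 1)[0]
                if stem.endswith(DOC_EXT):
                    hits.append(name)
    return hits

# Constructed sample PDF: one link annotation pointing at an archive on a placeholder host.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
              b"/A << /S /URI /URI (http://example.invalid/tax/notice.zip) >> >>\nendobj\n%%EOF")

def build_sample_zip() -> bytes:
    """Constructed archive holding an executable that masquerades as a PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Notice_2026.pdf.exe", b"MZ...")  # fake PE stub, constructed
        zf.writestr("readme.txt", b"hello")
    return buf.getvalue()
```

Run `suspicious_pdf_links(SAMPLE_PDF)` and `disguised_executables(build_sample_zip())` on the samples to see both lures flagged; on real mail flow, the same checks apply to each PDF attachment and to the archive a flagged link resolves to.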

Once the victim downloads and executes the payload, a modified version of the Rust-based loader RustSL is deployed. This loader, whose source code is publicly available on GitHub with a description in Chinese, features extensive customization options including eight payload encryption methods, thirteen memory allocation methods, twelve sandbox and virtual machine detection techniques, and thirteen payload execution methods. The Silver Fox group modified this loader, adding a module named steganography.rs that implements the unpacking logic for the malicious payload, despite the name having little to do with actual steganography.

The RustSL loader then downloads and executes the well-known ValleyRAT backdoor, a remote access trojan commonly used by Chinese-speaking threat actors. During their investigation, researchers from Securelist also discovered that the attackers were delivering a new ValleyRAT plugin to victim devices, which functioned as a loader for a previously undocumented Python-based backdoor named ABCDoor. Retrospective analysis reveals that ABCDoor has been part of the Silver Fox arsenal since at least late 2024 and has been utilized in real-world attacks from the first quarter of 2025 to the present day.

The campaign's impact has been significant, affecting organizations across multiple sectors. Tax-themed lures are a common tactic among threat actors because they exploit the perceived importance of correspondence from a tax authority to convince victims to download malicious documents. The Silver Fox group, also known as TA444 or the GOLD RUSH group, has been active since at least 2022 and is known for targeting organizations in Asia and Eastern Europe with ransomware and data theft attacks.

Organizations in Russia and India should be particularly vigilant, as the campaign continues to evolve. The use of modified open-source tools like RustSL and the development of custom backdoors like ABCDoor demonstrate the group's technical sophistication and adaptability. Security teams should implement email security measures that can detect and block phishing attempts, even those that use PDF attachments with embedded links, and ensure that employees are trained to recognize and report suspicious emails.

The discovery of ABCDoor highlights the ongoing evolution of the Silver Fox group's capabilities and the importance of continuous monitoring and threat intelligence sharing. As the group continues to refine its tactics, techniques, and procedures, organizations must remain proactive in their defense strategies to mitigate the risk of compromise.

Synthesized by Vypr AI