Silver Fox Threat Actor Deploys New 'ABCDoor' Malware in Tax-Themed Phishing Campaign
The Chinese threat actor Silver Fox is targeting organizations in India and Russia with tax-themed phishing emails that deliver a new, stealthy backdoor called ABCDoor alongside established remote access Trojans.

The Chinese-linked threat actor known as Silver Fox has launched a sophisticated phishing campaign targeting organizations across India and Russia. By leveraging tax-themed lures, the group has successfully distributed a mix of established remote access Trojans and a newly identified, stealthy backdoor dubbed "ABCDoor." According to Dark Reading, the campaign began in December 2025, initially impersonating Indian tax authorities before expanding its scope to Russian entities in January 2026.
The attack chain relies on social engineering, with emails masquerading as official notices regarding tax audits or lists of tax violations. These messages prompt recipients to download malicious archives or click links that lead to attacker-controlled infrastructure. Once the user opens these files, a Rust-based loader, adapted from a public repository and modified by the group, executes and deploys the final payloads. Kaspersky researchers observed more than 1,600 malicious messages between early January and early February, affecting the industrial, consulting, retail, and transportation sectors among others (Dark Reading).
The payload of most interest is "ABCDoor," a previously undocumented Python-based backdoor that has been active since late 2024. To evade detection, ABCDoor runs under the legitimate `pythonw.exe` process (the windowless Python interpreter, so no console window is shown) and establishes persistence through Windows Registry Run keys and scheduled tasks. Its capabilities focus on covert remote interaction: multi-monitor screen streaming via FFmpeg, remote mouse and keyboard control, and clipboard theft. It also includes self-update and self-removal mechanisms (Dark Reading).
In addition to ABCDoor, the group continues to use the well-known ValleyRAT backdoor. The Rust-based loader in particular has been heavily customized to fit the group's operational needs. The malware leaves forensic artifacts in the Windows Registry and under `%LOCALAPPDATA%`, and security teams are encouraged to monitor both locations for signs of compromise (Dark Reading).
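The persistence pattern described above (Run keys and scheduled tasks that launch `pythonw.exe`, with artifacts under `%LOCALAPPDATA%`) lends itself to a quick host triage. The script below is an added example and is not code from Dark Reading, Kaspersky, or the malware itself; it assumes only that an ABCDoor-style infection shows up as a Run value, a scheduled-task action, or a live process that invokes `pythonw.exe` or points into `%LOCALAPPDATA%`. The article names no specific value names, task names, file names, or hashes, so the script deliberately matches the generic pattern rather than invented indicators.

```powershell
# Added triage example (not from Dark Reading or Kaspersky). Assumption: ABCDoor-style
# persistence appears as a Run-key value or scheduled-task action that launches
# pythonw.exe, typically from a path under %LOCALAPPDATA%. No specific indicators
# (key names, task names, hashes) are known from the article, so matching is generic.

# Match pythonw.exe, the expanded %LOCALAPPDATA% path, or the unexpanded variable.
$expanded = [regex]::Escape($env:LOCALAPPDATA)
$unexpanded = [regex]::Escape('%LOCALAPPDATA%')
$pattern = "pythonw\.exe|$expanded|$unexpanded"

$findings = @()

# 1. Registry Run / RunOnce keys, per-user and machine-wide.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        # Get-ItemProperty adds its own PSPath/PSParentPath/... properties; skip them.
        if ($p.Name -like 'PS*') { continue }
        if ("$($p.Value)" -match $pattern) {
            $findings += [pscustomobject]@{
                Source  = $key
                Name    = $p.Name
                Command = "$($p.Value)"
            }
        }
    }
}

# 2. Scheduled-task actions (executable plus arguments).
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)".Trim()
        if ($cmd -match $pattern) {
            $findings += [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Name    = $task.TaskName
                Command = $cmd
            }
        }
    }
}

# 3. Live pythonw.exe processes with full command lines (CIM exposes CommandLine).
Get-CimInstance Win32_Process -Filter "Name = 'pythonw.exe'" | ForEach-Object {
    $findings += [pscustomobject]@{
        Source  = "Process $($_.ProcessId)"
        Name    = $_.Name
        Command = "$($_.CommandLine)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "No Run-key, scheduled-task, or process entries matched '$pattern'."
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

Run it in an elevated PowerShell session so the HKLM keys and other users' scheduled tasks are readable. Every hit needs review rather than automatic action: a user-installed Python lives under `%LOCALAPPDATA%\Programs\Python` and legitimately runs `pythonw.exe`, so the useful signal is a `pythonw.exe` launched from an unexpected directory, a script argument in a non-development location, or a Run value or task the user cannot account for.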
The success of this campaign highlights the persistent effectiveness of tax-themed social engineering. By invoking the authority of government agencies, attackers create a sense of urgency that often bypasses ordinary user caution. As industry experts note, this tactic exploits a fundamental human weakness, making it a reliable way for threat actors to gain an initial foothold in a wide range of corporate environments (Dark Reading).
This campaign underscores the evolving tactics of Silver Fox, a group that continues to refine its arsenal by blending public-domain tools with proprietary, stealthy malware. As organizations continue to expand their attack surfaces through new integrations and cloud assets, the challenge of defending against such targeted, human-centric attacks remains a critical priority for security operations centers globally. Dark Reading notes that while defenders must maintain constant vigilance, attackers only require a single successful interaction to compromise a system.