VYPR research · Published May 4, 2026 · Updated May 17, 2026 · 1 source

Silver Fox Threat Actor Deploys New 'ABCDoor' Backdoor in Targeted Phishing Campaign

The China-based cybercrime group Silver Fox is targeting organizations in India and Russia with a new Python-based backdoor called ABCDoor, delivered via sophisticated tax-themed phishing campaigns.

The China-based threat actor known as Silver Fox—also tracked as Monarch, SwimSnake, and Void Arachne—has launched a sophisticated phishing campaign targeting organizations in India and Russia. By masquerading as official tax authorities, the group has successfully deployed a new Python-based backdoor dubbed ABCDoor, alongside the established ValleyRAT malware (The Hacker News).

The attack chain typically begins with phishing emails disguised as tax audit notices or lists of tax violations. These emails contain either direct attachments or links to ZIP/RAR archives hosted on the domain abc.haijing88[.]com. Inside these archives, users find an executable disguised as a PDF, which is actually a custom variant of RustSL, an open-source shellcode loader and antivirus bypass framework. Silver Fox has been observed using this RustSL variant since late December 2025 to unpack encrypted payloads while performing environment checks to evade virtual machines and sandboxes (The Hacker News).
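The lure described above is an archive whose member is an executable dressed up as a PDF. The following is an added defensive example, not code from the article or the reporting it summarizes: it opens a ZIP attachment and flags members that carry a PE header under a PDF-looking name, pad the name with whitespace to push the real extension out of view, or use a double extension. The archive contents are constructed placeholders, not samples from the campaign.

```python
import io
import zipfile

PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"
# Extensions Windows will execute directly (assumption: a reasonable default list).
EXEC_EXTS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".msi", ".dll")


def build_sample_archive() -> bytes:
    """Constructed test input: one genuine PDF and two executables disguised as PDFs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Audit_Notice.pdf", PDF_MAGIC + b"-1.7\n%placeholder\n")
        # Spaces pad the displayed name so ".exe" scrolls out of a narrow file-name column.
        zf.writestr("Tax_Violation_List.pdf                    .exe", PE_MAGIC + b"\x90" * 64)
        zf.writestr("Notice.pdf.scr", PE_MAGIC + b"\x00" * 32)
    return buf.getvalue()


def inspect_archive(data: bytes) -> list:
    """Return [(member_name, [reasons])] for members that look like disguised executables.

    Content is judged by magic bytes, not by the name: a ".pdf" member whose first bytes
    are "MZ" is a Windows executable regardless of how the name reads in a file dialog.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            lowered = name.lower()
            with zf.open(info) as member:
                head = member.read(4)
            reasons = []
            if ".pdf" in lowered and head.startswith(PE_MAGIC):
                reasons.append("PE header (MZ) under a PDF-looking name")
            if "  " in name:
                reasons.append("whitespace padding hides the real extension")
            if ".pdf" in lowered and lowered.endswith(EXEC_EXTS):
                reasons.append("double extension: .pdf followed by an executable extension")
            if reasons:
                findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for member, why in inspect_archive(build_sample_archive()):
        print(f"SUSPICIOUS: {member!r}: {'; '.join(why)}")
```

The genuine PDF produces no finding; the same checks apply to extracted RAR members if an external extractor hands the bytes to `inspect_archive`-style logic.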

A critical feature of this campaign is the use of "Phantom Persistence," a technique first documented in June 2025. The malware intercepts system shutdown signals, halting the process to trigger a fake update sequence. This forces the system to execute the malicious loader upon the next startup, ensuring the threat remains active on the compromised host (The Hacker News).

Once the initial loader executes, it deploys ValleyRAT (also known as Winos 4.0). This backdoor serves as the primary command-and-control (C2) hub, handling communications and executing further modules. Among these is the newly identified ABCDoor, a Python-based backdoor that has been in the group's arsenal since at least December 2024. ABCDoor enables extensive remote control, including file system manipulation, process management, screenshot capture, and clipboard exfiltration (The Hacker News).

The campaign has impacted diverse sectors, including industrial, consulting, retail, and transportation. Between early January and early February 2026 alone, researchers flagged over 1,600 phishing emails. The threat actors have demonstrated a clear focus on geographic targeting; while the public version of the RustSL loader only includes China in its geofencing list, the Silver Fox variant specifically targets India, Indonesia, South Africa, Russia, Cambodia, and more recently, Japan (The Hacker News).

This activity highlights the evolving tactics of Silver Fox as they refine their delivery mechanisms. While they previously utilized JavaScript loaders in November 2025, the shift to modified RustSL loaders and the integration of ABCDoor suggests a concerted effort to improve persistence and evade detection. Organizations in the targeted regions are advised to remain vigilant against tax-themed correspondence and to scrutinize unexpected archive files, as the group continues to expand its geographic reach and technical capabilities (The Hacker News).

Synthesized by Vypr AI