Silver Fox Expands Reach with ABCDoor Malware in Tax-Themed Phishing Campaigns

May 4, 2026 Faeem BLOGS 0

Overview The China-based cybercrime group Silver Fox has been linked to a new wave of phishing campaigns targeting organizations in India and Russia. These attacks deliver a previously undocumented Python-based backdoor called ABCDoor, alongside the group’s established ValleyRAT malware.

Attack Chain

  • Initial Lure: Phishing emails impersonating tax authorities (India’s Income Tax Department, Russian tax notices).
  • Payload Delivery:
    • Attached PDFs with links to ZIP/RAR archives hosted on attacker-controlled domains.
    • Archives contained executables disguised as PDFs, built on RustSL, an open-source shellcode loader modified for antivirus evasion.
  • Loader Behavior:
    • Unpacks encrypted payloads.
    • Implements country-based geofencing (India, Russia, Indonesia, South Africa, Cambodia).
    • Detects virtual machines and sandboxes to evade analysis.
  • Persistence: Some variants use Phantom Persistence, hijacking system shutdown signals to force malware execution at startup.

Malware Components

  • ValleyRAT (aka Winos 4.0): Handles command-and-control (C2), command execution, and module deployment.
  • ABCDoor Backdoor:
    • Communicates via HTTPS.
    • Provides persistence and update/removal capabilities.
    • Collects screenshots, clipboard data, and system information.
    • Enables remote mouse/keyboard control and file system operations.

Campaign Scope

  • Timeline: Active since late 2024, with phishing waves detected in December 2025 and early 2026.
  • Targets: Industrial, consulting, retail, and transportation sectors.
  • Scale: Over 1,600 phishing emails flagged between January–February 2026.
  • Geography: Highest activity in India, Russia, and Indonesia, with additional targeting in South Africa and Japan.

Defensive Guidance

  • User Awareness: Train staff to spot tax-themed phishing lures, especially during seasonal filing periods.
  • Attachment Controls: Block or sandbox suspicious archives and executables disguised as PDFs.
  • Network Monitoring: Watch for outbound HTTPS traffic to suspicious domains (e.g., abc.haijing88[.]com).
  • Endpoint Protection: Detect persistence techniques like Phantom Persistence and monitor for abnormal shutdown/reboot behavior.
  • Threat Intelligence: Track evolving Silver Fox tactics, which blend opportunistic campaigns with espionage operations.

Final Thought

Silver Fox’s ABCDoor campaign demonstrates how localized social engineering themes (tax audits, compliance notices) can be weaponized to deliver advanced malware. By combining Rust-based loaders, geofencing, and novel persistence techniques, the group continues to refine its dual-track model of profit-driven attacks and espionage operations. For defenders, the lesson is clear: vigilance against phishing remains the frontline defense, especially when attackers tailor lures to seasonal or regulatory contexts.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.