China-Based Silver Fox Group Targets India and Russia in Tax-Themed Phishing Attacks

Kinyua Njeri (Sam Kin)  - Tech Expert
Last updated: May 5, 2026
Radar Rundown
  • The China-based Silver Fox group targets India and Russia using tax-themed phishing emails that deliver a modified RustSL loader and the ValleyRAT backdoor.

  • The attacks deployed a new Python-based backdoor called ABCDoor, which gives attackers full remote control, including screenshot capture, file operations, and clipboard exfiltration.

  • The group evolved into a dual-track operation since 2024, conducting both profit-driven opportunistic attacks and espionage across China, Taiwan, Japan, India, Russia, and Indonesia.

A Chinese cybercriminal organization called Silver Fox has recently launched phishing attacks on Indian and Russian entities. The fraudulent emails resemble messages from the tax department and aim to trick users into downloading a new, previously unknown malware program called ABCDoor.

According to Kaspersky, a Russian cybersecurity provider, the campaigns were publicly disclosed on May 4, 2026. The initial wave of attacks against Indian entities occurred in December 2025, with emails designed to appear as if they came from the Indian Income Tax Department. A second campaign followed in January 2026, aimed at Russian entities. Both waves followed nearly identical structures, with phishing emails styled as official audit notifications.

Researchers estimate that the attacks affected a range of industries, including industrial, consulting, retail, and transportation firms. In total, they identified over 1,600 phishing emails belonging to this campaign from early January through early February this year.

Attackers use two-stage malware to bypass security defenses

The phishing emails contained PDF files with two clickable links that directed victims to download ZIP or RAR archives from a malicious domain. In the December 2025 campaign, by contrast, the attackers embedded the malicious code directly in the email attachments instead of hosting it remotely.

Inside each archive sat an executable file disguised as a PDF document. This binary represents a modified version of an open-source shellcode loader called RustSL. Silver Fox’s first recorded use of this loader dates back to late December last year.

The customized RustSL variant unpacks encrypted malicious payloads and implements country-based geofencing. It also performs environment checks to detect virtual machines and sandboxes, which lets the malware evade analysis by security researchers. While the original GitHub version only includes China in its country list, the Silver Fox variant adds India, Indonesia, South Africa, Russia, and Cambodia.

Some loader variants employ a novel persistence method called Phantom Persistence, first documented in June 2025. This technique abuses functionality designed for applications that require a reboot to complete updates. The attackers intercept the system's shutdown signal, halt the usual shutdown process, and force a reboot under the guise of a pending update.

ABCDoor backdoor gives attackers full remote control

The encrypted payload that RustSL launches downloads ValleyRAT, also known as Winos 4.0, a well-known remote access trojan. Its core component handles command-and-control communications, executes commands, and retrieves additional malicious modules.

After passing a second geofencing check, the attack deploys ABCDoor, a previously undocumented Python-based backdoor. Kaspersky reports that ABCDoor has been part of Silver Fox’s arsenal since at least December 19, 2024. The group began using it in actual cyber-attacks starting in February or March last year.

ABCDoor contacts an external server via HTTPS and processes incoming messages to carry out its malicious functions. The backdoor establishes persistence on compromised systems, handles its own updates and removal, collects screenshots, enables remote mouse and keyboard control, performs file system operations, manages system processes, and exfiltrates clipboard contents.

As recently as November last year, Silver Fox delivered ABCDoor using a JavaScript loader distributed through self-extracting archives. Newer versions of RustSL have since expanded the geographic focus to include Japan.

Singapore appears to be another key target for Chinese-linked cyber operations. A recent espionage campaign targeted the country’s telecom sector with sophisticated tactics.

Silver Fox evolves into dual-track criminal operation

The highest number of attacks has occurred in India, Russia, and Indonesia, followed by South Africa and Japan. The majority of the discovered loader samples used tax-themed lures to initiate the infection sequence.

Since 2024, Silver Fox has evolved into a dual-track operational model. The group simultaneously conducts profitable opportunistic activities alongside espionage operations. In the early stages, the group targeted China primarily. Later, the group expanded its operational scope to Taiwan and Japan.

The group primarily relies on highly personalized spear-phishing for initial infiltration. It deploys sophisticated and diverse lures tailored to seasonal issues in each target country and to the specific work characteristics of its targets.

Organizations in affected regions should train employees to recognize phishing emails, especially those claiming to come from tax authorities. Also, security teams should monitor for unusual system shutdown behaviors that might indicate Phantom Persistence attacks.
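As a starting point for the shutdown monitoring suggested above, the following is an added example (not code from the article or from Kaspersky) that triages restart-initiation records of the kind Windows writes to the System log as Event ID 1074. The event records, the trusted-initiator baseline, and the file names are all constructed assumptions to be tuned to a real environment.

```python
"""Flag reboot requests from unexpected processes (Phantom Persistence hunting)."""
from __future__ import annotations

# Assumed baseline of processes allowed to request a restart on a managed host.
TRUSTED_INITIATORS = {
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\shutdown.exe",
    r"c:\windows\system32\svchost.exe",  # Windows Update orchestrator
}

# Path fragments that indicate a user-writable location, where no legitimate
# restart initiator should live.
USER_WRITABLE_MARKERS = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample records mirroring the fields of Event ID 1074.
SAMPLE_EVENTS = [
    {"time": "2026-01-12T02:10:05", "process": r"C:\Windows\System32\svchost.exe",
     "user": "NT AUTHORITY\\SYSTEM", "reason": "Operating System: Upgrade (Planned)",
     "type": "restart"},
    {"time": "2026-01-12T09:41:17",
     "process": r"C:\Users\alice\AppData\Local\Temp\Audit_Notice.pdf.exe",
     "user": "CORP\\alice", "reason": "Application: Installation (Planned)",
     "type": "restart"},
    {"time": "2026-01-12T18:00:00", "process": r"C:\Windows\System32\shutdown.exe",
     "user": "CORP\\alice", "reason": "Other (Unplanned)", "type": "power off"},
]


def classify_restart(event: dict) -> str | None:
    """Return a finding label for a suspicious restart request, else None.

    Phantom Persistence needs a reboot the malware controls, so the signal is
    who asked for the restart, not the (attacker-chosen) reason text.
    """
    if event["type"] != "restart":
        return None  # plain shutdowns are out of scope for this check
    proc = event["process"].lower()
    if proc in TRUSTED_INITIATORS:
        return None
    if any(marker in proc for marker in USER_WRITABLE_MARKERS):
        return "restart-from-user-writable-path"
    return "unknown-initiator"


def find_suspicious_restarts(events: list[dict]) -> list[tuple[str, dict]]:
    """Return (label, event) pairs worth triage, oldest first."""
    hits = [(lbl, e) for e in events if (lbl := classify_restart(e))]
    return sorted(hits, key=lambda pair: pair[1]["time"])


if __name__ == "__main__":
    for label, hit in find_suspicious_restarts(SAMPLE_EVENTS):
        print(f"{hit['time']} {label}: {hit['process']} ({hit['user']})")
```

On a live host the same logic can be fed from `Get-WinEvent -FilterHashtable @{LogName='System'; Id=1074}` exported to JSON.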

