Silver Fox APT Targets Russia and India with New ABCDoor Backdoor
The Chinese cybercrime group **Silver Fox** has been linked to a new campaign targeting organizations in Russia and India. The attacks leverage tax-themed phishing emails to deploy a previously undocumented Python-based backdoor dubbed **ABCDoor**.

The activity began with phishing campaigns mimicking correspondence from the **Income Tax Department of India**, followed by similar attacks aimed at Russian entities. Both waves end in the deployment of **ABCDoor**.
### Campaign Details
The phishing emails, observed in December 2025, posed as official notices regarding tax audits or prompted users to download an archive containing a 'list of tax violations.' According to **Kaspersky**, the archives contained a modified Rust-based loader that downloads and executes the well-known ValleyRAT backdoor.
The campaign has impacted organizations across the industrial, consulting, retail, and transportation sectors, with over 1,600 phishing emails flagged between early January and early February.
### ABCDoor Backdoor
A key element of these phishing waves is the delivery of a new ValleyRAT plugin, functioning as a loader for the previously undocumented **ABCDoor**. This Python-based backdoor has been part of the threat actor's arsenal since at least December 19, 2024, and has been actively used in cyberattacks since February or March 2025.
In the typical attack chain, the phishing email carries a PDF file whose links download a ZIP or RAR archive hosted on a malicious domain. In the December 2025 campaign, this step was skipped and the malicious archive was attached directly to the email.
### RustSL Loader and Phantom Persistence
Within the archive is an executable mimicking a PDF file. This binary is a modified version of an open-source shellcode loader and antivirus bypass framework called **RustSL**. Silver Fox's initial use of RustSL was recorded in late December 2025.
The **Silver Fox** RustSL variant combines unpacking of the encrypted payload with country-based geofencing and environment checks that detect virtual machines and sandboxes. The bespoke version's country list includes India, Indonesia, South Africa, Russia, and Cambodia; a detonation host whose locale or region falls outside that list will not see the payload stage, which is worth keeping in mind when a sample appears benign in an automated sandbox.
One variant of the loader employs a technique called **Phantom Persistence** to establish persistence on the compromised host. This technique, first documented in June 2025, abuses the system shutdown signal to trigger a reboot under the guise of a malware update.

### ValleyRAT and ABCDoor Functionality
The encrypted payload loaded by RustSL leads to the download of the encrypted ValleyRAT (aka Winos 4.0) malware. The core component is responsible for command-and-control (C2) communications, command execution, and retrieval and execution of additional modules.
**ABCDoor**, deployed as a custom module, contacts an external server via HTTPS and processes incoming messages to facilitate persistence, handle backdoor updates and removal, collect data (screenshots), enable remote mouse and keyboard control, perform file system operations, manage system processes, and exfiltrate clipboard contents.
### Evolution of Silver Fox
As of November 2025, **Silver Fox** has been observed using a JavaScript loader to deliver **ABCDoor**, distributed via self-extracting (SFX) archives packaged inside ZIP archives, likely sent via phishing emails. Newer versions of RustSL have expanded the geographic focus to include Japan.
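As an added example (not code from the article, Kaspersky or S2W), the following Python script triages an archive lure the way the chain above suggests: an executable dressed up as a PDF inside a ZIP, and the later variant where a self-extracting (SFX) executable is packaged inside a ZIP. It flags members whose extension says PDF but whose bytes begin with a Windows PE header, double extensions, right-to-left override characters in names, nested archives, and SFX stubs (a PE image with a ZIP or RAR signature embedded after the header). The sample archive, its file names and the fake PE bytes are constructed inline so the script runs offline; no real Silver Fox sample is used and no indicator from the campaign is reproduced.

```python
"""Offline triage of archive-based phishing lures.

Added example: flags PE-as-PDF masquerading, double extensions, RTL override
characters, nested archives and self-extracting executables inside a ZIP.
The sample archive built by build_sample_archive() is constructed, not real."""
import io
import zipfile

PDF_MAGIC = b"%PDF"
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"

DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXEC_EXTS = {".exe", ".scr", ".com", ".pif", ".js", ".jse", ".vbs", ".bat", ".cmd"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}


def sniff(data: bytes) -> str:
    """Classify content by magic bytes, ignoring whatever the extension claims."""
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(PE_MAGIC):
        return "pe"
    if data.startswith(ZIP_MAGIC):
        return "zip"
    if data.startswith(RAR_MAGIC):
        return "rar"
    return "unknown"


def is_sfx(data: bytes) -> bool:
    """A self-extracting archive is a PE stub with an archive appended, so an
    archive signature appearing after the MZ header is the tell."""
    if not data.startswith(PE_MAGIC):
        return False
    body = data[2:]
    return ZIP_MAGIC in body or RAR_MAGIC in body


def triage_member(name: str, data: bytes) -> list[str]:
    """Return the findings for one archive member, in a fixed order."""
    findings = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = sniff(data)
    if "\u202e" in name:  # right-to-left override hides the true extension
        findings.append("RTL override in file name")
    if ext == ".pdf" and kind == "pe":
        findings.append("PE masquerading as PDF")
    if len(parts) > 2 and "." + parts[-2] in DOC_EXTS and ext in EXEC_EXTS:
        findings.append("double extension")
    if is_sfx(data):
        findings.append("self-extracting archive")
    if kind in ("zip", "rar") or ext in ARCHIVE_EXTS:
        findings.append("nested archive")
    if kind == "pe" or ext in EXEC_EXTS:
        findings.append("executable in archive")
    return findings


def triage_zip(zip_bytes: bytes, depth: int = 0) -> dict[str, list[str]]:
    """Walk a ZIP, recursing into nested ZIPs up to two levels deep."""
    report: dict[str, list[str]] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            report[info.filename] = triage_member(info.filename, data)
            if sniff(data) == "zip" and depth < 2:
                for inner, found in triage_zip(data, depth + 1).items():
                    report[f"{info.filename}/{inner}"] = found
    return report


def build_sample_archive() -> bytes:
    """Constructed lure: fake PE as .pdf, a real PDF, a double extension,
    and a nested ZIP holding a fake SFX (PE stub + embedded ZIP header)."""
    fake_pe = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode.\r\n"
    real_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    sfx = b"MZ" + b"\x00" * 62 + ZIP_MAGIC + b"\x00" * 26 + b"payload.js"
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as zf:
        zf.writestr("Update.exe", sfx)
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as zf:
        zf.writestr("Tax_Violations_List.pdf", fake_pe)
        zf.writestr("Audit_Notice.pdf", real_pdf)
        zf.writestr("Notice.pdf.exe", fake_pe)
        zf.writestr("Attachment.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, found in triage_zip(build_sample_archive()).items():
        print(f"{member}: {', '.join(found) or 'clean'}")
```

The PE check deliberately stops at the `MZ` signature; a production triage step would parse the PE header and hash any SFX stub against known archiver stubs. Because the loader gates on locale, a static pass like this is often the only stage that fires when a sample is detonated outside the targeted countries.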
The highest number of attacks has been detected in India, Russia, and Indonesia, followed by South Africa and Japan. Most of the loader samples discovered have used tax-themed lures.
According to **S2W**, since 2024, **Silver Fox** has evolved into a dual-track operational model, conducting both profitable opportunistic activities and espionage. Initially targeting China, the group later expanded its operations to Taiwan and Japan.
**Silver Fox** primarily utilizes highly customized spear phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal issues and work characteristics of the target country.