Silver Fox Uses New ABCDoor Backdoor to Target Organizations in Russia and India via Tax Impersonation
Silver Fox has launched a tax-themed phishing campaign across India, Russia, Indonesia, and Japan, deploying ValleyRAT and the newly documented ABCDoor Python backdoor via fake tax authority notifications. Its Phantom Persistence technique survives the reboot that most triage playbooks rely on, which makes standard remediation insufficient.
INDIA / RUSSIA — The campaign begins with phishing emails designed to look like official correspondence from local tax authorities. Targets in India received emails impersonating the Indian Income Tax Department; targets in Russia received near-identical lures from Russian tax services. In both cases, the email prompted victims to download an archive containing a "list of tax violations." Inside: a modified Rust-based loader that downloaded and executed ValleyRAT, and in more recent variants, ABCDoor.
Campaign profile
ABCDoor: the new tool
ABCDoor is a Python-based backdoor that provides bidirectional file transfer and real-time remote control of infected hosts, and it supports managing multiple compromised hosts simultaneously. The campaign's loader uses a technique dubbed Phantom Persistence: when it detects a shutdown request, it intercepts the sequence, blocks the normal shutdown, and instead forces a reboot presented to the user as a software update, re-establishing the implant as part of that restart. The practical consequence is that the reboot a user or help desk performs to "clear" a problem is exactly the event the malware uses to restore itself.
Geographic expansion
Silver Fox was previously associated primarily with Chinese-speaking targets. The deliberate addition of Russia as a primary target — 17% of detected attacks — and Japan in January 2026 represents significant operational expansion, suggesting either a broader intelligence mandate or contracted tasking with a wider geographic aperture.
What to do now
Treat any tax-related email that prompts a file download as suspect, regardless of the apparent authority of the sender. Hunt for ValleyRAT indicators and for ABCDoor's Python processes in endpoint telemetry, paying particular attention to interpreters running from user-writable directories such as %TEMP% or %APPDATA%, since a Python-based implant can carry its own interpreter rather than relying on one installed on the host. Monitor for Phantom Persistence behavior: unexpected reboots or repeated reboot cycles, and "pending update" prompts on endpoints outside scheduled maintenance windows, especially where the restart is initiated by a process other than the usual Windows update or shutdown components. Restrict Python interpreter execution on non-developer workstations with application control (for example AppLocker or WDAC).
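As an added example (not material from the article, and not Silver Fox or ABCDoor code), the following Python script runs the hunts described above over constructed endpoint records: interpreter launches on non-developer hosts or from user-writable paths, restarts initiated by an unexpected process or presented as an "update" outside the patch window, and hosts that reboot repeatedly in one day. The record layout, host names, file paths, timestamps, maintenance window and allowlists are all assumptions for illustration; replace them with your own EDR export or Windows System log data (Event ID 1074 records the initiating process, user and stated reason of a restart).

```python
"""Two endpoint hunts for the behaviours described in "What to do now".

Added illustration, not code from the article or from any Silver Fox / ABCDoor
tooling. Record layouts, host names, paths, timestamps and allowlists below are
constructed assumptions; map them onto your own EDR export or Windows System log
(Event ID 1074 carries the initiating process, user and reason of a restart).
"""
from collections import Counter
from datetime import datetime, time

# --- Assumed policy inputs ---------------------------------------------------
DEVELOPER_HOSTS = {"DEV-WS-003"}                       # hosts allowed to run Python
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")
# Windows components that normally initiate restarts: patching (svchost/wininit),
# an admin running shutdown.exe, a user clicking Restart (explorer.exe).
EXPECTED_RESTART_INITIATORS = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\shutdown.exe",
    r"c:\windows\explorer.exe",
}
MAINTENANCE_WINDOW = (time(1, 0), time(4, 0))          # assumed local patch window

# --- Constructed telemetry (not real events) ---------------------------------
PROCESS_EVENTS = [
    {"host": "FIN-WS-014",
     "image": r"C:\Users\asha\AppData\Local\Temp\pyapp\python.exe",
     "parent": r"C:\Users\asha\Downloads\tax_violations.exe"},
    {"host": "DEV-WS-003",
     "image": r"C:\Python312\python.exe",
     "parent": r"C:\Program Files\Microsoft VS Code\Code.exe"},
    {"host": "FIN-WS-021",
     "image": r"C:\Python312\python.exe",
     "parent": r"C:\Windows\explorer.exe"},
]
RESTART_EVENTS = [
    {"host": "FIN-WS-014", "timestamp": datetime(2026, 2, 3, 14, 12),
     "process": r"C:\Users\asha\AppData\Local\Temp\pyapp\python.exe",
     "reason": "Operating System: Upgrade (Planned)"},
    {"host": "FIN-WS-014", "timestamp": datetime(2026, 2, 3, 16, 40),
     "process": r"C:\Users\asha\AppData\Local\Temp\pyapp\python.exe",
     "reason": "Operating System: Upgrade (Planned)"},
    {"host": "HR-WS-002", "timestamp": datetime(2026, 2, 4, 2, 15),
     "process": r"C:\Windows\System32\svchost.exe",
     "reason": "Operating System: Upgrade (Planned)"},
    {"host": "FIN-WS-021", "timestamp": datetime(2026, 2, 3, 17, 5),
     "process": r"C:\Windows\explorer.exe",
     "reason": "Other (Unplanned)"},
]


def _in_user_writable(path):
    return any(m in path.lower() for m in USER_WRITABLE_MARKERS)


def hunt_python_processes(events, developer_hosts=DEVELOPER_HOSTS):
    """Interpreter launches that break the 'no Python on non-dev hosts' rule or
    run from a user-writable location. Returns [(event, [reasons])]."""
    hits = []
    for ev in events:
        image = ev["image"].lower()
        if not image.endswith(("\\python.exe", "\\pythonw.exe")):
            continue
        reasons = []
        if ev["host"] not in developer_hosts:
            reasons.append("python on non-developer host")
        if _in_user_writable(image):
            reasons.append("interpreter runs from user-writable path")
        if _in_user_writable(ev.get("parent", "")):
            reasons.append("parent process lives in user-writable path")
        if reasons:
            hits.append((ev, reasons))
    return hits


def hunt_restarts(events, initiators=EXPECTED_RESTART_INITIATORS, window=MAINTENANCE_WINDOW):
    """Restarts initiated by an unexpected process, or update-style restarts
    outside the maintenance window. Returns [(event, [reasons])]."""
    start, end = window
    hits = []
    for ev in events:
        reasons = []
        proc = ev["process"].lower()
        if proc not in initiators:
            reasons.append("restart initiated by unexpected process")
        in_window = start <= ev["timestamp"].time() <= end
        reason = ev["reason"].lower()
        if ("update" in reason or "upgrade" in reason) and not in_window:
            reasons.append("update-style restart outside maintenance window")
        if reasons:
            hits.append((ev, reasons))
    return hits


def reboot_cycles(events, max_per_day=1):
    """Hosts restarting more than max_per_day times on one calendar day.
    Returns a sorted list of (host, 'YYYY-MM-DD', count)."""
    counts = Counter((ev["host"], ev["timestamp"].date().isoformat()) for ev in events)
    return sorted((host, day, n) for (host, day), n in counts.items() if n > max_per_day)


if __name__ == "__main__":
    for ev, why in hunt_python_processes(PROCESS_EVENTS):
        print("PYTHON ", ev["host"], ev["image"], "->", "; ".join(why))
    for ev, why in hunt_restarts(RESTART_EVENTS):
        print("RESTART", ev["host"], ev["timestamp"], ev["process"], "->", "; ".join(why))
    for host, day, n in reboot_cycles(RESTART_EVENTS):
        print("CYCLE  ", host, day, f"{n} restarts")
```

On the constructed data, the two flagged restarts and the reboot cycle all point at the same host whose interpreter and loader live under the user's profile, which is the correlation an analyst would pivot on. The allowlist deliberately includes explorer.exe so that a user clicking Restart at 17:05 is not a finding; tune the window and initiator list to your own patch management tooling before relying on the output.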
The CyberSignal Analysis
Signal 01 — Tax impersonation is the most reliable social engineering vector
Tax authority lures create urgency that overrides security skepticism — the email looks official, the archive looks relevant, and the victim downloads before thinking to verify. User awareness training focused on generic phishing indicators fails against well-constructed, jurisdiction-specific tax lures that reference real processes and deadlines.
Signal 02 — Adding Russia to the target list signals strategic expansion
China-aligned groups have historically concentrated on Western and Asian targets. Russian organizations being added as a primary victim set, at 17% of attacks, reflects either independent criminal expansion by Silver Fox or a change in tasking that tracks the shifting dynamics of the Sino-Russian relationship.
Signal 03 — Phantom Persistence changes the remediation equation
Phantom Persistence means the common triage step of "isolate and reboot" is not a remediation: the reboot is the event the malware is built to intercept and survive, so an endpoint that comes back "after an update" should be assumed to still be compromised. Organizations that discover Silver Fox malware should assume Phantom Persistence is active, collect forensic evidence before any restart, and rebuild affected hosts from known-good media rather than relying on in-place cleanup. Standard IR runbooks need updating so that a reboot is never counted as a containment or eradication step against reboot-resistant persistence techniques.