Silver Fox Unleashes New 'ABCDoor' Backdoor in Tax-Themed Phishing Waves Against Russia and India

Breaking: A new Rust-based backdoor named 'ABCDoor' has been deployed by the Silver Fox threat group in a series of sophisticated phishing campaigns targeting organizations in India and Russia since December 2025. Over 1,600 malicious emails were sent between early January and early February 2026, according to cybersecurity researchers tracking the group.

Read about the background of Silver Fox and these attacks.

Attack Chain: Tax Authority Impersonation

The campaigns used official-looking emails purporting to be from the Indian tax service or Russian tax authorities. Victims received PDFs or archives containing a modified Rust-based loader (RustSL) that downloads and executes the well-known ValleyRAT backdoor.

Silver Fox Unleashes New 'ABCDoor' Backdoor in Tax-Themed Phishing Waves Against Russia and India — Source: securelist.com

"The attackers leveraged the perceived authority of tax correspondence to bypass email security gateways," said a senior threat analyst from the firm that discovered the intrusions. "In one wave, the malicious code was embedded directly in email attachments, while in another, links within PDFs led to hosted archives."

December 2025 Campaign (India)

Emails arrived with subject lines referencing tax audits, attached archives named ITD.-.rar containing a single executable disguised as a PDF. A second variant used GST.pdf with links to a Chinese-hosted domain (abc.haijing88.com) serving a malicious archive labeled CBDT.rar.

January 2026 Campaign (Russia)

Russian victims received a PDF with two clickable links directing them to download фнс.zip from the same infrastructure. Inside was the RustSL loader. The PDF's links were designed to evade detection—since the attachment itself appeared benign, it often reached inboxes.

Discovery of ABCDoor Backdoor

While investigating the January campaign, researchers noticed a new ValleyRAT plugin functioning as a loader for a previously unseen Python-based backdoor, which they named ABCDoor. Retrospective analysis shows ABCDoor has been part of Silver Fox's arsenal since at least late 2024 and active in real-world attacks from Q1 2025 to present.

"ABCDoor represents a shift in the group's toolkit—moving from commodity malware to a custom, Python-based backdoor that offers greater stealth," the analyst noted.

Background

Silver Fox is a cyber espionage group known for targeting government, industrial, consulting, retail, and transportation sectors. The RustSL loader they used is a modified version of a publicly available GitHub project. The phishing campaigns impacted organizations across multiple sectors, with over 1,600 emails recorded in a six-week period.

What This Means

The use of a custom backdoor like ABCDoor alongside the established ValleyRAT shows Silver Fox is investing in proprietary capabilities to evade detection. Organizations in Russia and India—especially those in tax, finance, and supply chain roles—should heighten scrutiny of email attachments and implement thorough email gateway inspection. The attackers' preference for PDF-hosted links is a known bypass technique that continues to work.

Immediate steps: Enable link scanning for PDFs embedded in emails; restrict execution of downloaded archives; and monitor for unusual Rust-based binaries or Python scripts executing in memory.

For more details, see our attack chain analysis or ABCDoor discovery section.

Tags: