Silver Fox expands ABCDoor campaign to India and Russia via tax-themed phishing
Original source: The Hacker News
Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia
China-linked threat group Silver Fox is running tax-themed phishing waves against organizations in India and Russia, delivering a previously undocumented Python backdoor called ABCDoor through the ValleyRAT (Winos 4.0) framework. Kaspersky tracked more than 1,600 malicious emails between early January and early February 2026, hitting industrial, consulting, retail, and transportation targets with archives disguised as Income Tax Department notices or lists of tax violations.
The infection chain leans on a customized build of RustSL, an open-source shellcode loader and AV-bypass framework. Silver Fox’s variant adds geofencing for India, Indonesia, South Africa, Russia, and Cambodia, plus VM and sandbox checks, before unpacking encrypted ValleyRAT. Some samples use a technique called Phantom Persistence, which hijacks the Windows shutdown-for-update flow to force the loader to run on the next boot. Once deployed, ABCDoor handles C2 over HTTPS and supports screenshots, remote input control, file operations, process management, and clipboard exfiltration.
The campaign signals Silver Fox’s shift to a dual-track model blending opportunistic cybercrime with espionage. Originally focused on China, the group has progressively expanded to Taiwan, Japan, and now South and Southeast Asia, tailoring spear-phishing lures to each region’s tax cycles and bureaucratic conventions. The use of off-the-shelf offensive tooling stitched together with bespoke modules and country-specific gating reflects a maturing operation that scales by adapting commodity components rather than building from scratch.
This is an AI-generated summary; read the original article at The Hacker News for the full story.