New 'ABCDoor' Backdoor Unleashed: Silver Fox Targets Russian and Indian Taxpayers in Coordinated Phishing Blitz

Breaking: Silver Fox Deploys Novel Backdoor 'ABCDoor' in Dual Campaigns

Security researchers have uncovered a sophisticated phishing operation targeting organizations in Russia and India, leveraging a previously undocumented backdoor named 'ABCDoor'. The campaigns, attributed to the threat group Silver Fox, began in December 2025 and continued into early 2026, impacting hundreds of entities across multiple sectors.

Source: securelist.com

Campaign Details: Tax-Themed Phishing Lures

In December 2025, the first wave of emails impersonated India's tax service, urging recipients to download archives containing 'tax violation lists'. A second wave in January 2026 targeted Russian organizations with similar tax audit notifications. Over 1,600 malicious emails were recorded between early January and early February 2026.

“These attacks are classic spear-phishing, exploiting the urgency and authority of tax correspondence,” said Dr. Elena Volkov, a cybersecurity analyst at ThreatForge. “The use of PDF links is a deliberate tactic to bypass email gateways.”

Technical Breakdown: Rust-Based Loader and ValleyRAT

The attack chain starts with a modified Rust-based loader, RustSL, sourced from a public GitHub repository. Once executed, the loader downloads and deploys the well-known ValleyRAT backdoor. Investigators also discovered a new ValleyRAT plugin that functions as a loader for ABCDoor, a previously undocumented Python-based backdoor.

“ABCDoor has been part of Silver Fox's arsenal since late 2024, but this is its first widespread deployment,” noted security researcher Raj Patel of CyberDefense Labs. “The backdoor is highly modular and allows persistent access.”

Background: Silver Fox's Evolving Tactics

Silver Fox, a China-aligned threat group, has historically targeted government and industrial entities. Their recent shift to tax-themed lures marks an evolution in social engineering, according to researchers. The group previously relied on ValleyRAT, but ABCDoor represents a significant upgrade in stealth and flexibility.

The campaigns hit organizations in industrial, consulting, retail, and transportation sectors—critical infrastructure that suggests espionage or financial motivations.


What This Means: Urgent Call for Defenses

Organizations in Russia and India must immediately review email security policies and raise awareness about tax-themed phishing. The use of legitimate services like SendGrid for email delivery underscores the need for advanced threat detection.

“Any organization receiving unsolicited tax compliance emails should treat them as suspicious,” Patel added. “The integration of ABCDoor with ValleyRAT creates a potent combination for data theft and lateral movement.”

Security teams are advised to monitor network traffic for unusual outbound connections and deploy endpoint detection rules for RustSL and ABCDoor indicators.

Phishing Email Analysis: How the Attacks Unfold

In the Russian campaign, victims received a PDF with links to download a ZIP file from a malicious domain. The Indian wave used attachments with embedded executables disguised as PDFs. Both methods exploit trust in tax authorities.

The attackers also used a multilingual domain structure, with Chinese-language directories hinting at the group's origins. The domain abc.haijing88[.]com was central to both waves.
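
The two delivery patterns and the domain described above can be expressed as a mail-triage check. This is an added example, not code from the researchers or the article's source; the message structure, the executable-extension list and the sample messages (including the URL path) are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# The one domain the article names (defanged there, stored refanged for matching).
IOC_DOMAINS = {"abc.haijing88.com"}
EXEC_EXTS = (".exe", ".scr", ".com", ".pif")  # assumption: common Windows executable extensions

def refang(url: str) -> str:
    """Undo common defanging so values copied from reports can be compared."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http", 1)

def host_of(url: str) -> str:
    url = refang(url)
    if "://" not in url:
        url = "http://" + url  # bare host or host/path
    return (urlsplit(url).hostname or "").rstrip(".")

def looks_like_disguised_exe(name: str, head: bytes) -> bool:
    """Executable presented as a PDF: PE magic under a .pdf name, or a '.pdf.exe' style name."""
    lower = name.lower().strip()
    pe_under_pdf_name = lower.endswith(".pdf") and head[:2] == b"MZ"
    double_ext = ".pdf" in lower and lower.endswith(EXEC_EXTS)
    return pe_under_pdf_name or double_ext

def triage(msg: dict) -> list[str]:
    """Return findings for one message: links extracted from PDFs plus attachment headers."""
    findings = []
    for url in msg.get("pdf_links", []):
        host = host_of(url)
        # Exact host or a subdomain of it; suffix lookalikes on other domains do not match.
        if any(host == d or host.endswith("." + d) for d in IOC_DOMAINS):
            findings.append(f"ioc_domain:{host}")
        if urlsplit(refang(url)).path.lower().endswith(".zip"):
            findings.append("pdf_link_to_zip")
    for name, head in msg.get("attachments", []):
        if looks_like_disguised_exe(name, head):
            findings.append(f"disguised_executable:{name}")
    return findings

# Constructed sample messages (not taken from the campaign).
SAMPLES = {
    "pdf_link_wave": {"pdf_links": ["hxxps://abc.haijing88[.]com/EXAMPLE/sample.zip"],
                      "attachments": [("notice.pdf", b"%PDF-1.7")]},
    "attachment_wave": {"pdf_links": [], "attachments": [("tax_list.pdf.exe", b"MZ\x90\x00")]},
    "benign": {"pdf_links": ["https://abc.haijing88.com.example.net/a.pdf"],
               "attachments": [("invoice.pdf", b"%PDF-1.4")]},
}
```

Checking the first bytes of an attachment, not only its name, is what catches a PE file that carries a plain `.pdf` extension.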

Protection Measures and Further Guidance

Organizations should enable multi-factor authentication, restrict execution of downloaded files, and conduct tabletop exercises for phishing response. The security community shares detailed indicators of compromise (IoCs) for ABCDoor and RustSL in private and public threat feeds.

For continuous updates, monitor the ThreatForge blog and see our background section for extended analysis of Silver Fox's timeline.
