New Python-Based Backdoor 'ABCDoor' Deployed in Tax-Themed Phishing Campaigns Against Russia and India

Last updated: 2026-05-04 19:57:35

Breaking: Silver Fox Threat Group Unleashes Novel Malware on Tax Authorities

December 2025 and January 2026 — Cybersecurity researchers have uncovered a sophisticated phishing campaign by the threat group Silver Fox, targeting organizations in Russia and India with a previously undocumented Python-based backdoor named ABCDoor.

Source: securelist.com

The attacks, first detected in December 2025, used emails disguised as official tax service communications. A second wave hit Russian entities in January 2026, employing a nearly identical modus operandi. Over 1,600 malicious emails were recorded between early January and early February 2026.

“This marks a significant escalation in Silver Fox’s capabilities, introducing a modular backdoor that operates as a plugin for the well-known ValleyRAT malware,” said a senior analyst at the cybersecurity firm that tracked the campaign.

Attack Chain: From Phishing Email to Python Payload

Phishing Emails Mimicking Tax Authorities

The campaign relied on social engineering, with emails styled as official notices regarding tax audits or “lists of tax violations.” Victims were urged to download an archive containing a malicious file.

In the Indian campaign, emails purported to be from the Indian tax service and contained attachments named ITD.-.rar or links to CBDT.rar. Russian victims received PDFs with embedded download links to abc.haijing88[.]com/uploads/фнс/фнс.zip.

“The use of PDFs with links rather than direct malicious attachments is a deliberate tactic to bypass email security gateways,” noted a threat intelligence expert. “The link requires human interaction, increasing the chance of reaching the inbox.”

RustSL Loader and ValleyRAT

Inside the archives, the attackers deployed a modified version of the open-source RustSL loader (based on Rust code from GitHub). This loader executed the well-known ValleyRAT backdoor, granting initial footholds in targeted networks.

The malicious emails impacted diverse sectors including industrial, consulting, retail, and transportation organizations in both countries.

Discovery of the New Backdoor: ABCDoor

During investigation, researchers identified a previously unseen ValleyRAT plugin functioning as a loader for a Python-based backdoor. Dubbed ABCDoor, this new malware leverages Python scripts to establish persistent remote access and exfiltrate data.

Retrospective analysis reveals ABCDoor has been part of Silver Fox’s arsenal since late 2024 and actively used in attacks from Q1 2025 onward. “This is not a one-off tool; it is a mature component of their operations,” the analyst added.


Background: Silver Fox Group

Silver Fox is known for targeting government and private sector entities across Asia and Eastern Europe. Previous campaigns have focused on espionage and data theft, often using custom malware blended with off-the-shelf tools like ValleyRAT.

The group’s use of tax-themed lures reflects a pattern seen in other threat actors—exploiting the authority of tax agencies to bypass user suspicion.

What This Means for Organizations

The deployment of a Python-based backdoor as a ValleyRAT plugin signals an evolution in modular malware design. Python’s cross-platform capabilities make ABCDoor potentially adaptable to Linux and macOS environments.

“Organizations should update their phishing awareness training to highlight tax-themed lures, especially those containing PDFs with links,” advised a cybersecurity consultant. “Email gateways must also be configured to inspect link destinations in attachments.”

The campaign’s success underscores the need for defense in depth: robust endpoint detection, network segmentation, and rapid incident response. Indicators of compromise (IoCs) such as the malicious domain abc.haijing88[.]com should be blocked.

IOC and Technical Details

  • Malicious domain: abc.haijing88[.]com
  • Archive names: фнс.zip, ITD.-.rar, CBDT.rar
  • Loader: Modified RustSL from public GitHub repository
  • Backdoor: ValleyRAT with ABCDoor Python plugin
  • Email platform used: SendGrid (for Indian campaign)
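The advice above (inspect link destinations inside PDF attachments, block the published IoCs) can be turned into a small gateway-side triage check. The following is an added example written for this article, not code from the researchers or from any product: it refangs the indicators exactly as they are printed above (`abc.haijing88[.]com`, the three archive names), then checks a message's attachment names and any URLs extracted from attachment text (for instance link annotations pulled out of a PDF) against them. The message structure, the function names and the two sample messages are constructed for the example; the sample messages mirror the lures the article describes.

```python
"""Match extracted link destinations and attachment names against the campaign's published IoCs.

Added example, not from the original article. The `message` dict shape
({"subject": str, "attachments": {name: extracted_text}}) is an assumption
standing in for whatever a mail gateway hands its content scanner.
"""
import re
from urllib.parse import urlsplit

# Indicators as printed in the article (domain defanged with "[.]").
DEFANGED_DOMAINS = ["abc.haijing88[.]com"]
ARCHIVE_NAMES = ["фнс.zip", "ITD.-.rar", "CBDT.rar"]


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]', 'hxxp') back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


BLOCKED_HOSTS = {refang(d) for d in DEFANGED_DOMAINS}
BLOCKED_ARCHIVES = {n.lower() for n in ARCHIVE_NAMES}

# Loose URL matcher for text extracted from attachments; non-ASCII path
# segments (the campaign used a Cyrillic path) are deliberately allowed.
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def host_is_blocked(url: str) -> bool:
    """True if the URL's host is a blocked domain or a subdomain of one."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in BLOCKED_HOSTS)


def scan_links(text: str) -> list[str]:
    """Return every URL found in extracted text whose host is blocked."""
    return [u for u in URL_RE.findall(text) if host_is_blocked(u)]


def scan_attachments(names) -> list[str]:
    """Return attachment names that exactly match a known malicious archive name."""
    return [n for n in names if n.lower() in BLOCKED_ARCHIVES]


def triage_message(message: dict) -> list[tuple[str, str]]:
    """Return (kind, detail) findings for one message; empty list means no IoC hit."""
    attachments = message.get("attachments", {})
    findings = [("attachment", name) for name in scan_attachments(attachments)]
    for name, text in attachments.items():
        for url in scan_links(text):
            findings.append(("link", f"{name} -> {url}"))
    return findings


# Constructed samples, not captured mail: one per wave described in the article.
SAMPLE_RU = {
    "subject": "Список налоговых нарушений",  # "list of tax violations" lure
    "attachments": {
        "уведомление.pdf": "Скачать список: http://abc.haijing88.com/uploads/фнс/фнс.zip",
    },
}
SAMPLE_IN = {
    "subject": "Income Tax Department - audit notice",
    "attachments": {"ITD.-.rar": ""},
}

if __name__ == "__main__":
    for sample in (SAMPLE_RU, SAMPLE_IN):
        print(sample["subject"], "->", triage_message(sample))
```

The subdomain check in `host_is_blocked` is the part worth keeping even after this campaign's domain is retired: a block on `abc.haijing88[.]com` should also catch `cdn.abc.haijing88[.]com`, but must not match an unrelated host that merely contains the string, which is why the comparison is on the parsed hostname rather than a substring search over the raw text.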

As investigations continue, researchers urge sharing of IoCs with relevant CERTs. Silver Fox remains active, and new variations of the campaign may emerge.