Silver Fox phishes tax lures to deliver ABCDoor in India, Russia

China-linked group Silver Fox used tax-themed phishing in December 2025 to deliver ABCDoor, a Python backdoor, via a modified Rust loader and ValleyRAT in India and Russia.

Security researchers found that a China-linked cybercrime group known as Silver Fox ran tax-themed phishing campaigns in December 2025 that targeted organizations in India and Russia. The emails impersonated India’s tax authority and led victims to download archives that began the infection chain.

The attack started with a PDF attached to phishing emails. The PDF contained two links to download ZIP or RAR archives hosted on abc.haijing88[.]com. Each archive included an executable that mimicked a PDF and a modified Rust-based loader. The loader unpacked an encrypted payload and triggered the download of an encrypted ValleyRAT component.
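As an added illustration, not code from the article or from the researchers who analysed the campaign, the following Python check shows what a defender can run against a downloaded ZIP before opening it: it flags entries whose name imitates a PDF but whose content is a Windows executable, the pattern described above. The archive contents are constructed in memory for the example; RAR archives are out of scope here.

```python
import io
import zipfile

# Constructed sample archive: one real PDF header plus an MZ executable named
# to pass as a PDF, mirroring the lure archives described in the article.
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notice.pdf", b"%PDF-1.4\n%constructed placeholder\n")
        zf.writestr("Tax_Audit_Notice.pdf.exe", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("loader.dll", b"MZ" + b"\x00" * 30)
    return buf.getvalue()

EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".dll"}
RTLO = "\u202e"  # right-to-left override, used to hide a real extension

def classify_entry(name: str, head: bytes) -> list[str]:
    """Return a list of findings for one archive entry (empty if nothing odd)."""
    findings = []
    lower = name.lower()
    if RTLO in name:
        findings.append("rtlo-in-name")
    parts = lower.rsplit("/", 1)[-1].split(".")
    # e.g. notice.pdf.exe: a PDF-looking inner extension with an executable suffix
    if len(parts) > 2 and "pdf" in parts[1:-1] and "." + parts[-1] in EXEC_EXT:
        findings.append("double-extension-pdf")
    if head.startswith(b"MZ"):  # DOS/PE header: the content is an executable
        if lower.endswith(".pdf"):
            findings.append("mz-with-pdf-extension")
        else:
            findings.append("pe-executable")
    return findings

def scan_archive(data: bytes) -> dict[str, list[str]]:
    """Inspect every file in a ZIP (bytes) and map suspicious names to findings."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed
            findings = classify_entry(info.filename, head)
            if findings:
                report[info.filename] = findings
    return report

if __name__ == "__main__":
    for name, flags in scan_archive(build_sample_zip()).items():
        print(f"{name}: {', '.join(flags)}")
```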

Analysis shows the Rust-based loader was adapted from an open-source project and altered to include country checks and environment detection. The custom loader checked the host country, looked for virtual machine and sandbox environments, and then unpacked and executed the payload only when checks passed. The modified country list included India, Indonesia, South Africa, Russia and Cambodia; later public versions added Japan.

ValleyRAT’s core component, tracked as login-module.dll_bin, handled command-and-control communications, executed commands and fetched additional modules. One module deployed in these campaigns is ABCDoor, a Python backdoor that researchers found in the actor’s toolkit as early as December 19, 2024 and first used in attacks in February or March 2025.

ABCDoor communicates with external servers over HTTPS. Its capabilities include updating or removing itself, maintaining persistence, capturing screenshots, controlling the mouse and keyboard, performing file-system operations, managing processes and exfiltrating clipboard contents.

Some loader variants used a persistence method researchers call Phantom Persistence. The technique intercepts the system shutdown signal, halts the normal shutdown sequence, and then forces a reboot while presenting the action as an update, allowing the loader to execute on startup. Phantom Persistence was first documented in June 2025.

Between early January and early February, more than 1,600 phishing emails tied to these campaigns were flagged. Affected organizations span the industrial, consulting, retail and transportation sectors. The highest number of detections occurred in India, followed by Russia and Indonesia, with additional activity observed in South Africa and Japan.

Researchers noted other delivery approaches were used as well. A JavaScript loader was observed in November 2025, packaged inside self-extracting archives that were compressed into ZIP files and likely sent via phishing messages.

A security firm tracking the group described an operational shift since 2024 toward two parallel tracks: broad opportunistic activity for profit and targeted espionage operations. The group initially focused on targets in China and later expanded operations to Taiwan, Japan and other countries while refining phishing lures for seasonal and local issues.

Researchers recommend treating unsolicited tax-audit notices with caution, verifying sender legitimacy, and scanning attachments and downloaded archives in isolated environments before opening.