10 Critical Insights into the Silver Fox Threat Group's ABCDoor Backdoor Campaigns
In late 2025 and early 2026, cybersecurity researchers uncovered a sophisticated phishing campaign targeting organizations in Russia and India. The attacks, attributed to the Silver Fox threat group, employed a novel backdoor dubbed ABCDoor alongside the well-known ValleyRAT. This article distills the key findings from the investigation into ten essential points, revealing how the attackers operated, their tools, and what it means for defenders.
1. Detection of Twin Campaigns in Late 2025 and Early 2026
In December 2025, security analysts observed a wave of malicious emails impersonating the Indian tax service. Just weeks later, in January 2026, a near-identical campaign began targeting Russian organizations. Both operations leveraged the authority of tax agencies to trick recipients into opening infected attachments or clicking malicious links. This coordinated, cross-border activity signals a well-resourced and strategically focused threat actor.

2. Attribution to the Silver Fox Threat Group
All evidence points to the Silver Fox group as the orchestrator of these campaigns. Known for their targeted cyberespionage operations, Silver Fox has a history of deploying advanced backdoors and evading detection. The consistency of infrastructure and techniques across the Indian and Russian campaigns solidifies this attribution, highlighting the group's adaptability and persistence.
3. Phishing Emails Disguised as Tax Authority Correspondence
Each email was carefully crafted to mimic official tax notices. For Indian targets, subjects referenced audits or tax violations, while Russian victims received similar messages in their native language. Attachments included PDFs claiming to contain a “list of tax violations” or archives labeled “ITD.-.rar” or “фнс.zip.” This social engineering leveraged the natural anxiety around tax compliance to maximize clicks.
4. Use of a Modified Rust-Based Loader from Public Repositories
The attackers employed a tweaked version of the Rust-based loader known as RustSL, whose source code is openly available on GitHub. This loader acted as the initial stage of the infection chain. Once executed on the victim's machine, it established communication with a command-and-control server and downloaded the next payload. Using a publicly available tool makes detection harder and attribution more complex.
5. Deployment of the ValleyRAT Backdoor
After the RustSL loader gained a foothold, it pulled down and executed ValleyRAT—a remote access trojan that gives attackers full control over the infected system. ValleyRAT enables keystroke logging, screen capture, file exfiltration, and further malware deployment. Over 1,600 malicious emails were recorded between early January and early February 2026, impacting industries from industrial manufacturing to retail and transportation.
6. Discovery of a New Python-Based Backdoor: ABCDoor
During the investigation, researchers uncovered a previously undocumented plugin delivered to victim devices. This plugin functioned as a loader for a Python-based backdoor, which the team named ABCDoor. This represents an evolution in Silver Fox's toolkit, as ABCDoor offered additional stealth and persistence capabilities beyond ValleyRAT alone.
7. Retrospective Analysis Reveals ABCDoor's Longevity
Further investigation showed that ABCDoor has been part of Silver Fox's arsenal since at least late 2024. Real-world attacks using this backdoor have been ongoing from the first quarter of 2025 to the present day. This indicates that the backdoor is not a one-off experimental tool but a mature component of the group's operations, likely tested and refined over time.

8. January 2026 Campaign: PDF Links to Malicious Archives
In the Russian campaign, victims received a PDF file containing two clickable links. Both led to a malicious website (abc.haijing88[.]com/uploads/фнс/фнс.zip). The archive contained the RustSL loader. By using links inside a PDF rather than directly attaching malware, the attackers bypassed many email security filters that would otherwise block executable attachments.
9. December 2025 Campaign: Embedded Malicious Code in Email Attachments
For Indian targets, the malicious code was embedded directly within files attached to the email. One email carried an archive named ITD.-.rar containing a single executable file, Click File.exe, disguised with an Adobe PDF icon. Another variant used a PDF called GST.pdf with links to a malicious archive hosted at abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar. These direct-attachment approaches relied on the victim's curiosity and trust in tax communications.
10. Evasion Tactics Designed to Bypass Email Security Gateways
Both campaigns exploited the perceived urgency of tax matters. However, the use of PDFs containing links instead of direct malware attachments was a deliberate evasion technique. Security gateways scan attachments for malicious code; a PDF that carries only a link contains no executable content, so it often passes through unfiltered unless the gateway also extracts and evaluates embedded URLs. Once the victim clicks the link, they download the archive, initiating the full infection chain. This method significantly increases the success rate of phishing attempts.
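As an added defender-side example (not code from the report or the researchers), the following Python pulls the link actions out of a PDF attachment and flags any that fetch an archive or point at the host named in the article (refanged from abc.haijing88[.]com for comparison). The sample PDFs are constructed; the example goes slightly beyond the text by also inflating FlateDecode streams, since a real lure's objects are usually compressed and a plain byte search would miss them.

```python
import re
import zlib
from urllib.parse import urlparse

# Host from the report, refanged (written abc.haijing88[.]com there) so links can be compared.
REPORTED_HOSTS = {"abc.haijing88.com"}
# Link targets the report describes (.zip/.rar archives) plus bare executables.
SUSPECT_EXTENSIONS = (".zip", ".rar", ".7z", ".exe")
# /URI (literal string) of a link action; tolerates escaped parentheses.
URI_RE = re.compile(rb"/URI\s*\(((?:[^()\\]|\\.)*)\)")
# stream ... endstream bodies, so FlateDecode-compressed objects are inspected as well.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)

def searchable_regions(pdf_bytes):
    """Yield the raw file plus every stream body that inflates with zlib."""
    yield pdf_bytes
    for m in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj tolerates trailing bytes, unlike one-shot decompress
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue  # not Flate-compressed, or damaged; ignore

def extract_pdf_uris(pdf_bytes):
    """Return every /URI target found in plain or Flate-compressed objects."""
    uris = []
    for region in searchable_regions(pdf_bytes):
        for m in URI_RE.finditer(region):
            raw = m.group(1).replace(rb"\(", b"(").replace(rb"\)", b")").replace(rb"\\", b"\\")
            uris.append(raw.decode("utf-8", errors="replace"))
    return uris

def assess_pdf(pdf_bytes):
    """Return (uri, reasons) for each link that should be detonated or blocked."""
    findings = []
    for uri in extract_pdf_uris(pdf_bytes):
        parsed, reasons = urlparse(uri), []
        if (parsed.hostname or "").lower() in REPORTED_HOSTS:
            reasons.append("host matches infrastructure named in the report")
        if parsed.path.lower().endswith(SUSPECT_EXTENSIONS):
            reasons.append("link fetches an archive or executable")
        if reasons:
            findings.append((uri, reasons))
    return findings

# Constructed sample: one link to the lure archive (percent-encoded "фнс/фнс.zip"), one benign.
PLAIN_SAMPLE = (b"%PDF-1.4\n4 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI "
                b"(http://abc.haijing88.com/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip) >> >> endobj\n"
                b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://example.org/notice) >> >> endobj\n%%EOF\n")
# Constructed sample: the same kind of link (percent-encoded "印度邮箱/CBDT.rar") inside a FlateDecode stream.
FLATE_SAMPLE = (b"%PDF-1.5\n6 0 obj << /Filter /FlateDecode >>\nstream\n" + zlib.compress(
    b"<< /S /URI /URI (http://abc.haijing88.com/uploads/%E5%8D%B0%E5%BA%A6%E9%82%AE%E7%AE%B1/CBDT.rar) >>") + b"\nendstream\nendobj\n%%EOF\n")
```

A gateway hook would call `assess_pdf()` on each PDF attachment and quarantine the message when it returns any finding; this does not cover PDFs whose URIs are stored as hex strings or behind encryption, so treat an empty result as "nothing found", not "clean".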
Conclusion
The Silver Fox group's campaigns against Russia and India demonstrate a calculated blend of social engineering, public-source tooling, and custom malware. The integration of ABCDoor alongside ValleyRAT marks a concerning evolution in their capabilities. For organizations in affected sectors, awareness of these tactics—especially the use of PDF-linked archives and tax-themed lures—is crucial. Defenders should deploy advanced email filtering, user training, and endpoint detection to mitigate threats from this persistent adversary.