
How the Silver Fox Group Deploys the ABCDoor Backdoor via Phishing Campaigns

2026-05-03 01:35:49

Introduction

In late 2025 and early 2026, the Silver Fox threat group ran a tax-themed phishing campaign against organizations in Russia and India. By impersonating tax authorities and repurposing a publicly available Rust-based loader (RustSL), they deployed the well-known ValleyRAT backdoor together with a previously undocumented Python-based backdoor named ABCDoor. This guide breaks down each step of the attack chain, from the initial email to final payload execution.

Source: securelist.com

What You Need

Step-by-Step Attack Process

Step 1: Craft a Tax-Themed Phishing Email

Silver Fox designed emails that appear to be official notices from tax authorities. For the India campaign (December 2025), the email claimed to be from the Indian Income Tax Department and included an archive attachment. For the Russia campaign (January 2026), the email purported to be from the Russian Federal Tax Service and contained a PDF with download links. Both messages exploit the urgency and authority associated with tax matters to trick recipients into opening the attachment or clicking the links.

Step 2: Attach or Embed Malicious Content

Two delivery methods were used. In the India campaign the malicious archive was attached directly to the email. In the Russia campaign the email carried a PDF whose embedded links pointed to the archive hosted on an attacker-controlled server, so the victim had to click through before anything executable reached the machine.

Step 3: Host the Malicious Archive on a Remote Server

The attackers used the domain haijing88[.]com to host the archives. For the India campaign, they also used a subdirectory named 印度邮箱 (Chinese for “Indian mailbox”) to store a similar archive (CBDT.rar). The archive contains the RustSL loader and any additional payloads.

Step 4: Deliver the RustSL Loader

When the victim opens the archive and runs the malicious file (e.g., Click File.exe, or the extracted фнс.exe, where фнс is the Cyrillic abbreviation of the Russian Federal Tax Service), the RustSL loader executes. This loader is a modified version of a publicly available Rust-based loader from GitHub; the attackers' modification points it at their own command-and-control (C2) server, from which it downloads the next stage.


Step 5: Download and Execute ValleyRAT

The RustSL loader contacts its C2 server and downloads the ValleyRAT backdoor. ValleyRAT is a known malware that provides remote access, keylogging, and screen capture capabilities. Once executed, it establishes persistence and opens a backdoor to the attacker.

Step 6: Deploy the ABCDoor Plugin

During this campaign, the attackers delivered a new ValleyRAT plugin that acts as a loader for a previously undocumented Python-based backdoor named ABCDoor. This plugin downloads and runs ABCDoor from the same or a secondary C2 server. ABCDoor is a lightweight backdoor written in Python, allowing the attackers to maintain long-term access and execute arbitrary commands.

Step 7: Maintain Persistence and Exfiltrate Data

Once ABCDoor is active, it can be used for data theft, lateral movement, or deploying additional payloads. The attackers have used ABCDoor since at least late 2024, refining it for real-world attacks through early 2026.
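The seven steps above form one delivery chain, and the parts a mail gateway can see are the lure (a tax authority as sender or subject), an archive attachment with an executable inside, or a PDF whose links point at an archive on the attacker's host. The following triage script is an added example and is not code from Securelist or from the Silver Fox tooling. The domain haijing88[.]com and the file names CBDT.* and Click File.exe are taken from the write-up; the Message structure, the sample messages and the /URI-scanning approach are this example's own assumptions. Because RAR parsing needs a third-party module, the archive check here inspects ZIP so that it runs with the standard library alone.

```python
import io
import re
import zipfile
from dataclasses import dataclass, field

# Indicator taken from the report, defanged as published.
KNOWN_BAD_DOMAINS = {"haijing88[.]com"}
# Lure themes used by the campaign: Indian Income Tax Department / CBDT and
# the Russian Federal Tax Service (ФНС).
TAX_LURE_KEYWORDS = ("income tax", "cbdt", "federal tax service", "фнс")
ARCHIVE_EXT = (".rar", ".zip", ".7z")
EXEC_EXT = (".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs", ".lnk")


def refang(domain: str) -> str:
    """Turn a defanged indicator (haijing88[.]com) back into a real hostname."""
    return domain.replace("[.]", ".").lower()


BAD_HOSTS = {refang(d) for d in KNOWN_BAD_DOMAINS}
# Matches uncompressed /URI link annotations in a PDF. Links stored inside
# compressed object streams need a real PDF parser; that is a known limitation.
PDF_URI_RE = re.compile(rb"/URI\s*\((https?://[^)\s]+)\)", re.I)
URL_RE = re.compile(r"^https?://([^/\s]+)(/\S*)?$", re.I)


@dataclass
class Message:
    """Assumed shape of what the mail gateway hands us (example's own)."""
    sender: str
    subject: str
    attachments: dict = field(default_factory=dict)  # filename -> raw bytes


def is_tax_lure(msg: Message) -> bool:
    text = f"{msg.sender} {msg.subject}".lower()
    return any(k in text for k in TAX_LURE_KEYWORDS)


def archive_executables(name: str, data: bytes) -> list:
    """Executable-looking member names inside a ZIP attachment (RAR would
    need the third-party 'rarfile' module; not used here)."""
    if not name.lower().endswith(".zip"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [m for m in zf.namelist() if m.lower().endswith(EXEC_EXT)]
    except zipfile.BadZipFile:
        return []


def suspicious_links(pdf_bytes: bytes) -> list:
    """URLs in a PDF that point at a known-bad host or at an archive download."""
    hits = []
    for raw in PDF_URI_RE.findall(pdf_bytes):
        url = raw.decode("utf-8", "replace")
        m = URL_RE.match(url)
        if not m:
            continue
        host, path = m.group(1).lower(), (m.group(2) or "")
        if host in BAD_HOSTS:
            hits.append(f"link to known-bad host: {url}")
        elif path.lower().endswith(ARCHIVE_EXT):
            hits.append(f"link to archive download: {url}")
    return hits


def triage(msg: Message) -> list:
    """Reasons a message matches the tax-lure plus archive/loader pattern."""
    reasons = []
    if not is_tax_lure(msg):
        return reasons  # this rule set only fires on the lure theme
    for name, data in msg.attachments.items():
        lower = name.lower()
        if lower.endswith(ARCHIVE_EXT):
            reasons.append(f"archive attachment: {name}")
            reasons += [f"executable inside archive: {m}" for m in archive_executables(name, data)]
        elif lower.endswith(".pdf"):
            reasons += suspicious_links(data)
    return reasons


# --- constructed samples, not captured mail ---
def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Click File.exe", b"MZ")  # file name from the report; content constructed
    return buf.getvalue()


INDIA_LURE = Message("Income Tax Department <notice@example.invalid>",
                     "Notice under the Income Tax Act", {"CBDT.zip": build_sample_zip()})
RUSSIA_LURE = Message("Federal Tax Service <noreply@example.invalid>",
                      "Demand from ФНС", {"notice.pdf": b"%PDF-1.4\n<< /Type /Action /S /URI"
                      b" /URI (http://haijing88.com/files/archive.rar) >>\n"})  # path constructed
BENIGN = Message("HR <hr@example.invalid>", "Team lunch",
                 {"menu.pdf": b"%PDF-1.4\n<< /URI (https://example.invalid/menu.pdf) >>\n"})

if __name__ == "__main__":
    for label, msg in (("india", INDIA_LURE), ("russia", RUSSIA_LURE), ("benign", BENIGN)):
        print(label, triage(msg))
```

The rule deliberately requires the lure theme before it looks at attachments, so a benign PDF or archive from an unrelated sender produces nothing; in production you would feed it the attachment bytes and URLs your gateway already extracts, and add the RAR path with a dedicated module.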

Tips for Defenders

By understanding these steps, organizations can better prepare for similar campaigns that impersonate tax authorities: treat executables inside archive attachments and PDF links that lead to archive downloads as suspicious, block or monitor the hosting domain named above (haijing88[.]com), and hunt for the RustSL loader and ValleyRAT activity that precede an ABCDoor deployment.
