Published on May 4, 2026

Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing


Severity
Medium

Detail

The China-linked threat group Silver Fox has been observed targeting organizations in India and Russia using a new malware strain called ABCDoor. The campaign primarily relies on tax-themed phishing emails impersonating official communications, particularly from India’s Income Tax Department.

The attacks, which began in late 2025, impacted sectors such as industrial, consulting, retail, and transportation, with over 1,600 phishing emails detected within a short timeframe. The campaign uses a multi-stage infection chain involving loaders and backdoors, ultimately deploying ABCDoor as a key payload for long-term access and data theft.

How?

The attack begins with phishing emails disguised as tax audit notices or violation reports. These emails contain either attachments or links that direct victims to download compressed archives (ZIP/RAR files).

Inside the archive is an executable disguised as a PDF document. The executable is a modified build of an open-source Rust loader derived from RustSL. Once run, the loader performs environment checks, including geofencing and sandbox detection, and continues only when it believes it is on an intended victim's machine rather than in an analysis environment.
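The first stage above rests on a simple trick: an executable inside a ZIP or RAR that is named to look like a PDF. The following scanner is an added example written for this advisory, not code from the campaign, the loader, or the original article. It builds a small constructed ZIP in memory (the file names and bytes are made up for the demonstration and are not indicators from the campaign) and flags entries whose declared extension disagrees with their real content, double extensions such as .pdf.exe, right-to-left-override characters, and bare executables. It handles ZIP only; RAR archives would need a library such as rarfile, which is not part of the standard library.

```python
import io
import zipfile

# Extensions that Windows will execute, and the document types a lure pretends to be.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".hta", ".msi", ".lnk"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}

# Magic numbers used to compare the declared extension with the real content.
MAGIC = {
    b"MZ": "pe",           # Windows PE executable (DOS header)
    b"%PDF": "pdf",
    b"\x7fELF": "elf",
    b"PK\x03\x04": "zip",  # OOXML documents and nested archives
}


def sniff(head: bytes) -> str:
    """Return a content type guessed from the first bytes of a file."""
    for magic, kind in MAGIC.items():
        if head.startswith(magic):
            return kind
    return "unknown"


def suffixes(name: str) -> list[str]:
    """All extensions of the final path component, lower-cased: 'a.pdf.exe' -> ['.pdf', '.exe']."""
    base = name.rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons an archive entry looks like a disguised executable (empty if clean)."""
    reasons = []
    exts = suffixes(name)
    last = exts[-1] if exts else ""
    kind = sniff(head)
    # 1. Double extension such as notice.pdf.exe: document look, executable reality.
    if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append(f"double extension {exts[-2]}{last}")
    # 2. Content is a PE but the name does not carry an executable extension.
    if kind == "pe" and last not in EXECUTABLE_EXTS:
        reasons.append(f"PE header but extension {last or '(none)'}")
    # 3. Name claims PDF but the bytes are not a PDF.
    if last == ".pdf" and kind != "pdf":
        reasons.append(f"named .pdf but content sniffed as {kind}")
    # 4. Unicode right-to-left override used to visually hide the real extension.
    if "\u202e" in name:
        reasons.append("RLO character in filename")
    # 5. A bare executable inside an archive that is supposed to carry a document.
    if last in EXECUTABLE_EXTS and not reasons:
        reasons.append(f"executable {last} inside archive")
    return reasons


def scan_archive(blob: bytes) -> dict[str, list[str]]:
    """Map each suspicious entry name in a ZIP to the reasons it was flagged."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)  # only the header is needed for sniffing
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (hypothetical names and contents, not campaign samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Audit_Notice.pdf.exe", b"MZ\x90\x00" + b"\x00" * 60)  # double extension
        zf.writestr("Income_Tax_Notice.pdf", b"MZ\x90\x00" + b"\x00" * 60)     # PE renamed to .pdf
        zf.writestr("Acknowledgement.pdf", b"%PDF-1.7\n%...")                  # genuine PDF
        zf.writestr("readme.txt", b"plain text")                               # benign
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_archive(build_sample_archive()).items():
        print(entry, "->", "; ".join(why))
```

Checking the magic bytes against the extension is the part that matters: a renamed PE keeps its MZ header regardless of what the name says, so a mail gateway or EDR rule that only matches on ".exe" misses the second constructed entry while this check does not.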

The loader then decrypts and executes a payload that installs the ValleyRAT backdoor. ValleyRAT establishes command-and-control (C2) communication, executes commands, and downloads additional modules. One of these modules is ABCDoor, a Python-based backdoor designed for persistent access.

ABCDoor enables attackers to perform various malicious actions, including capturing screenshots, logging keystrokes, controlling mouse and keyboard input, managing files and processes, and exfiltrating sensitive data such as clipboard contents.

To maintain persistence, some variants use a technique known as Phantom Persistence, which manipulates system shutdown behavior so that the malware is launched again when the system reboots, allowing it to survive restarts.

Conclusion

The Silver Fox campaign demonstrates a highly targeted and evolving threat that combines social engineering with multi-stage malware delivery. By leveraging tax-themed phishing and advanced loaders, the attackers are able to bypass defenses and deploy powerful backdoors like ABCDoor.

The use of geofencing, sandbox evasion, and persistence mechanisms highlights the sophistication of the operation. Because the loader checks its location and looks for analysis environments before doing anything malicious, automated detonation outside the targeted regions may produce a clean verdict, so a benign sandbox result alone should not clear a suspicious tax-themed attachment. Organizations should remain vigilant against phishing attempts, especially those themed around official or seasonal topics, inspect archive attachments for executables masquerading as documents, and implement strong endpoint protection and monitoring to detect such multi-layered attacks early.

Source

https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html