# Full Report
The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities. "Both waves followed a nearly identical
# Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
* **Origin:** China-based.
* **Actor Type:** Cybercrime group.
* **Identity:** Known as "Silver Fox." No other major aliases (e.g., APT numbers) are specified in the provided text.
## Activity Summary
* **Tax-Themed Phishing (Dec 2025 – Early 2026):** Distributed malicious archives mimicking the Income Tax Department of India and Russian tax authorities.
* **Infrastructure Expansion:** Operates campaigns that distribute various backdoors including ValleyRAT and the undocumented ABCDoor.
* **Timeline:** Activity using ABCDoor dates back to at least December 2024, with active campaigns observed in early 2025 and late 2025.
## Tactics, Techniques & Procedures
* **Phishing:** Uses tax audit lures and official-style notices to deliver malicious ZIP/RAR archives or PDFs with clickable links.
* **Loader Mechanics:** Utilizes a modified version of **RustSL**, an open-source shellcode loader.
* **Geofencing:** Implements country-based checks to ensure execution only on targets in India, Indonesia, South Africa, Russia, and Cambodia.
* **Evasion:** Employs environment checks to detect virtual machines and sandboxes.
* **Persistence (Phantom Persistence):** Intercepts system shutdown signals to trigger a reboot under the guise of an update, forcing malware execution upon startup.
* **JavaScript Distribution:** Uses JS loaders within self-extracting (SFX) archives to deliver the final payloads.
## Targeting
* **Sectors:** Industrial, Consulting, Retail, and Transportation.
* **Geography:** Primarily India, Russia, and Indonesia. Secondary targets include South Africa, Japan, Cambodia, and Vietnam.
* **Victims:** Over 1,600 identified phishing emails targeting organizations within the specified sectors.
## Tools & Infrastructure
* **Malware:**
  * **ABCDoor:** A previously undocumented Python-based backdoor capable of C2 communication, screen capture, remote mouse/keyboard control, and file exfiltration.
  * **ValleyRAT (aka Winos 4.0):** A multi-modular backdoor used for remote command execution.
  * **RustSL:** An open-source Rust-based shellcode loader modified for custom defense bypass.
* **Infrastructure:**
  * **C2/Download Domain:** abc.haijing88[.]com
  * **Payload Components:** login-module.dll_bin (ValleyRAT core)
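The two indicators above (the download domain and the payload file name) are the concrete hooks a defender can sweep proxy or DNS logs for. The script below is an added example, not part of the original report: it refangs the defanged domain, matches the domain and its subdomains (but not look-alike suffixes such as `haijing88.com.example.net`), and flags the payload file name in any URL path. The proxy log format and the log lines are constructed for illustration.

```python
"""Flag proxy-log lines that reference the download domain or payload
component named in the Silver Fox / ABCDoor report.

Added example, not part of the original report. The indicators are the
ones the report lists; the log format and sample lines are constructed.
"""
import re
from urllib.parse import urlsplit

# Defanged indicators copied from the report, refanged so they match real logs.
IOC_DOMAINS = {"abc.haijing88[.]com".replace("[.]", ".")}
IOC_FILENAMES = {"login-module.dll_bin"}

# Constructed proxy log format: "<timestamp> <client_ip> <method> <url> <status>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)

# Constructed sample lines: two true hits, one subdomain hit, one look-alike, one filename hit.
SAMPLE_LOGS = """\
2025-12-03T09:14:02Z 10.0.4.17 GET http://abc.haijing88.com/login-module.dll_bin 200
2025-12-03T09:14:05Z 10.0.4.17 GET https://www.example.org/index.html 200
2025-12-03T09:15:11Z 10.0.7.22 POST http://cdn.abc.haijing88.com/beacon 200
2025-12-03T09:16:40Z 10.0.9.3 GET http://haijing88.com.example.net/ 404
2025-12-03T09:17:00Z 10.0.2.8 GET http://mirror.example.com/downloads/login-module.dll_bin 200
"""


def host_matches(host, ioc_domain):
    """True for the indicator domain itself or any subdomain of it, never a look-alike suffix."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)


def classify(url):
    """Return the list of reasons a URL matches an indicator (empty list if clean)."""
    parts = urlsplit(url)
    reasons = []
    if parts.hostname and any(host_matches(parts.hostname, d) for d in IOC_DOMAINS):
        reasons.append("ioc-domain")
    filename = parts.path.rsplit("/", 1)[-1]
    if filename in IOC_FILENAMES:
        reasons.append("ioc-filename")
    return reasons


def scan_logs(text):
    """Return (client_ip, url, reasons) for every well-formed line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        reasons = classify(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_logs(SAMPLE_LOGS):
        print(f"{client} -> {url}  [{', '.join(reasons)}]")
```

Matching on the file name as well as the domain catches a payload that has been re-hosted on infrastructure not yet in the indicator list; the fourth sample line shows why a plain substring match on the domain would be too loose.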
## Implications
Silver Fox demonstrates a sophisticated bridge between traditional cybercrime and advanced persistence. Their adoption of open-source frameworks (RustSL), novel persistence techniques (Phantom Persistence), and rigorous geofencing suggests a highly organized operation. The focus on critical sectors like industrial and transportation in specific geopolitical regions suggests their activity may have implications beyond simple financial theft, potentially involving corporate espionage or regional disruption.
## Mitigations
* **Email Filtering:** Implement strict filtering for tax-themed keywords and block archives (ZIP/RAR) containing executable files or SFX archives.
* **Execution Prevention:** Monitor and block the execution of unauthorized Rust-based binaries and Python scripts in end-user environments.
* **Persistence Monitoring:** Audit system shutdown and reboot triggers; monitor for unusual services mimicking "Updates" that trigger during the shutdown sequence (Phantom Persistence).
* **Geoblocking:** If the organization does not operate in the regions specified in the loader's country list, block communication to high-risk domains associated with the campaign.
* **User Training:** Train employees to verify official tax correspondence through official portals rather than clicking links in unsolicited emails.
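The email-filtering advice above (block archives carrying executables or SFX archives, and block JS loaders of the kind the TTPs section describes) can be turned into an attachment triage routine. The code below is an added example, not part of the original report: it rejects anything that starts with a PE header (a ZIP or RAR SFX is a PE executable with the archive appended), refuses RAR outright under a constructed policy, and walks ZIP entries looking for executables, script loaders, nested archives, double extensions such as `notice.pdf.js`, and PE content hidden under a harmless extension. The extension lists and the sample archives are constructed for illustration.

```python
"""Triage an e-mail attachment along the lines of the report's filtering advice:
block SFX archives and block ZIP archives that carry executables or script loaders.

Added example, not part of the original report. The extension lists, the
'tax notice' sample archive and its contents are constructed here.
"""
import io
import zipfile
from dataclasses import dataclass, field

EXECUTABLE_EXT = {".exe", ".scr", ".dll", ".com", ".pif", ".msi"}
SCRIPT_EXT = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".bat", ".cmd", ".ps1", ".lnk"}
ARCHIVE_EXT = {".zip", ".rar", ".7z"}
DOCUMENT_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
PE_MAGIC = b"MZ"            # SFX archives are PE executables with the archive appended
ZIP_MAGIC = b"PK\x03\x04"
RAR_MAGIC = b"Rar!\x1a\x07"


@dataclass
class Verdict:
    block: bool = False
    reasons: list = field(default_factory=list)


def _ext(name):
    base = name.rsplit("/", 1)[-1]
    return "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""


def _double_extension(name):
    """True for names like 'tax_notice.pdf.js': a document suffix masking the real one."""
    parts = name.lower().rsplit("/", 1)[-1].split(".")
    return len(parts) >= 3 and "." + parts[-2] in DOCUMENT_EXT


def triage_attachment(filename, data):
    """Inspect raw attachment bytes and return a Verdict (block flag plus reasons)."""
    v = Verdict()
    if data.startswith(PE_MAGIC):
        v.block = True
        v.reasons.append(f"{filename}: PE header at offset 0 (executable or SFX archive)")
        return v
    if data.startswith(RAR_MAGIC):
        v.block = True
        v.reasons.append(f"{filename}: RAR archive (constructed policy blocks RAR unopened)")
        return v
    if data.startswith(ZIP_MAGIC):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                name, ext = info.filename, _ext(info.filename)
                if ext in EXECUTABLE_EXT:
                    v.reasons.append(f"{name}: executable inside archive")
                elif ext in SCRIPT_EXT:
                    v.reasons.append(f"{name}: script loader inside archive")
                elif ext in ARCHIVE_EXT:
                    v.reasons.append(f"{name}: nested archive")
                elif not info.is_dir() and zf.open(info).read(2) == PE_MAGIC:
                    v.reasons.append(f"{name}: PE header under a non-executable extension")
                if _double_extension(name):
                    v.reasons.append(f"{name}: double extension")
        v.block = bool(v.reasons)
    elif _ext(filename) in EXECUTABLE_EXT | SCRIPT_EXT:
        v.block = True
        v.reasons.append(f"{filename}: bare executable or script attachment")
    return v


def build_sample_zip(entries):
    """Build an in-memory ZIP from a {name: bytes} mapping (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a lure archive with a JS loader and a renamed PE, a clean archive, an SFX.
LURE_ZIP = build_sample_zip({
    "Income_Tax_Notice.pdf.js": b"// constructed placeholder, not a real loader\n",
    "readme.txt": b"Please review the attached notice.\n",
    "viewer.dat": b"MZ" + b"\x00" * 62,      # PE header hidden under a .dat name
})
CLEAN_ZIP = build_sample_zip({"invoice.pdf": b"%PDF-1.4\n%constructed\n"})
SFX_BLOB = b"MZ" + b"\x90" * 30 + ZIP_MAGIC  # an SFX begins as a PE with the archive appended

if __name__ == "__main__":
    for name, blob in [("notice.zip", LURE_ZIP), ("invoice.zip", CLEAN_ZIP), ("notice.exe", SFX_BLOB)]:
        verdict = triage_attachment(name, blob)
        print(name, "BLOCK" if verdict.block else "allow", verdict.reasons)
```

Checking the first bytes of each inner entry, not just its name, is what catches the renamed PE in the sample; a gateway that keys only on extensions would pass `viewer.dat` straight through.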