
Silver Fox ABCDoor Malware Campaign Targets Russia and India

By Eng. Donya Bino

A Chinese cybercrime group is pretending to be tax authorities in two different countries. Their goal? Deliver malware that steals data, controls systems, and spies on victims.

The Silver Fox ABCDoor malware campaign has been targeting organizations in Russia and India with phishing emails disguised as official tax notices. Security researchers at Kaspersky uncovered the operation, which uses a new Python-based backdoor called ABCDoor alongside the well-known ValleyRAT malware.

Between early January and early February 2026, researchers flagged more than 1,600 phishing emails. The Silver Fox ABCDoor malware campaign has impacted organizations across industrial, consulting, retail, and transportation sectors.

The Phishing Lures

The Silver Fox ABCDoor malware campaign uses remarkably convincing phishing emails. Each wave is tailored to the target country.

In December 2025 the group targeted institutions and companies in India with emails crafted to resemble correspondence from the Indian Income Tax Department, presented as legitimate notices about tax audits.

A separate wave targeted Russian entities. The Silver Fox ABCDoor malware campaign used similar language but adapted to Russian tax authorities. Both waves prompted users to download an archive containing a "list of tax violations."

The phishing emails contain a PDF file with two clickable links. Those links lead to a ZIP or RAR archive hosted on abc.haijing88[.]com. In the Indian campaign detected in December 2025, the Silver Fox ABCDoor malware campaign embedded malicious code directly within email attachments rather than hosting it remotely.

The RustSL Loader

Inside the archive is an executable disguised as a PDF file. That binary is a modified version of an open-source shellcode loader called RustSL.
The Silver Fox ABCDoor malware campaign uses RustSL as a first-stage loader. RustSL is originally an antivirus bypass framework. Silver Fox modified it significantly.
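The first thing a mail gateway or analyst can check is the trick itself: an archive member with a document extension whose bytes are really a Windows executable. The script below is an added example written for this article, not Kaspersky's or the author's code. It scans a ZIP archive for members that carry a .pdf (or other document) extension but begin with a PE header, and for double extensions such as notice.pdf.exe, which Explorer shows as "notice.pdf" when known extensions are hidden. The sample archive, including the member names, is constructed inline so the script runs offline; RAR archives would need a third-party library and are left out.

```python
"""Flag archive members that look like documents but are Windows executables.
Added example, not the campaign's or the researchers' code. The sample archive
and its file names are constructed for illustration."""
import io
import struct
import zipfile

DOC_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt")
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif")


def is_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def classify_member(name: str, head: bytes):
    """Return a reason string if the member is suspicious, else None."""
    lower = name.lower()
    if lower.endswith(DOC_EXTENSIONS) and is_pe(head):
        return "pe-content"            # document extension, executable bytes
    if lower.endswith(EXEC_EXTENSIONS) and any(
        ext + "." in lower for ext in DOC_EXTENSIONS
    ):
        return "double-extension"      # e.g. notice.pdf.exe, .exe hidden by Explorer
    return None


def scan_archive(blob: bytes) -> list:
    """Scan a ZIP archive held in memory; return [(member_name, reason), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # The first 4 KiB is enough for the DOS header and the PE signature.
            with zf.open(info) as fh:
                head = fh.read(4096)
            reason = classify_member(info.filename, head)
            if reason:
                findings.append((info.filename, reason))
    return findings


def build_fake_pe() -> bytes:
    """Constructed stand-in for an executable: MZ stub with e_lfanew -> 'PE\\0\\0'."""
    header = bytearray(b"MZ" + b"\x00" * 0x3E)   # 64-byte DOS header
    struct.pack_into("<I", header, 0x3C, 0x80)   # e_lfanew = 0x80
    header += b"\x00" * (0x80 - len(header))
    header += b"PE\x00\x00" + b"\x00" * 20       # PE signature + padding
    return bytes(header)


def build_sample_archive() -> bytes:
    """Constructed sample: a real PDF, a PE disguised as a PDF, a double extension."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_notice.pdf", b"%PDF-1.7\n% harmless text\n")
        zf.writestr("List of tax violations.pdf", build_fake_pe())
        zf.writestr("appendix.pdf.exe", build_fake_pe())
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in scan_archive(build_sample_archive()):
        print(f"{reason:16} {name}")
```

The content check matters more than the name check: a renamed loader keeps its MZ/PE header no matter what extension it is given, so a gateway rule that only matches extensions will miss it.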

The customized RustSL loader has several sophisticated features:
1. Country-based geofencing. The GitHub version of RustSL only includes China in its country list. The Silver Fox ABCDoor malware campaign version features India, Indonesia, South Africa, Russia, and Cambodia. The loader checks the victim's location before proceeding.
2. Virtual machine and sandbox detection. The Silver Fox ABCDoor malware campaign loader actively checks for analysis environments. If it detects a VM or sandbox, it stops execution.
3. Encrypted payload unpacking. The loader decrypts and unpacks the malicious payload only if the environment checks pass.

Silver Fox's first recorded use of RustSL dates back to late December 2025. More recent versions have broadened their geographic scope to also include Japan.

Phantom Persistence: One Clever Trick

One variant of the loader used in the campaign maintains persistence with a "novel" method known as "Phantom Persistence," first documented in June 2025.
Here is how it works. Windows has a feature that lets an application which needs a reboot to complete an update be resumed after the restart. The Silver Fox ABCDoor malware campaign abuses this functionality.

Kaspersky explained: "The attackers intercept the system shutdown signal, halt the normal shutdown sequence, and trigger a reboot under the guise of an update for the malware. Consequently, the loader forces the system to execute it upon OS startup."

The Silver Fox ABCDoor malware campaign effectively tricks Windows into treating the malware like an application finishing a legitimate update. When the user shuts down or restarts, the system relaunches the loader at startup, with none of the registry or scheduled-task changes that defenders usually watch for.
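The page does not name the Windows API the loader abuses, but the behaviour Kaspersky describes leaves a trace that can be hunted: every shutdown or restart initiated by a process is recorded in the System log as Event ID 1074, together with the initiating process path and the shutdown type. The script below is an added example written for this article, not Kaspersky's or the author's code. It parses constructed 1074 lines written in the real message wording and flags a restart initiated by a process outside the Windows and Program Files directories, marking it as a hijacked shutdown when a user's power-off or shutdown request from a different process preceded it within a short window. The trusted-path list, the 60-second window and the file names are assumptions.

```python
"""Hunt Event ID 1074 records for the hijacked-shutdown pattern.
Added example, not Kaspersky's or the article author's code. The log lines
are constructed; trust list and window are assumptions to tune locally."""
import re
from datetime import datetime, timedelta

# Assumption: legitimate restarts are initiated from these locations.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# C:\Windows\Temp is world-writable, so it is not trusted even under C:\Windows.
UNTRUSTED_MARKERS = ("\\temp\\",)
WINDOW = timedelta(seconds=60)   # assumed gap between shutdown request and hijack

EVENT_RE = re.compile(
    r"The process (?P<proc>.+?) \((?P<host>[^)]+)\) has initiated the "
    r"(?:shutdown|restart|power off) of computer \S+ on behalf of user "
    r"(?P<user>.+?) for the following reason: (?P<reason>.+?) "
    r"Reason Code: (?P<code>\S+) Shutdown Type: (?P<type>[a-z ]+?) Comment:"
)

# Constructed records in the form "<ISO timestamp>|<event id>|<message>".
SAMPLE_EVENTS = [
    "2026-01-19T07:30:00|1074|The process C:\\Windows\\system32\\svchost.exe (WS01) "
    "has initiated the restart of computer WS01 on behalf of user NT AUTHORITY\\SYSTEM "
    "for the following reason: Operating System: Upgrade (Planned) Reason Code: "
    "0x80020003 Shutdown Type: restart Comment: ",
    "2026-01-20T18:02:11|1074|The process C:\\Windows\\explorer.exe (WS01) has "
    "initiated the power off of computer WS01 on behalf of user CORP\\alice for the "
    "following reason: Other (Unplanned) Reason Code: 0x0 Shutdown Type: power off "
    "Comment: ",
    "2026-01-20T18:02:14|1074|The process C:\\Users\\alice\\AppData\\Local\\Temp\\"
    "tax_violations.pdf.exe (WS01) has initiated the restart of computer WS01 on "
    "behalf of user CORP\\alice for the following reason: Application: Installation "
    "(Planned) Reason Code: 0x80040002 Shutdown Type: restart Comment: ",
    "2026-01-21T12:00:00|6005|The Event log service was started.",
]


def parse_event(line: str):
    """Parse one constructed log line; return a dict, or None for non-1074 events."""
    ts, event_id, msg = line.split("|", 2)
    if event_id != "1074":
        return None
    m = EVENT_RE.search(msg)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.fromisoformat(ts)
    return rec


def is_trusted(proc: str) -> bool:
    p = proc.lower()
    return p.startswith(TRUSTED_PREFIXES) and not any(m in p for m in UNTRUSTED_MARKERS)


def analyze(lines) -> list:
    """Return restarts initiated by untrusted processes, noting hijacked shutdowns."""
    events = sorted((e for e in map(parse_event, lines) if e), key=lambda e: e["time"])
    findings = []
    for i, ev in enumerate(events):
        if ev["type"] != "restart" or is_trusted(ev["proc"]):
            continue
        # A user shutdown/power-off request shortly before, from another process,
        # matches the "halt the shutdown, force a reboot" behaviour.
        hijacked = any(
            prev["type"] in ("power off", "shutdown")
            and prev["proc"] != ev["proc"]
            and timedelta(0) <= ev["time"] - prev["time"] <= WINDOW
            for prev in events[:i]
        )
        findings.append({
            "time": ev["time"].isoformat(),
            "process": ev["proc"],
            "user": ev["user"],
            "reason": ev["reason"],
            "hijacked_shutdown": hijacked,
        })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

On a real host the same logic runs over the output of Get-WinEvent filtered to the System log and ID 1074; the svchost-initiated restart with an "Operating System: Upgrade" reason is what a genuine update looks like, and an "Application: Installation" restart from a user profile directory is what it should not look like.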

ValleyRAT: The Well-Known Backdoor

Once the RustSL loader completes its checks, it decrypts and executes the ValleyRAT payload, also known as Winos 4.0.

ValleyRAT has long been Silver Fox's backdoor of choice. In this campaign it is delivered as an encrypted payload inside the loader.

The primary component of ValleyRAT is the login-module.dll_bin file, which is responsible for handling:
1. Command-and-control (C2) communications
2. Command execution
3. Retrieval and execution of additional modules
ValleyRAT alone is dangerous. But the Silver Fox ABCDoor malware campaign takes it further by deploying custom plugins.

ABCDoor: The New Python Backdoor

The star of the Silver Fox ABCDoor malware campaign is a previously undocumented Python-based backdoor called ABCDoor. Kaspersky researchers found that ABCDoor has been part of Silver Fox's arsenal since at least December 19, 2024.

The Silver Fox ABCDoor malware campaign uses ABCDoor as a ValleyRAT plugin. After a second geofencing check passes, the backdoor activates and communicates with its C2 servers over HTTPS, accepting commands for the following tasks:
1. Persistence management. ABCDoor can install itself for long-term access or delete itself to cover its tracks.
2. Backdoor updating. On C2 command it can replace its own code with a new version or uninstall completely.
3. Screen snapshots. It captures the infected computer's monitor(s), giving the operator a view of whatever the victim is working on.
4. Remote input control. It lets the attacker drive the mouse and keyboard and interact with the machine directly.
5. File system operations. It can browse, upload, download, delete, and modify files.
6. Process management. It can start, stop, or manipulate running processes.
7. Clipboard exfiltration. It steals anything the victim copies to the clipboard: passwords, financial data, sensitive text.

Because ABCDoor is written in Python, it is cross-platform capable in principle and relatively easy for the attackers to modify.

Dual-Track Operational Model

Security researchers at S2W have tracked Silver Fox's evolution. The group operates on a dual-track model.
Track one: profit-driven opportunistic attacks. Silver Fox runs broad phishing schemes for financial gain. ABCDoor serves this track when it steals victims' credentials or when those credentials are used to commit fraud.

Track two: espionage. ABCDoor can equally support spying. In espionage mode the attackers focus on long-term access, data theft, and monitoring rather than immediate financial extraction.

The Silver Fox ABCDoor malware campaign represents a geographic expansion. India, Russia, Indonesia, South Africa, Cambodia, and Japan are now within the group's target scope.

Geographic Targeting

The countries in scope, judged from the phishing waves and from the loader's geofencing list, are:
1. India - The most observed activity, driven by tax-themed lures.
2. Russia - The second wave, with phishing emails impersonating the tax authority.
3. Indonesia - Also saw activity from the campaign and appears in the geofencing list.
4. South Africa and Cambodia - Present in the loader's geofencing list.
5. Japan - A recent addition, introduced with a newer version of the RustSL loader.

The Silver Fox ABCDoor malware campaign tailors its lures to each targeted country. The content of the phishing emails follows the local tax season, filing deadlines and, possibly, regulatory issues specific to that country.

Evolution of Campaign

Since it first started in December 2024, the Silver Fox ABCDoor malware campaign has evolved considerably.

December 2024: ABCDoor, a Python backdoor, joins Silver Fox's arsenal; the earliest known sample dates to December 19, 2024.

Early 2025: ABCDoor is deployed in active attacks from February or March 2025.

November 2025: Silver Fox uses a JavaScript loader to deliver ABCDoor via self-extracting archives.

December 2025: Tax-themed phishing emails target Indian organizations, with the malicious code embedded directly in the email attachments. The modified RustSL loader is first recorded late in the month.

Late 2025: A second wave targets Russian entities. Archives are now hosted on abc.haijing88[.]com rather than attached.

January-February 2026: More than 1,600 phishing emails are flagged, the campaign's peak observed activity.

2026: Newer RustSL versions add Japan to the geofencing list, which now covers multiple Asian and Eurasian countries.

Why This Campaign Is Dangerous

The Silver Fox ABCDoor malware campaign has several characteristics that make it particularly threatening.
1. Personalized Lures. The group researches the local tax authority of each target country and produces believable impersonations. The emails used in the Silver Fox ABCDoor malware campaign are not generic spam.

2. Multi-Stage Evasion. The Silver Fox ABCDoor malware campaign utilizes geographic fencing, sandbox detection, and encrypted payloads to evade detection by automated analysis.

3. Phantom Persistence. Traditional persistence mechanisms modify registry keys or scheduled tasks, which defenders monitor closely. The reboot-abuse technique used by the Silver Fox ABCDoor malware campaign is far less likely to be watched.

4. Modular backdoor. ABCDoor can be updated, removed, or extended with new capabilities. The Silver Fox ABCDoor malware campaign operators can adapt quickly.

5. Dual-track monetization. The same infrastructure supports both financial fraud and espionage. The Silver Fox ABCDoor malware campaign serves multiple criminal objectives simultaneously.

How to Protect Your Organization

The Silver Fox ABCDoor malware campaign is active now. Here is what you should do.
1. Train users to recognize tax-themed phishing. The Silver Fox ABCDoor malware campaign depends on recipients believing they have received a genuine notice from the tax authority. Users should confirm any such notice through the authority's official channels rather than by following links in an email that appears to come from it.

2. Block known download infrastructure at the perimeter. The Silver Fox ABCDoor malware campaign has hosted its archives on abc.haijing88[.]com. Block that domain, and expect the infrastructure to change: a domain block is a stopgap, not a defense against the next wave.

3. Investigate unexpected reboots. Because the loader can hijack a shutdown and turn it into a reboot under the guise of an update, a workstation that restarts when the user asked for a shutdown, or that reboots with no corresponding Windows Update activity, warrants investigation, as does any unexplained change to files on such a machine.

4. Implement (or tune existing) EDR (endpoint detection and response). The Silver Fox ABCDoor malware campaign leaves behavioral indicators: VM and sandbox checks, an executable masquerading as a PDF, and Python interpreters running from unusual locations.

5. Restrict Python execution. The Silver Fox ABCDoor malware campaign delivers a Python backdoor. If your organization does not use Python, block Python interpreters from running. If you do use Python, monitor for unsigned or unexpected Python scripts.

6. Enable PowerShell logging. The Silver Fox ABCDoor malware campaign may use PowerShell for execution. Enable full logging to gather evidence of rogue commands.
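Items 4 and 5 above come down to one hunting question: is a Python interpreter running where, and under whom, it should not be? The script below is an added example written for this article, not Kaspersky's or the author's code. It scores process-creation records (field names follow Sysmon Event ID 1: Image, CommandLine, ParentImage) and flags interpreters that run outside approved install roots, scripts launched from staging directories such as AppData\Roaming or Temp, and parents that have no business spawning an interpreter, including a double-extension "document". The records, the approved roots, the staging markers and the parent list are all assumptions to tune per environment.

```python
"""Hunt process-creation records for Python interpreters that should not be there.
Added example, not Kaspersky's or the article author's code. Records are
constructed; approved roots, staging markers and parent list are assumptions."""
import re

PY_NAMES = ("python.exe", "pythonw.exe", "py.exe")

# Assumed legitimate install locations; extend for your estate (e.g. the
# C:\Windows\py.exe launcher if it is deployed).
APPROVED_IMAGE_RE = re.compile(
    r"^(?:c:\\program files(?: \(x86\))?\\python\d*\\"
    r"|c:\\python\d+\\"
    r"|c:\\users\\[^\\]+\\appdata\\local\\programs\\python\\python\d+\\)"
    r"(?:pythonw?|py)\.exe$"
)
# Directories malware commonly stages scripts from.
STAGING_MARKERS = ("\\temp\\", "\\appdata\\roaming\\", "\\programdata\\",
                   "\\users\\public\\", "\\downloads\\")
# Parents that have no business launching an interpreter (assumption).
ODD_PARENTS = ("winword.exe", "excel.exe", "acrord32.exe", "outlook.exe",
               "wscript.exe", "mshta.exe", "rundll32.exe")
DOUBLE_EXT_RE = re.compile(r"\.(?:pdf|docx?|xlsx?)\.(?:exe|scr)$")
SCRIPT_RE = re.compile(r"[\w\\:.\-]+\.pyw?\b")


def hunt(record: dict) -> list:
    """Return the reasons a process-creation record looks suspicious (empty if not)."""
    image = record["Image"].lower()
    if image.rsplit("\\", 1)[-1] not in PY_NAMES:
        return []                       # not a Python interpreter
    reasons = []
    if not APPROVED_IMAGE_RE.match(image):
        reasons.append("interpreter outside approved install roots")
    cmd = record.get("CommandLine", "").lower()
    for script in SCRIPT_RE.findall(cmd):
        if any(m in script for m in STAGING_MARKERS):
            reasons.append("script in staging directory: " + script)
    parent = record.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    if parent in ODD_PARENTS or DOUBLE_EXT_RE.search(parent):
        reasons.append("unusual parent: " + parent)
    return reasons


def hunt_all(records: list) -> dict:
    """Map record index -> reasons for every flagged record."""
    return {i: r for i, r in ((i, hunt(rec)) for i, rec in enumerate(records)) if r}


# Constructed records.
SAMPLE_RECORDS = [
    {"Image": "C:\\Program Files\\Python312\\python.exe",
     "CommandLine": "python.exe C:\\dev\\tools\\build.py",
     "ParentImage": "C:\\Windows\\System32\\cmd.exe"},
    {"Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\rt\\pythonw.exe",
     "CommandLine": "pythonw.exe C:\\Users\\alice\\AppData\\Roaming\\svc\\main.py",
     "ParentImage": "C:\\Users\\alice\\AppData\\Local\\Temp\\tax_violations.pdf.exe"},
    {"Image": "C:\\Users\\bob\\AppData\\Local\\Programs\\Python\\Python311\\python.exe",
     "CommandLine": "python.exe -m pip install requests",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

if __name__ == "__main__":
    for idx, reasons in hunt_all(SAMPLE_RECORDS).items():
        print(SAMPLE_RECORDS[idx]["Image"], "->", "; ".join(reasons))
```

The second record trips all three checks, which is the point of scoring rather than alerting on any single one: a developer's per-user Python install (the third record) is common and should not page anyone, but an interpreter dropped into Temp, running a script from Roaming, under a parent named like a PDF, should.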

Conclusion

Silver Fox's ABCDoor operation shows the level of sophistication of Chinese cybercrime groups. They research local tax systems, build custom geofenced loaders for precise placement, and run two backdoors side by side, one well known and one previously undocumented.

The Silver Fox ABCDoor malware campaign is not opportunistic spam. It is targeted, patient, and adaptive. The group watches for tax seasons and regulatory changes. They modify their lures accordingly.

For organizations in India, Russia, Indonesia, South Africa, and Japan, the Silver Fox ABCDoor malware campaign is an active threat. Check your email filters. Train your users. And assume that tax notice might not be from the tax office.

FAQ Section

Q1. What is the Silver Fox ABCDoor malware campaign?
The Silver Fox ABCDoor malware campaign is a Chinese cybercrime operation targeting organizations in India, Russia, Indonesia, South Africa, and Japan. Attackers send tax-themed phishing emails that deliver the ValleyRAT backdoor and a new Python backdoor called ABCDoor.

Q2. How does the Silver Fox ABCDoor malware initiate an infection of its victim?
Victims receive a spoofed email purporting to come from the tax authority. It contains a PDF with links to a ZIP or RAR archive, inside which is a RustSL loader disguised as a PDF file. The loader checks the victim's geographic location and whether it is running in a sandbox, then deploys ValleyRAT, which in turn loads ABCDoor as a plugin.

Q3. What is Phantom Persistence in the Silver Fox ABCDoor malware?
Phantom Persistence abuses the Windows mechanism that restarts applications after an update-related reboot. The malware intercepts the operating system's shutdown signal: when a user tries to shut down, it halts the normal shutdown sequence and instead triggers a reboot while posing as a pending update. When the machine comes back up, the loader executes at OS startup.

Q4. What countries have been targeted by the Silver Fox ABCDoor malware?
India and Russia have received the phishing waves; Indonesia, South Africa, Cambodia, and Japan appear in the loader's geofencing list. The Silver Fox ABCDoor malware uses that list to verify a victim's location before delivering its payloads.

Q5. Is ABCDoor a new family of malware?
Yes. ABCDoor is a previously unreported backdoor family written in Python. It has been in use since at least December 19, 2024, and provides persistence, remote control, file operations, clipboard access, and screenshots.

Source: The Hacker News

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067