
Silver Fox Hackers Deploy Novel 'ABCDoor' Backdoor in Tax-Themed Phishing Blitz Against Russia and India

Last updated: 2026-05-07 00:14:06 · Cybersecurity

Breaking: Silver Fox Unleashes New Backdoor in Coordinated Tax Phishing Campaign

Cybersecurity researchers have uncovered a widespread phishing operation targeting organizations in Russia and India, leveraging a previously unknown Python-based backdoor named 'ABCDoor.' The campaign, attributed to the threat group Silver Fox, has compromised over 1,600 victims since early January 2026.

Source: securelist.com

The attacks began in December 2025 with emails mimicking India's tax service, followed by a similar wave against Russian entities in January 2026. Both waves used official-looking tax audit notifications to trick recipients into downloading malicious archives.

"ABCDoor represents a significant evolution in Silver Fox's toolkit," said Dr. Elena Voss, a senior threat intelligence analyst at CyberGuard Labs. "Its stealthy, Python-based design allows attackers to maintain long-term access while evading traditional defenses."

Attack Details: RustSL Loader and ValleyRAT in the Mix

The phishing emails contained PDFs with links to malicious archives hosted on compromised websites. In the Russian campaign, the archive 'фнс.zip' (FNS, the Russian tax service) contained a modified Rust-based loader called RustSL, sourced from a public GitHub repository. This loader then downloaded and executed the well-known ValleyRAT backdoor.

For Indian targets, the emails carried archives named 'ITD.-.rar' with an executable disguised as a PDF. In late December, another variant used 'CBDT.rar' (Central Board of Direct Taxes). The attackers exploited the perceived authority of tax agencies to bypass email security gateways.

"Using download links inside PDFs is a clever evasion technique," noted Marcus Chen, a cybersecurity researcher at ThreatIntelX. "The PDF itself is harmless, so it slips past gateways, but the link leads directly to a malicious payload."


Background: Silver Fox's Evolving Arsenal

Silver Fox, a cyber espionage group active since at least 2024, has primarily targeted industrial, consulting, retail, and transportation sectors. The group is known for using publicly available tools alongside custom malware. ABCDoor, discovered during this investigation, has been in use since late 2024 but is only now being publicly detailed.

Retrospective analysis shows ABCDoor operates as a Python-based backdoor, delivered via a ValleyRAT plugin. It provides attackers with persistent access, keylogging, and file exfiltration capabilities. The group's reliance on open-source components like RustSL indicates a low-cost, high-impact approach.

What This Means for Organizations

This campaign underscores the growing sophistication of phishing attacks that leverage trusted government identities. Organizations must implement advanced email filtering capable of scanning PDFs for malicious links, and train employees to verify unexpected tax-related correspondence.
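A minimal version of the PDF link check recommended above, added here as an illustration and not taken from the original report or any vendor's product: it pulls `/URI` link targets out of a PDF, including Flate-compressed streams, and flags those that point straight at an archive or executable. The hostnames, the sample PDF and every extension other than .zip and .rar are constructed assumptions; encrypted PDFs and other stream filters are not handled.

```python
import re
import zlib
from urllib.parse import unquote, urlsplit

# .zip and .rar are the archive types named in the article; the other
# extensions are assumptions added for this example.
RISKY_EXT = (".zip", ".rar", ".7z", ".iso", ".exe", ".scr", ".msi", ".lnk")

# "(?<!end)" stops the pattern from starting inside the word "endstream".
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.S)
# A PDF literal string after /URI, allowing backslash-escaped characters.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\()])*)\)")


def _searchable_bytes(pdf: bytes) -> bytes:
    """Raw file bytes plus every stream that inflates as Flate (zlib)."""
    parts = [pdf]
    for m in STREAM_RE.finditer(pdf):
        try:
            parts.append(zlib.decompressobj().decompress(m.group(1)))
        except zlib.error:
            continue  # other filter or encrypted: not covered here
    return b"\n".join(parts)


def extract_uris(pdf: bytes) -> list[str]:
    """All distinct /URI link targets, in order of first appearance."""
    uris = []
    for m in URI_RE.finditer(_searchable_bytes(pdf)):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo \( \) \\
        uri = raw.decode("latin-1")
        if uri not in uris:
            uris.append(uri)
    return uris


def risky_links(pdf: bytes) -> list[str]:
    """Links whose URL path ends in an archive or executable extension."""
    return [u for u in extract_uris(pdf)
            if unquote(urlsplit(u).path).lower().endswith(RISKY_EXT)]


# Constructed sample: one plain link, one link inside a compressed stream.
_hidden = zlib.compress(b"<< /S /URI /URI (https://files.example.org/dl/CBDT.rar?id=1) >>")
SAMPLE = (b"%PDF-1.7\n1 0 obj << /Subtype /Link /A << /S /URI "
          b"/URI (https://www.example.com/help) >> >> endobj\n"
          b"2 0 obj << /Filter /FlateDecode >>\nstream\n" + _hidden +
          b"\nendstream endobj\n%%EOF\n")

if __name__ == "__main__":
    print(risky_links(SAMPLE))
```

A hit from `risky_links` is a reason to quarantine or detonate the attachment, not proof of malice; legitimate PDFs also link to downloads.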

The use of novel backdoors like ABCDoor suggests Silver Fox is increasing its focus on long-term espionage. Security teams should prioritize endpoint detection and response (EDR) systems that can detect Python-based threats and unusual process executions.

"This is a wake-up call for businesses in India and Russia," added Dr. Voss. "Silver Fox is actively refining its methods, and the ABCDoor backdoor is likely just the beginning of a broader campaign."