Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
AI-powered Forg365 Phishing Platform Targets Microsoft 365 Accounts
July 11, 2026
Dell BIOS Critical Flaw Exposes Admin Passwords From SPI Flash
July 11, 2026
Home/Threats/SilverFox Uses Fake Tax Notices to Deploy ValleyRAT and ABCDoor Backdoor
Threats

SilverFox Uses Fake Tax Notices to Deploy ValleyRAT and ABCDoor Backdoor

Key Takeaways The Chinese-linked threat group Silver Fox is employing sophisticated phishing tactics, using fake tax notices to target organizations across multiple countries. The campaign deploys...

Jennifer sherman
Jennifer sherman
May 5, 2026 5 Min Read
54 0

Key Takeaways

  • The Chinese-linked threat group Silver Fox is employing sophisticated phishing tactics, using fake tax notices to target organizations across multiple countries.
  • The campaign deploys both the established ValleyRAT backdoor and a newly identified Python-based implant, ABCDoor, which has been part of Silver Fox’s arsenal since at least late 2024.
  • Attackers leverage social engineering and a multi-stage infection chain, including a modified Rust-based loader with geofencing capabilities, to evade detection and establish persistent control.
  • Victims span industrial, consulting, retail, and transportation sectors, with over 1,600 malicious emails detected in just one month targeting Russia alone.
  • Organizations must prioritize employee training, enhance email security, and implement robust endpoint monitoring to counter these evolving threats.

A Chinese-linked cyberespionage group, identified as Silver Fox, is actively engaged in a cunning phishing operation. This campaign targets employees across various countries, tricking them into opening what appear to be official tax authority communications.

Table Of Content

  • Key Takeaways
  • Campaign Timeline and Targets
  • How the Infection Chain Works: From Fake PDF to Full System Takeover
  • What You Should Do

These deceptive emails, masquerading as legitimate governmental notices, initiate a malware chain that ultimately installs the well-known ValleyRAT backdoor and a previously undiscovered Python-based implant named ABCDoor. Researchers have detailed the intricate infection process in a comprehensive report.

Campaign Timeline and Targets

The campaign first surfaced in December 2025, with a flurry of phishing emails impersonating the Indian tax service. Weeks later, in January 2026, Silver Fox launched an almost identical operation, this time focusing on organizations within Russia.

Both waves of attacks utilized emails designed as tax audit notices or warnings about alleged tax violations. These messages urged recipients to download an archive file purportedly containing a “list of tax violations.” The targets included entities in the industrial, consulting, retail, and transportation sectors. Between early January and early February 2026 alone, over 1,600 malicious emails were recorded in the Russian phase of the operation.

Analysts at Securelist identified and attributed this activity to the Silver Fox threat group. Their investigation revealed that, in addition to deploying ValleyRAT, the attackers were also delivering a new, undocumented backdoor via a custom ValleyRAT plugin. This new backdoor was christened ABCDoor by the researchers due to the consistent “abc” third-level domain pattern observed in its command-and-control (C2) addresses.

Retrospective analysis has confirmed that ABCDoor has been part of Silver Fox’s operational toolkit since at least late 2024 and was actively used in real-world attacks as early as the first quarter of 2025.

The danger of this campaign lies not only in the sophisticated malware payload but also in the meticulous social engineering involved. Tax notices inherently carry a sense of urgency and authority, often prompting employees to act without sufficient scrutiny. To bypass email security measures, the phishing emails’ PDF attachments contained download links rather than embedding malicious code directly, a tactic designed to circumvent scanners looking for direct malware attachments.

How the Infection Chain Works: From Fake PDF to Full System Takeover

Upon clicking the download link embedded in the phishing PDF, victims retrieve a compressed archive containing a modified Rust-based loader known as RustSL.

Attack chain (Source - Securelist)
Attack chain (Source – Securelist)

Silver Fox adapted this loader’s source code from a publicly available GitHub repository, implementing significant modifications. The customized version, now referred to as Silver Fox RustSL, incorporates a new module, steganography.rs, responsible for payload unpacking. It also features a guard.rs module that conducts environment checks and country-based geofencing, ensuring the malware executes only on systems located in targeted nations, including India, Russia, Indonesia, South Africa, Cambodia, and more recently, Japan.

Screenshot of the Description from the RustSL Loader GitHub Project (Source - Securelist)
Screenshot of the Description from the RustSL Loader GitHub Project (Source – Securelist)

The loader itself is disguised with a PDF or Excel file icon to avoid suspicion. When executed, RustSL loads an encrypted payload that functions as shellcode. This shellcode then proceeds to download an encrypted ValleyRAT module, termed the “Online module,” from the attackers’ server.

The Online module subsequently loads the core ValleyRAT component, the “Login module.” This component manages C2 communication, executes commands, and facilitates the download of further payloads. Among these additional payloads is a custom ValleyRAT plugin named 保86.dll, which serves as a downloader for ABCDoor.

Contents of the 111.zip Archive (Source - Securelist)
Contents of the 111.zip Archive (Source – Securelist)

ABCDoor is a Python-based backdoor compiled using Cython 3.0.7, a technique that helps obfuscate its underlying source code. It is extracted alongside a bundled Python environment and a copy of ffmpeg.exe, a legitimate audio and video processing tool that the malware re-purposes for screen capture and broadcasting.

Once active, ABCDoor establishes persistence through two primary methods: by writing an entry to the Windows registry Run key and by creating a scheduled task named “AppClient” that re-executes it every minute. To evade detection and mislead analysts, it disguises its installation path under C:ProgramDataTailscale, mimicking the legitimate Tailscale VPN utility.

Silver Fox RustSL also incorporates a technique called Phantom Persistence. This method intercepts system shutdown signals, aborts the shutdown sequence, and triggers a reboot that re-executes the loader, ensuring the malware’s survival across system restarts. Operating within a legitimate pythonw.exe process, ABCDoor can remain hidden for extended periods, silently collecting screen data, exfiltrating clipboard contents, managing files, and emulating mouse and keyboard input on the compromised machine.

What You Should Do

  • Employee Training: Conduct regular security awareness training to educate employees on verifying the legitimacy of emails, especially those purporting to be from tax authorities, before clicking links or downloading attachments.
  • Email Security Enhancements: Configure email security solutions to specifically flag and thoroughly analyze PDF files or other documents containing external download links, not just direct malicious attachments. Implement robust anti-phishing filters.
  • Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor for unusual registry modifications, the creation of suspicious scheduled tasks (e.g., “AppClient”), and the creation of unexpected directories (e.g., C:ProgramDataTailscale).
  • Network Monitoring: Monitor outbound network connections for traffic to third-level “abc” subdomains, which are indicative of ABCDoor C2 communication.
  • Process Monitoring: Watch for persistent pythonw.exe processes running without clear justification and any unexplained activity from ffmpeg.exe on endpoints, as these could signal an ABCDoor infection.
  • Principle of Least Privilege: Implement the principle of least privilege for all users to minimize the impact of a successful compromise.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackMalwarephishingSecurityThreat

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Cerberus Stalkerware Abuses Android Accessibility, Firebase for Remote Control

Next Post

ScarCruft Supply Chain Attack Backdoors Windows and Android Gaming Platform

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us