SilverFox Uses Fake Tax Notices to Deploy ValleyRAT and ABCDoor Backdoor
Key Takeaways The Chinese-linked threat group Silver Fox is employing sophisticated phishing tactics, using fake tax notices to target organizations across multiple countries. The campaign deploys...
Key Takeaways
- The Chinese-linked threat group Silver Fox is employing sophisticated phishing tactics, using fake tax notices to target organizations across multiple countries.
- The campaign deploys both the established ValleyRAT backdoor and a newly identified Python-based implant, ABCDoor, which has been part of Silver Fox’s arsenal since at least late 2024.
- Attackers leverage social engineering and a multi-stage infection chain, including a modified Rust-based loader with geofencing capabilities, to evade detection and establish persistent control.
- Victims span industrial, consulting, retail, and transportation sectors, with over 1,600 malicious emails detected in just one month targeting Russia alone.
- Organizations must prioritize employee training, enhance email security, and implement robust endpoint monitoring to counter these evolving threats.
A Chinese-linked cyberespionage group, identified as Silver Fox, is actively engaged in a cunning phishing operation. This campaign targets employees across various countries, tricking them into opening what appear to be official tax authority communications.
Table Of Content
These deceptive emails, masquerading as legitimate governmental notices, initiate a malware chain that ultimately installs the well-known ValleyRAT backdoor and a previously undiscovered Python-based implant named ABCDoor. Researchers have detailed the intricate infection process in a comprehensive report.
Campaign Timeline and Targets
The campaign first surfaced in December 2025, with a flurry of phishing emails impersonating the Indian tax service. Weeks later, in January 2026, Silver Fox launched an almost identical operation, this time focusing on organizations within Russia.
Both waves of attacks utilized emails designed as tax audit notices or warnings about alleged tax violations. These messages urged recipients to download an archive file purportedly containing a “list of tax violations.” The targets included entities in the industrial, consulting, retail, and transportation sectors. Between early January and early February 2026 alone, over 1,600 malicious emails were recorded in the Russian phase of the operation.
Analysts at Securelist identified and attributed this activity to the Silver Fox threat group. Their investigation revealed that, in addition to deploying ValleyRAT, the attackers were also delivering a new, undocumented backdoor via a custom ValleyRAT plugin. This new backdoor was christened ABCDoor by the researchers due to the consistent “abc” third-level domain pattern observed in its command-and-control (C2) addresses.
Retrospective analysis has confirmed that ABCDoor has been part of Silver Fox’s operational toolkit since at least late 2024 and was actively used in real-world attacks as early as the first quarter of 2025.
The danger of this campaign lies not only in the sophisticated malware payload but also in the meticulous social engineering involved. Tax notices inherently carry a sense of urgency and authority, often prompting employees to act without sufficient scrutiny. To bypass email security measures, the phishing emails’ PDF attachments contained download links rather than embedding malicious code directly, a tactic designed to circumvent scanners looking for direct malware attachments.
How the Infection Chain Works: From Fake PDF to Full System Takeover
Upon clicking the download link embedded in the phishing PDF, victims retrieve a compressed archive containing a modified Rust-based loader known as RustSL.

Silver Fox adapted this loader’s source code from a publicly available GitHub repository, implementing significant modifications. The customized version, now referred to as Silver Fox RustSL, incorporates a new module, steganography.rs, responsible for payload unpacking. It also features a guard.rs module that conducts environment checks and country-based geofencing, ensuring the malware executes only on systems located in targeted nations, including India, Russia, Indonesia, South Africa, Cambodia, and more recently, Japan.

The loader itself is disguised with a PDF or Excel file icon to avoid suspicion. When executed, RustSL loads an encrypted payload that functions as shellcode. This shellcode then proceeds to download an encrypted ValleyRAT module, termed the “Online module,” from the attackers’ server.
The Online module subsequently loads the core ValleyRAT component, the “Login module.” This component manages C2 communication, executes commands, and facilitates the download of further payloads. Among these additional payloads is a custom ValleyRAT plugin named 保86.dll, which serves as a downloader for ABCDoor.

ABCDoor is a Python-based backdoor compiled using Cython 3.0.7, a technique that helps obfuscate its underlying source code. It is extracted alongside a bundled Python environment and a copy of ffmpeg.exe, a legitimate audio and video processing tool that the malware re-purposes for screen capture and broadcasting.
Once active, ABCDoor establishes persistence through two primary methods: by writing an entry to the Windows registry Run key and by creating a scheduled task named “AppClient” that re-executes it every minute. To evade detection and mislead analysts, it disguises its installation path under C:ProgramDataTailscale, mimicking the legitimate Tailscale VPN utility.
Silver Fox RustSL also incorporates a technique called Phantom Persistence. This method intercepts system shutdown signals, aborts the shutdown sequence, and triggers a reboot that re-executes the loader, ensuring the malware’s survival across system restarts. Operating within a legitimate pythonw.exe process, ABCDoor can remain hidden for extended periods, silently collecting screen data, exfiltrating clipboard contents, managing files, and emulating mouse and keyboard input on the compromised machine.
What You Should Do
- Employee Training: Conduct regular security awareness training to educate employees on verifying the legitimacy of emails, especially those purporting to be from tax authorities, before clicking links or downloading attachments.
- Email Security Enhancements: Configure email security solutions to specifically flag and thoroughly analyze PDF files or other documents containing external download links, not just direct malicious attachments. Implement robust anti-phishing filters.
- Endpoint Detection and Response (EDR): Utilize EDR solutions to monitor for unusual registry modifications, the creation of suspicious scheduled tasks (e.g., “AppClient”), and the creation of unexpected directories (e.g.,
C:ProgramDataTailscale). - Network Monitoring: Monitor outbound network connections for traffic to third-level “abc” subdomains, which are indicative of ABCDoor C2 communication.
- Process Monitoring: Watch for persistent
pythonw.exeprocesses running without clear justification and any unexplained activity fromffmpeg.exeon endpoints, as these could signal an ABCDoor infection. - Principle of Least Privilege: Implement the principle of least privilege for all users to minimize the impact of a successful compromise.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.