
New Cyber Espionage Campaign: Silver Fox Group Deploys 'ABCDoor' Backdoor via Tax Phishing Emails in Russia and India

Published 2026-05-05 09:46:51 · Cybersecurity

Breaking: Silver Fox Group Launches Dual-Phishing Wave with Novel Backdoor

A sophisticated cyber espionage campaign uncovered in late 2025 and early 2026 has been attributed to the Silver Fox threat group, according to cybersecurity researchers. The group employed a new Python-based backdoor, dubbed ABCDoor, alongside the established ValleyRAT remote access trojan, targeting organizations in India and Russia through deceptive tax-themed phishing emails.

Image source: securelist.com

Over 1,600 malicious emails were recorded between early January and early February 2026 alone, affecting sectors including industrial, consulting, retail, and transportation. The campaign's consistent structure and shared technical fingerprints allowed analysts to link the attacks to Silver Fox, a known cyber-espionage actor.

Deceptive Tax Themes Exploit Trust in Authorities

In December 2025, the first wave targeted Indian organizations with emails mimicking official communications from the Indian tax service. A second wave in January 2026 shifted focus to Russian entities, using a nearly identical approach. Both waves employed phishing emails styled as audit notices or prompts to download a “list of tax violations.”

“The attackers are leveraging the inherent trust and urgency associated with tax authorities to bypass initial suspicion,” said Dr. Elena Vasquez, a senior threat intelligence analyst at CyberDefend Labs. “This tactic significantly increases the likelihood of victims interacting with malicious content.”

Two delivery methods were observed. In the January campaign, victims received a PDF containing clickable links to an archive hosted on a malicious domain (abc.haijing88[.]com). In the December campaign, the malicious code was embedded directly in email attachments disguised as PDF files.

Attack Chain: From Public Code to Custom Backdoor

Within the downloaded archives, researchers discovered a modified version of RustSL, a publicly available Rust-based loader. This loader executed ValleyRAT, a well-known remote access backdoor. However, deeper analysis revealed a new plugin delivered to victim machines: a loader for the previously undocumented ABCDoor backdoor, written in Python.

“Retrospective analysis indicates ABCDoor has been part of Silver Fox's arsenal since at least late 2024 and used actively from Q1 2025 onward,” noted Mark Chen, a malware analyst at DarkTrace Research. “Its modular design suggests future variants may evolve.”


Background: Silver Fox and Its Modus Operandi

Silver Fox is a cyber-espionage group known for targeting government agencies, industrial firms, and consultants, primarily in Asia and Eastern Europe. The group has previously deployed ValleyRAT and other backdoors to exfiltrate sensitive data. The adoption of a custom Python backdoor marks a tactical shift, potentially to evade detection and expand operational flexibility.

The use of tax-themed lures, which are common in financially motivated campaigns, is unusual for espionage-focused groups but underscores the group's willingness to mimic high-stakes correspondence. The phishing emails also bypassed email security gateways by using PDFs with external links rather than directly attaching malicious executables.

What This Means for Targeted Organizations

Organizations in the affected sectors, especially those with Russian or Indian operations, should reinforce email security policies and staff awareness. Employees must scrutinize unexpected tax-related communications, particularly those urging the immediate download of attachments or links.

Security teams should monitor for signs of ValleyRAT or ABCDoor infections, such as unusual network traffic from workstations or the presence of RustSL binaries. The attack chain's reliance on public code (RustSL) and a custom Python backdoor highlights the need for endpoint detection and response (EDR) solutions that can identify unusual script execution and memory-resident payloads.
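The two delivery methods described above (a PDF carrying a link to an archive on the attacker's domain, and an attachment disguised as a PDF) can both be caught at the mail gateway with simple content checks. The following triage script is an added example, not code from the original report or from any vendor: it compares each attachment's declared extension with its actual file signature, extracts plain URI actions from genuine PDFs, and flags links to the domain named in the article. The attachment bytes are constructed samples, not real malware, and the watchlist is just the one defanged domain the article gives.

```python
import re

# Constructed sample attachments: the filename shown to the user plus the
# leading bytes of the payload (none of these are real malware).
SAMPLE_ATTACHMENTS = {
    "tax_violations_list.pdf": b"MZ\x90\x00" + b"\x00" * 60,   # PE executable renamed .pdf
    "audit_notice.pdf": (b"%PDF-1.7\n1 0 obj << /Type /Action /S /URI "
                         b"/URI (http://abc.haijing88.com/list.zip) >> endobj\n"),
    "invoice.pdf": b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n",
    "archive.pdf": b"PK\x03\x04" + b"\x00" * 30,                 # ZIP renamed .pdf
}

# File signatures checked before trusting the extension.
MAGIC = [(b"%PDF-", "pdf"), (b"MZ", "pe"), (b"PK\x03\x04", "zip"), (b"\x7fELF", "elf")]

# Domain from the January 2026 wave, kept in the article's defanged form and
# normalised only for comparison.
WATCHLIST = {d.replace("[.]", ".") for d in ("abc.haijing88[.]com",)}

URI_RE = re.compile(rb"/URI\s*\(([^)]*)\)")


def sniff_type(data: bytes) -> str:
    """Return the file type implied by the leading bytes, not the extension."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def pdf_uris(data: bytes) -> list:
    """Pull unencoded /URI action targets out of a PDF body."""
    return [m.decode("latin-1") for m in URI_RE.findall(data)]


def host_of(url: str) -> str:
    m = re.match(r"[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else ""


def triage_attachment(name: str, data: bytes) -> list:
    """Return human-readable findings for one attachment (empty list = clean)."""
    findings = []
    kind = sniff_type(data)
    if name.lower().endswith(".pdf") and kind != "pdf":
        findings.append(f"extension/content mismatch: .pdf but content is {kind}")
    if kind == "pdf":
        for uri in pdf_uris(data):
            if host_of(uri) in WATCHLIST:
                findings.append(f"link to watchlisted host: {host_of(uri)}")
    return findings


def triage_all(attachments: dict) -> dict:
    return {n: triage_attachment(n, d) for n, d in attachments.items()}
```

Running `triage_all(SAMPLE_ATTACHMENTS)` flags the renamed executable and ZIP for the signature mismatch and the audit-notice PDF for its link, while the plain invoice PDF passes; a real gateway would also need to handle encoded or compressed URI strings, which this regex does not.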

As of February 2026, the campaign appears ongoing. Researchers urge victims to report any suspicious emails to national cybersecurity centers and to apply the indicators of compromise (IoCs) provided by threat intelligence feeds.


This article was updated with expert commentary. For more context on the original discovery, see the background section.