Full Report
The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor. The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities in January 2026. “Both waves followed a…
Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
- **Actor Identification:** Silver Fox is a China-based cybercrime group.
- **Aliases:** None explicitly listed in the report, though the group is often associated with large-scale phishing campaigns.
- **Origins:** Geographically attributed to China.
## Activity Summary
- **Campaign 1 (India):** In December 2025, the group conducted a phishing campaign mimicking official correspondence from the Income Tax Department of India.
- **Campaign 2 (Russia):** In January 2026, the group launched a nearly identical operation targeting Russian entities using tax-themed lures.
- **Methodology:** Both waves utilized archives containing "tax violation" notices to deliver a specialized loader that eventually deployed backdoors.
## Tactics, Techniques & Procedures
- **Phishing (T1566):** Use of tax-themed emails styled as official government notices (Tax Audits, Tax Violations) to provoke urgency.
- **Malicious File Archives (T1204.002):** Delivery of compressed archives containing malware loaders.
- **Malware Loading (T1105):** Utilization of a modified Rust-based loader sourced from a public repository.
- **Persistence & Command and Control:** Deployment of backdoors to maintain access and receive remote instructions.
## Targeting
- **Sectors:** Government (Taxation/Finance interest), Corporate entities.
- **Geography:** India and Russia.
- **Victims:** Indian organizations and individuals targeted with lures impersonating the Income Tax Department of India; unspecified Russian entities.
## Tools & Infrastructure
- **ABCDoor:** A new malware family identified by analysts in this campaign.
- **ValleyRAT:** A well-known backdoor used as a primary payload.
- **Rust Loader:** A modified, open-source loader implemented in the Rust programming language.
- **Infrastructure:** Phishing lures mimicking official domains (e.g., Income Tax Department of India).
## Implications
Silver Fox demonstrated high adaptability by pivoting from Indian targets to Russian targets within a single month using the same infrastructure and social engineering themes. The use of Rust-based loaders indicates an attempt to evade traditional signature-based detection, while the deployment of ValleyRAT suggests the ultimate goal is long-term access for data theft or financial gain.
## Mitigations
- **Email Security:** Implement advanced phishing filters that scan for archives and analyze the behavior of embedded executable loaders.
- **Endpoint Detection (EDR):** Deploy EDR solutions capable of detecting the execution of unauthorized Rust-based binaries and the network callbacks associated with ValleyRAT.
- **User Awareness:** Train employees to verify the sender of tax-related notices and avoid downloading archive attachments from unsolicited emails.
- **Application Whitelisting:** Restrict the execution of unknown binaries to prevent the initial loader from staging the backdoor.
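The "Email Security" mitigation above (scan archive attachments and flag embedded executable loaders) can be expressed as a small triage rule. The following Python is an added example written for this summary; it is not code from the report, from the analysts who named ABCDoor, or from Silver Fox's tooling. It assumes only what the report states: tax-themed subject lines and archives that carry a loader. The executable-extension list, the lure vocabulary, the nesting limit and the sample attachments are constructed for the demonstration.

```python
import io
import os
import re
import zipfile
from dataclasses import dataclass

# Extensions a legitimate tax notice would never carry; an archive member ending in
# one of these (including double extensions such as "notice.pdf.exe") is treated
# as a loader. Constructed list for the example, not taken from the report.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".scr", ".dll", ".com", ".pif", ".bat", ".cmd",
    ".ps1", ".js", ".vbs", ".hta", ".lnk", ".msi",
}
ARCHIVE_EXTENSIONS = {".zip"}
# Lure vocabulary drawn from the report's description of the campaign (tax audit /
# tax violation notices), plus a Russian stem for the second wave (constructed).
TAX_LURE_PATTERN = re.compile(
    r"tax (audit|violation|notice)|income tax|налог", re.IGNORECASE
)
MAX_NESTING = 2  # archives nested inside archives are bounded, not followed forever


@dataclass
class Verdict:
    action: str                 # "quarantine", "review" or "allow"
    executable_members: list    # member paths that look like loaders
    lure_terms: list            # lure phrases found in the subject


def find_executables(archive_bytes: bytes, depth: int = 0) -> list:
    """Return member names with executable extensions, descending into nested zips."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return []                # not a zip at all: nothing to inspect here
    found = []
    with zf:
        for name in zf.namelist():
            ext = os.path.splitext(name.lower())[1]
            if ext in EXECUTABLE_EXTENSIONS:
                found.append(name)
            elif ext in ARCHIVE_EXTENSIONS and depth < MAX_NESTING:
                inner = zf.read(name)
                found.extend(f"{name}/{m}" for m in find_executables(inner, depth + 1))
    return found


def triage(subject: str, attachments: dict) -> Verdict:
    """Combine lure wording in the subject with archive contents into one verdict."""
    lure_terms = [m.group(0) for m in TAX_LURE_PATTERN.finditer(subject)]
    executables = []
    for filename, data in attachments.items():
        if os.path.splitext(filename.lower())[1] in ARCHIVE_EXTENSIONS:
            executables.extend(f"{filename}/{m}" for m in find_executables(data))
    if executables and lure_terms:
        action = "quarantine"    # loader-bearing archive plus a tax lure: the reported pattern
    elif executables:
        action = "review"        # executable in an archive, but no lure wording
    else:
        action = "allow"
    return Verdict(action, executables, lure_terms)


def build_zip(members: dict) -> bytes:
    """Build an in-memory zip so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample attachments; none of these are real campaign artifacts.
LURE_ATTACHMENT = build_zip({
    "Tax_Violation_Notice.pdf.exe": b"MZ-not-a-real-binary",
    "readme.txt": b"please open the attached notice",
})
NESTED_ATTACHMENT = build_zip({"inner.zip": build_zip({"audit.scr": b"MZ"})})
BENIGN_ATTACHMENT = build_zip({"invoice_march.pdf": b"%PDF-1.4 placeholder"})


def demo() -> dict:
    """Run the three constructed messages through triage."""
    return {
        "lure": triage("Notice of Tax Violation - Income Tax Department",
                       {"notice.zip": LURE_ATTACHMENT}),
        "nested": triage("Quarterly figures", {"figures.zip": NESTED_ATTACHMENT}),
        "benign": triage("Invoice for March", {"invoice.zip": BENIGN_ATTACHMENT}),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict.action} "
              f"executables={verdict.executable_members} lure={verdict.lure_terms}")
```

The rule deliberately scores the two signals separately: an executable inside an archive is suspicious on its own and goes to review, while the combination with tax-themed wording matches the reported lure and is quarantined outright. Nested archives are unpacked to a fixed depth so a zip-inside-a-zip cannot hide the loader from the extension check, and non-zip data is simply reported as carrying no members rather than raising.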