thehackernews.com 5/4/2026, 12:11:21 PM · via preferred

Silver Fox Tax Phishing Hits Russia, India with ABCDoor

Primary Source securelist.com

The China-based cybercrime group known as Silver Fox has been linked to a new campaign targeting organisations in Russia and India with a malware called ABCDoor, delivered through tax-themed phishing. According to Kaspersky, the phishing emails mimic notices about tax audits and direct recipients to download an archive that contains a modified Rust-based loader, which then downloads and executes the ValleyRAT backdoor.

The campaign utilised a loader that unpacks an encrypted ValleyRAT payload and employs country-based geofencing and environment checks to detect virtual machines and sandboxes, with India, Russia, Indonesia, South Africa and Japan appearing in the bespoke variant.

More than 1,600 phishing emails were flagged between early January and early February, and the attackers have used a PDF-styled malicious file whose attachments load a ZIP or RAR archive hosted at abc.haijing88[.]com, embedding the malicious code directly in the December 2025 campaign. The operation is said to have involved the use of a ValleyRAT plugin that acts as a loader for ABCDoor, which can enable data exfiltration, remote control and backdoor updates, according to the article.

The piece notes that Silver Fox has evolved into a dual-track model since 2024, pursuing both opportunistic profits and espionage, with recent activity expanding beyond China to include other regions.


Article by CyberSIXT
