CHINESE threat actor Silver Fox is behind a wave of malicious emails aimed at organisations in Russia and India, using tax-themed lures to deliver a previously undocumented ABCDoor backdoor and the ValleyRAT remote access trojan. According to Kaspersky researchers, the campaign began in December and expanded in January to Russian organisations using similar tactics.
More than 1,600 malicious messages were recorded in its telemetry between early January and early February, targeting the industrial, consulting, retail, and transportation sectors. The archives contained a modified Rust-based loader that downloads and executes ValleyRAT, and a backdoor dubbed ABCDoor; in some cases the emails instead carried PDFs linking to attacker-controlled infrastructure hosting malicious ZIP or RAR files.
ABCDoor establishes persistence via Windows Registry Run keys and scheduled tasks, communicates with C2 servers over HTTPS, and operates under a legitimate pythonw[.]exe process to enable covert remote interaction.