securelist.com 4/30/2026, 7:06:54 AM

Silver Fox tax phishing campaign spreads ValleyRAT and ABCDoor

The Silver Fox threat group has been observed targeting organisations in Russia and India, posing as tax authorities to distribute ValleyRAT alongside a new backdoor named ABCDoor. The campaign began with a December 2025 wave of tax-related phishing emails and expanded in January 2026 to additional victims across multiple sectors, surpassing 1,600 malicious emails in the early part of 2026.

The attackers employed a RustSL loader that downloads and decrypts a ValleyRAT payload, and then loaded a previously undocumented Python-based backdoor, ABCDoor, which has been in development since at least late 2024 and has been used in real-world operations from Q1 2025 to the present.

ABCDoor runs as a Python-based backdoor inside a legitimate pythonw[.]exe process and establishes persistence via the registry and Task Scheduler. Its capabilities include remote control and screen broadcasting through ffmpeg, with updates and self-deletion managed through a PowerShell workflow.

According to Securelist, the campaign utilised multiple delivery methods, including attachments and links within PDFs, and involved modular loader architectures and staged payloads to minimise detection, with the geographic focus expanding to Japan in more recent iterations.

Article by CyberSIXT