New 'ABCDoor' Backdoor Unleashed by Silver Fox in Widescale Tax-Themed Phishing Attacks on Russia and India
Breaking: Silver Fox Deploys Novel Python-Based Backdoor in Global Tax Scam Campaigns
A sophisticated cyber espionage operation has hit hundreds of organizations across Russia and India, using tax authority lures to deliver a previously unseen backdoor named ABCDoor, researchers revealed today. The campaign, active since December 2025, has already sent over 1,600 malicious emails to targets in industrial, consulting, retail, and transportation sectors.

“This is a highly targeted campaign that exploits the urgency of tax correspondence to bypass security controls,” a senior threat analyst at the cybersecurity firm tracking the group told reporters. “The use of a custom Python-based backdoor marks a significant escalation in Silver Fox’s capabilities.”
Attack Chain: From Phishing Email to Full-System Compromise
The attacks follow a nearly identical playbook. Phishing emails, disguised as official tax audit notices or lists of violations, arrive with either a PDF or an attached archive. In the January 2026 wave targeting Russia, victims received a PDF containing two links that lead to a malicious website (abc.haijing88[.]com/uploads/фнс/фнс.zip) hosting the archive. In the December 2025 wave aimed at India, the malicious code was attached directly to the email, for example as ITD.-.rar containing Click File.exe.
Once opened, the archive releases a modified version of the Rust-based loader RustSL, whose source code is publicly available on GitHub. This loader then downloads and executes the well-known ValleyRAT backdoor. “What makes this campaign particularly dangerous is the loader’s ability to install a brand-new plugin—the ABCDoor backdoor—as a second stage,” the analyst added.
Background
The Silver Fox threat group, known for its persistent cyber espionage campaigns, has been operating for several years. In December 2025, researchers detected the first wave of emails designed to look like official Indian tax service correspondence. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations, using emails styled as tax audit requests from the Russian Federal Tax Service.

Retrospective analysis reveals that ABCDoor was developed as early as late 2024 and has been deployed in real-world attacks from Q1 2025 onward. The backdoor, written in Python, acts as a loader for additional malware and provides attackers with persistent remote access to compromised systems.
The campaign's infrastructure includes domains such as abc.haijing88[.]com, which hosted the malicious archive files. Delivering a link inside a PDF rather than attaching the archive itself is designed to get past email security gateways: the attached document carries no executable content, only a URL, so it is less likely to be blocked, and the malicious archive is fetched by the recipient's browser only after the link is clicked.
What This Means
The deployment of a custom Python-based backdoor indicates that Silver Fox is investing in new tools to evade detection. "ABCDoor represents a shift toward more modular, script-based malware that can be easily updated and obfuscated," explained an independent threat intelligence researcher. "Organizations in Russia and India should immediately review any unsolicited tax-related emails and block domains associated with this campaign."
The attack also shows how freely available offensive tooling lowers the bar for attackers: because RustSL's source code is public on GitHub, Silver Fox could modify the loader to suit its own delivery chain, and signature-based detections written for the stock loader may not fire on the altered build. With over 1,600 malicious emails already sent, the campaign may still be ongoing. Companies in industrial, consulting, retail, and transportation sectors should treat any unexpected tax notification as suspicious and verify it through official channels rather than via links or attachments in the email.
Security teams are urged to monitor web proxy and DNS logs for connections to abc.haijing88[.]com and related domains, to hunt for the archive and executable names seen in the campaign (фнс.zip, ITD.-.rar, Click File.exe), and to deploy endpoint detection rules for the modified RustSL loader and the ABCDoor backdoor. The full IOC list is expected to be published shortly.
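As a practical illustration of the hunting advice above, the following Python script is an added example and is not part of the researchers' report or of any published IOC list. It uses only the indicators named in this article (the domain abc.haijing88[.]com, the archive path /uploads/фнс/фнс.zip, and the file names фнс.zip, ITD.-.rar and Click File.exe), refangs the defanged notation, and scans web proxy log lines for them. Two things are assumptions: the log layout and the sample lines are constructed for this example, and the script additionally flags the parent zone haijing88[.]com as a lower-confidence "related domain" hit, which goes beyond the single host the article names. It also shows the one edge case a practitioner is likely to hit with this campaign: proxies record the Cyrillic path segment percent-encoded, so the URL must be decoded before it is compared with the IOC.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators named in the article, kept in the defanged form the article uses.
IOC_DOMAINS = ["abc.haijing88[.]com"]
IOC_PATHS = ["/uploads/фнс/фнс.zip"]
IOC_FILENAMES = ["фнс.zip", "ITD.-.rar", "Click File.exe"]


def refang(value: str) -> str:
    """Turn 'example[.]com' / 'hxxp://' notation back into a matchable value."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


DOMAINS = {refang(d).lower() for d in IOC_DOMAINS}
# Parent zones of the listed hosts. Hits here are an assumption of this
# example (lower confidence); the article only names abc.haijing88[.]com.
PARENT_ZONES = {".".join(d.split(".")[-2:]) for d in DOMAINS}
PATHS = set(IOC_PATHS)
FILENAMES = set(IOC_FILENAMES)

# Assumed proxy log layout (constructed for this example):
#   <iso-timestamp> <client-ip> <method> <url> <http-status>
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def classify_url(url: str) -> list:
    """Return the IOC categories a URL matches, decoding %-escapes first."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    path = unquote(parts.path)            # %D1%84%D0%BD%D1%81 -> фнс
    filename = path.rsplit("/", 1)[-1]
    reasons = []
    if host in DOMAINS or any(host.endswith("." + d) for d in DOMAINS):
        reasons.append("domain")
    elif any(host == z or host.endswith("." + z) for z in PARENT_ZONES):
        reasons.append("parent-zone")
    if path in PATHS:
        reasons.append("path")
    if filename in FILENAMES:
        reasons.append("filename")
    return reasons


def scan(lines):
    """Parse log lines and return the ones that match at least one IOC."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not fit the layout
        reasons = classify_url(m["url"])
        if reasons:
            hits.append({"ts": m["ts"], "src": m["src"], "url": m["url"], "reasons": reasons})
    return hits


# Constructed sample log lines; the benign example.com/example.net hosts are placeholders.
SAMPLE_LOG = [
    "2026-01-14T09:12:03Z 10.0.0.21 GET http://abc.haijing88.com/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip 200",
    "2026-01-14T09:12:40Z 10.0.0.21 GET https://www.example.com/tax/notice.pdf 200",
    "2025-12-09T14:02:11Z 10.0.0.33 GET https://files.example.net/mail/ITD.-.rar 200",
    "2025-12-09T14:03:02Z 10.0.0.33 GET https://files.example.net/mail/Click%20File.exe 200",
    "2026-01-15T08:30:17Z 10.0.0.40 GET https://mirror.haijing88.com/index.html 404",
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ts"], h["src"], ",".join(h["reasons"]), h["url"])
```

Running the script prints four hits out of the five constructed lines: the archive download matches on domain, path and file name at once, the two Indian-wave file names match on name alone even though they were served from unrelated hosts, and the sibling host under haijing88.com surfaces only as a parent-zone hit for an analyst to review. Matching on file name independently of the domain is deliberate, since the same lure archives could be rehosted elsewhere once the named domain is blocked.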