Ifindal
2026-05-03
Cybersecurity

Silver Fox's Evolving Tactics: The ABCDoor Backdoor Campaign Against Russia and India

Silver Fox used tax-themed phishing emails to deliver the RustSL loader and ValleyRAT, then deployed the new ABCDoor Python backdoor against Russia and India in late 2025 and early 2026.

In late 2025 and early 2026, the threat group known as Silver Fox launched a sophisticated phishing campaign targeting organizations in Russia and India. Using convincing tax-themed lures, they delivered a new Python-based backdoor named ABCDoor alongside the well-known ValleyRAT. This Q&A explores the key aspects of the attack chain, the tools used, and how organizations can defend against such threats.

What is Silver Fox and why are they targeting Russia and India?

Silver Fox is a cyber threat group first identified in 2024. Their recent campaigns, detected in December 2025 and January 2026, focus on government and private sector entities in Russia and India. The group uses meticulously crafted phishing emails posing as official tax service communications to increase the likelihood of victims engaging with malicious content. By impersonating tax authorities, they exploit the inherent trust and urgency associated with such correspondence. The sectors most affected include industrial, consulting, retail, and transportation, highlighting a broad strategic interest rather than a narrow focus.

Silver Fox's Evolving Tactics: The ABCDoor Backdoor Campaign Against Russia and India
Source: securelist.com

How did the phishing emails in each country differ?

While both campaigns used tax-themed lures, technical execution diverged. In the Russia-focused wave (January 2026), the phishing email included a PDF attachment containing two clickable links that downloaded an archive named фнс.zip from a malicious site (abc.haijing88[.]com). This PDF-specific approach was designed to bypass email security gateways. In the India-focused wave (December 2025), malicious code was embedded directly within the attached PDF, and later in December, emails included a PDF with links to a CBDT.rar archive. The Indian campaign also leveraged the SendGrid cloud platform for delivery.

What is the RustSL loader and how does it work?

RustSL is an open-source, Rust-based loader available on GitHub. Silver Fox used a modified version of this loader to initiate the infection chain. In both campaigns, once the victim opened the archive (either фнс.zip or ITD.-.rar), a RustSL executable was extracted—often disguised as Click File.exe with a fake PDF icon. This loader then connects to a remote server to download and execute the ValleyRAT backdoor, establishing persistent access to the victim’s machine.

What is ValleyRAT and why is it significant?

ValleyRAT is a well-known commodity backdoor that provides attackers with remote control over compromised systems. In this campaign, it served as the initial payload delivered by RustSL. However, researchers discovered that Silver Fox also deployed a new plugin for ValleyRAT that acted as a loader for a previously unknown Python-based backdoor, which they named ABCDoor. This layered approach—using ValleyRAT as a stepping stone—allows attackers to maintain stealth and flexibility, and ABCDoor has been in use since at least late 2024.

What is ABCDoor and how does it fit into the attack chain?

ABCDoor is a Python-based backdoor that represents an evolution in Silver Fox’s arsenal. It is delivered as a plugin to ValleyRAT, meaning only victims who first execute ValleyRAT receive ABCDoor. Once installed, ABCDoor can execute commands, exfiltrate data, and potentially serve as a persistent foothold. The backdoor remained undetected in public reports until this investigation. Retrospective analysis shows that ABCDoor has been part of real-world operations from Q1 2025 onward, indicating it is a mature tool for the group.


How did the attackers bypass email security measures?

The campaigns cleverly evaded email security gateways by using PDF attachments that contained links to download the malicious archive, rather than embedding executable code directly. This technique reduces the chance of being flagged by automated scanners that analyze attachments for malicious payloads. In the Russian campaign, the PDF links led to a site hosting фнс.zip; in the Indian case, the initial PDF itself contained embedded code but later versions also used the link method. Both approaches exploit the fact that security tools may treat PDFs with URLs as benign, especially when the URLs require human interaction to access.

What were the scale and sector impact of the campaign?

Between early January and early February 2026, over 1,600 malicious emails were recorded. The affected sectors span industrial, consulting, retail, and transportation organizations in both Russia and India. This wide distribution suggests Silver Fox is casting a broad net, likely aiming to collect sensitive financial data, intellectual property, or establish long-term access for espionage. The use of tax-themed lures is particularly effective because these documents are often considered routine and are less likely to raise suspicion among employees.

What can organizations do to defend against such targeted phishing attacks?

Organizations should implement a multi-layered defense strategy. First, deploy advanced email security that can detect novel URL-based attacks, including sandboxing PDFs that contain links. Second, train employees to verify the authenticity of tax-related communications through official channels. Third, use endpoint detection and response (EDR) tools to identify unusual behaviors such as RustSL loader execution or ValleyRAT’s network activity. Finally, keep software updated and restrict the execution of files from archives. Since the attack chain relies on user interaction, awareness and robust technical controls are both essential.
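The two gaps the campaign exploited, PDF attachments whose only payload is a link to an archive and archives that hide an executable behind a document-like name, can both be covered by a simple attachment triage step. The following is an added example written for this article, not code from the securelist report or from any product; the PDF and ZIP samples are constructed, the blocklisted host is the one quoted above, and the link extractor assumes uncompressed PDF objects (decompress object streams first on real files).

```python
import io
import re
import zipfile
from urllib.parse import urlparse

ARCHIVE_EXTS = (".zip", ".rar", ".7z")
KNOWN_BAD_HOSTS = {"abc.haijing88.com"}  # download host quoted in the report

# /URI (literal) or /URI <hex> in a link annotation; assumes the PDF objects
# are uncompressed (decompress object streams first for real-world files).
_URI_RE = re.compile(rb"/URI\s*(?:\(([^)]*)\)|<([0-9A-Fa-f\s]*)>)")

def extract_pdf_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target found in the raw PDF bytes."""
    uris = []
    for lit, hexs in _URI_RE.findall(pdf_bytes):
        raw = lit or bytes.fromhex("".join(hexs.decode().split()))
        uris.append(raw.decode("utf-8", errors="replace"))
    return uris

def flag_pdf_links(pdf_bytes: bytes) -> list[tuple[str, str]]:
    """Return (uri, reason) for links that should be blocked or sandboxed."""
    findings = []
    for uri in extract_pdf_uris(pdf_bytes):
        parsed = urlparse(uri)
        if (parsed.hostname or "").lower() in KNOWN_BAD_HOSTS:
            findings.append((uri, "host matches known indicator"))
        elif parsed.path.lower().endswith(ARCHIVE_EXTS):
            findings.append((uri, "link downloads an archive"))
    return findings

def flag_archive_members(zip_bytes: bytes) -> list[str]:
    """Return names of ZIP members that are PE executables (MZ header)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [i.filename for i in zf.infolist()
                if not i.is_dir() and zf.open(i).read(2) == b"MZ"]

# Constructed samples: a minimal PDF with three link annotations, and a ZIP
# holding an executable posing as a document beside a harmless text file.
SAMPLE_PDF = (
    b"%PDF-1.4\n1 0 obj << /S /URI /URI (http://abc.haijing88.com/"
    + "фнс.zip".encode() + b") >> endobj\n"
    b"2 0 obj << /S /URI /URI (https://tax.example.org/guidance.pdf) >> endobj\n"
    b"3 0 obj << /S /URI /URI (https://cdn.example.net/CBDT.rar) >> endobj\n"
)
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("Click File.exe", b"MZ\x90\x00" + b"\x00" * 60)
    _zf.writestr("readme.txt", b"plain text, not a program")
SAMPLE_ZIP = _buf.getvalue()
```

Run `flag_pdf_links` on each inbound PDF and `flag_archive_members` on each archive the gateway can open; a hit on either is a reason to hold the message for sandbox detonation rather than deliver it.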