Malware, Phishing, Threat Intelligence

Silver Fox expands Asia cyber campaign with new ABCDoor malware

The Hacker News reports that the China-based cybercrime group Silver Fox has been linked to a new campaign targeting organizations in Russia and India with new malware called ABCDoor. The activity involved phishing emails that mimicked correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities.

Kaspersky reported that the campaign utilized phishing emails styled as official notices regarding tax audits, prompting users to download an archive containing a "list of tax violations." Inside the archive was a modified Rust-based loader from a public repository, which then downloaded and executed the ValleyRAT backdoor. This campaign impacted organizations across the industrial, consulting, retail, and transportation sectors, with over 1,600 phishing emails flagged between early January and early February. A notable aspect is the delivery of a new ValleyRAT plugin functioning as a loader for ABCDoor, a previously undocumented Python-based backdoor active since at least December 19, 2024.

The attack chain begins with a phishing email containing a PDF file with links to download a ZIP or RAR archive. The executable within the archive is a modified version of RustSL, an open-source shellcode loader. This variant unpacks encrypted malicious payloads, performs geofencing and environment checks, and can establish persistence using a method called Phantom Persistence. The ultimate goal is to download the encrypted ValleyRAT malware, which handles command-and-control communications and executes additional modules, including ABCDoor for data exfiltration and remote control.

Source: The Hacker News
