How the Silver Fox Group Exploits Tax Authorities to Deploy ABCDoor Backdoor: A Step-by-Step Guide for Security Analysts


Introduction

In December 2025, a wave of malicious emails impersonating the Indian tax service began targeting organizations across multiple sectors. By January 2026, a nearly identical campaign emerged against Russian entities. Both attacks have been attributed to the threat group known as Silver Fox. This step-by-step guide walks analysts through the full attack chain—from the initial phishing email to the deployment of a previously undocumented Python-based backdoor we call ABCDoor. By following these steps, you can better detect, analyze, and defend against similar campaigns.

Source: securelist.com

What You Need

  • Basic understanding of phishing techniques and social engineering
  • Access to email analysis tools (e.g., email header parser, attachment extractor)
  • A sandbox environment for safely executing suspicious files
  • Familiarity with Rust binaries and Python scripts
  • Threat intelligence feeds (optional, for cross-referencing domains)

Step-by-Step Analysis

Step 1: Identify the Phishing Email

Both campaigns used emails styled as official tax authority correspondence. The December version targeted Indian organizations with a subject line related to tax audits and included an archive (ITD.-.rar) or a PDF with download links. The January version targeted Russian entities with a PDF attachment containing links to a malicious ZIP archive hosted at abc.haijing88[.]com/uploads/фнс/фнс.zip.

  • Key indicators: The sender address may appear legitimate but the content pressures the recipient to act quickly. Look for grammar inconsistencies or mismatched language for the region.
  • Delivery method: The Indian campaign sent the malicious attachment directly; the Russian campaign used download links inside the PDF to bypass email security gateways.

Step 2: Analyze the Attachment and Extract the Payload

In the Indian campaign, the archive ITD.-.rar contains a single executable (Click File.exe) disguised with an Adobe PDF icon. This is the initial loader. In the Russian campaign, the PDF contains two clickable links that lead to the same ZIP archive. Inside the ZIP, you find a modified Rust-based loader.

  • Extraction caution: Always use a sandbox or dedicated analysis VM. The executable may have anti-analysis checks.
  • Archive content: The Rust loader (later identified as a variant of RustSL) is compiled from publicly available source code with custom modifications.
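The PDF lure in Steps 1 and 2 carries its payload as clickable links rather than as an attachment, so the first triage step is to pull every link target out of the file and compare it against known infrastructure. The script below is an added example for this guide, not code from the Securelist report: it reads /URI link actions straight out of raw PDF bytes with a regex (enough for the uncompressed, constructed sample inside it; real lures often keep annotations in compressed object streams and should go through a PDF parser such as pypdf first). The blocklist holds only the host this article names, and the sample PDF, its second harmless link, and the helper names are assumptions.

```python
"""Extract link targets from a PDF lure and flag the suspicious ones.

Added example for Steps 1-2 of this guide; not code from the Securelist
report. /URI literal strings are matched directly in the raw bytes, which
works for the uncompressed objects in the constructed sample below.
"""
import re
from urllib.parse import urlparse

# Assumption: the blocklist contains only the host named in this article.
KNOWN_BAD_HOSTS = {"abc.haijing88.com", "haijing88.com"}
PAYLOAD_EXT = (".zip", ".rar", ".7z", ".exe", ".scr", ".msi", ".js", ".lnk")

# Constructed sample: two link annotations pointing at the same archive (as in
# the Russian campaign) plus one harmless link with PDF-escaped parentheses.
# Built as text and encoded so the Cyrillic path is stored as UTF-8.
SAMPLE_PDF = """%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Annots [4 0 R 5 0 R 6 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [50 700 300 720]
  /A << /S /URI /URI (http://abc.haijing88.com/uploads/фнс/фнс.zip) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [50 650 300 670]
  /A << /S /URI /URI (http://abc.haijing88.com/uploads/фнс/фнс.zip) >> >> endobj
6 0 obj << /Type /Annot /Subtype /Link /Rect [50 600 300 620]
  /A << /S /URI /URI (https://example.org/privacy\\(policy\\).html) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
""".encode("utf-8")

# The /URI key followed by a literal string; "\\." keeps escaped parens inside.
URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")


def extract_uris(pdf_bytes: bytes) -> list[str]:
    """Return every /URI target in document order. Duplicates are kept on
    purpose: two links to one payload is itself a lure characteristic."""
    uris = []
    for m in URI_RE.finditer(pdf_bytes):
        raw = re.sub(rb"\\([()\\])", rb"\1", m.group(1))  # undo PDF escapes
        uris.append(raw.decode("utf-8", errors="replace"))
    return uris


def classify(uri: str) -> str:
    """known-bad: host on the blocklist (or a subdomain of one);
    direct-download: path ends in an archive/executable extension."""
    p = urlparse(uri)
    host = (p.hostname or "").lower()
    if host in KNOWN_BAD_HOSTS or any(host.endswith("." + b) for b in KNOWN_BAD_HOSTS):
        return "known-bad"
    if p.path.lower().endswith(PAYLOAD_EXT):
        return "direct-download"
    return "unclassified"


def triage_pdf(pdf_bytes: bytes) -> dict:
    """Summarise a lure: every URI, one verdict per distinct URI, and the
    targets that are linked more than once."""
    uris = extract_uris(pdf_bytes)
    verdicts = {u: classify(u) for u in dict.fromkeys(uris)}
    repeated = sorted({u for u in uris if uris.count(u) > 1})
    return {
        "uris": uris,
        "verdicts": verdicts,
        "repeated_targets": repeated,
        "suspicious": any(v != "unclassified" for v in verdicts.values()),
    }


if __name__ == "__main__":
    for uri, verdict in triage_pdf(SAMPLE_PDF)["verdicts"].items():
        print(f"{verdict:16} {uri}")
```

The "direct-download" class is deliberately broad: a tax notice that links straight to a .zip or .exe is worth a look even when the host is not yet on any list, which is how the January campaign's archive would have been caught before the domain was known.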

Step 3: Reverse-Engineer the RustSL Loader

The loader, named RustSL, is a Rust-based program whose source was publicly available on GitHub. The Silver Fox variant changes the embedded strings and the callback routine so that the loader contacts a command-and-control (C2) server and downloads the next stage. Analyze the binary statically (e.g., strings, Ghidra) to find:

  • Embedded C2 URLs or IP addresses
  • Any key material used to decode the configuration or the downloaded stage (if the variant encrypts either)
  • The configuration of the download routine (how the URL is built and where the downloaded stage is written)

Note: The loader is built to look like any other Rust binary, so its strings alone may not stand out. Rust also stores string literals without terminators, packed back to back, so `strings` output often runs a URL together with neighbouring text such as panic messages or source paths. Confirm static findings by watching for unexpected outbound connections during dynamic analysis.
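The indicator carving described in this step, as an added example that is not a tool from the Securelist report: it scans raw bytes with bounded regexes for URLs and IP:port pairs, in ASCII and in UTF-16LE (Windows APIs often receive wide strings), and reports the hostname separately because the hostname survives Rust's string packing even when the path gets glued to a neighbouring literal. The sample bytes are constructed, not a RustSL sample; the domain is the one named in this article, and the other host and IP are made up.

```python
"""Carve candidate C2 indicators (URLs, hosts, IP:port) out of a loader binary.

Added example for Step 3; not from the Securelist report. SAMPLE_BIN is
constructed: a PE-like header, a Rust panic message glued to a URL glued to
a source path, a UTF-16LE URL, and a dotted quad with a port.
"""
import re
from urllib.parse import urlparse

URL_ASCII = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d{1,5})?(?:/[^\s\x00\"'<>]*)?")
IPV4_PORT = re.compile(
    rb"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?::\d{1,5})?\b"
)
# Six or more printable ASCII code units with zero high bytes: a UTF-16LE run.
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")

SAMPLE_BIN = (
    b"MZ\x90\x00" + b"\x00" * 12
    + b"called `Option::unwrap()` on a `None` value"
    + b"https://abc.haijing88.com/uploads/next.binsrc/main.rs"   # packed Rust literals
    + b"\x00" * 8
    + "http://update.example-cdn.test/get".encode("utf-16-le")    # wide string
    + b"\x00" * 8
    + b"45.0.0.1:8443" + b"\x00" * 4
)


def wide_strings(data: bytes) -> list[str]:
    """Decode every UTF-16LE run so the ASCII regexes can be reused on it."""
    return [m.group(0).decode("utf-16-le") for m in WIDE_RUN.finditer(data)]


def extract_indicators(data: bytes) -> dict:
    """URLs, hostnames and IP:port candidates from ASCII and wide strings.
    A URL's path may be over-long when Rust packed it against another
    literal (see SAMPLE_BIN); the hostname is the reliable part."""
    urls, ips = set(), set()
    blobs = [data] + [s.encode("ascii") for s in wide_strings(data)]
    for blob in blobs:
        urls.update(m.group(0).decode("ascii", "replace") for m in URL_ASCII.finditer(blob))
        ips.update(m.group(0).decode("ascii") for m in IPV4_PORT.finditer(blob))
    hosts = {urlparse(u).hostname for u in urls} - {None}
    return {"urls": sorted(urls), "hosts": sorted(hosts), "ips": sorted(ips)}


def matches_known_infrastructure(ind: dict, bad_hosts=("haijing88.com",)) -> list[str]:
    """Hosts equal to, or subdomains of, an assumed blocklist (this article's domain)."""
    return [h for h in ind["hosts"]
            if any(h == b or h.endswith("." + b) for b in bad_hosts)]


if __name__ == "__main__":
    found = extract_indicators(SAMPLE_BIN)
    for key in ("urls", "hosts", "ips"):
        print(key, found[key])
    print("known infrastructure:", matches_known_infrastructure(found))
```

Treat the IP list as noisy: version strings and float constants can produce dotted quads, so pivot on the host list first and confirm the rest in the sandbox's network capture.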

Step 4: Observe the Download and Execution of ValleyRAT

Once executed, the RustSL loader contacts its C2 and retrieves the well-known backdoor ValleyRAT. This RAT gives attackers remote control over the infected machine. In this campaign, ValleyRAT was observed performing typical post-exploitation tasks like keylogging, screen capture, and file exfiltration.

  • Detection: Use network monitoring to spot unusual outbound connections, especially to domains like haijing88[.]com or other unfamiliar hosts.
  • Behavior: ValleyRAT may inject into legitimate processes to evade detection.

Step 5: Find the New ABCDoor Backdoor Plugin

During the investigation, analysts discovered that ValleyRAT was also delivering a new plugin to victim machines. This plugin functions as a loader for a Python-based backdoor that our team named ABCDoor. ABCDoor appears to be part of the Silver Fox arsenal since at least late 2024. The plugin is dropped by ValleyRAT and then executes ABCDoor in memory.

  • Identification: Because the plugin runs ABCDoor in memory, file-based hunting may find nothing on disk. Look for a Python runtime (a python3x.dll or a PyInstaller-style extraction directory) loaded by a process that is not a Python interpreter, and for Python scripts or compiled Python binaries (e.g., PyInstaller) launched from temp directories.
  • Capabilities: ABCDoor provides persistent backdoor access over its own C2 channel, which is likely encrypted.
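A hunt for the behaviour described in this step, as an added example that is not a detection from the Securelist report: it runs three rules over constructed, Sysmon-style JSON events (a ProcessCreate from a user-writable directory, a Python runtime DLL loaded by a non-Python host, and python.exe started on a script under Temp). Field names, paths, process names and PIDs are all assumptions.

```python
"""Hunt for an embedded-Python backdoor in process telemetry.

Added example for Step 5; not from the Securelist report. Since ABCDoor is
run in memory by a ValleyRAT plugin rather than dropped as a script, the key
rule is the interpreter itself appearing inside a foreign host process.
Events below are constructed; the schema is assumed.
"""
import json
import re

PY_DLL = re.compile(r"\\python3\d*\.dll$", re.I)          # python3.dll, python39.dll, ...
PY_HOST = re.compile(r"\\pythonw?\.exe$", re.I)          # the legitimate interpreter
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|Windows\\Temp|Users\\Public|ProgramData)\\", re.I
)


def ev(kind, pid, image, **extra):
    """Build one constructed JSON log line."""
    return json.dumps({"event": kind, "pid": pid, "image": image, **extra})


LOG_LINES = [
    ev("ProcessCreate", 4120, r"C:\Users\ana\AppData\Local\Temp\Click File.exe",
       parent=r"C:\Program Files\WinRAR\WinRAR.exe", cmdline='"Click File.exe"'),
    ev("ImageLoad", 4120, r"C:\Users\ana\AppData\Local\Temp\Click File.exe",
       loaded=r"C:\Windows\System32\ws2_32.dll"),
    ev("ImageLoad", 5208, r"C:\ProgramData\svc\update.exe",
       loaded=r"C:\ProgramData\svc\python39.dll"),
    ev("ProcessCreate", 6012, r"C:\Python311\python.exe",
       parent=r"C:\ProgramData\svc\update.exe",
       cmdline=r'python.exe "C:\Users\ana\AppData\Local\Temp\s.py"'),
    ev("ProcessCreate", 6100, r"C:\Python311\python.exe",
       parent=r"C:\Windows\System32\cmd.exe",
       cmdline=r"python.exe C:\dev\app\manage.py runserver"),
    ev("ImageLoad", 6100, r"C:\Python311\python.exe",
       loaded=r"C:\Python311\python311.dll"),
]


def hunt(lines) -> list[dict]:
    """Apply the three rules to JSON event lines; return findings in order."""
    findings = []
    for line in lines:
        e = json.loads(line)
        image, kind, pid = e["image"], e["event"], e["pid"]
        if kind == "ProcessCreate":
            if USER_WRITABLE.search(image):
                findings.append({"rule": "exec-from-user-writable", "pid": pid, "image": image})
            if PY_HOST.search(image) and USER_WRITABLE.search(e.get("cmdline", "")):
                findings.append({"rule": "python-script-from-user-writable", "pid": pid,
                                 "image": image, "cmdline": e["cmdline"]})
        elif kind == "ImageLoad":
            loaded = e["loaded"]
            # The interpreter DLL inside a process that is not python.exe is the
            # in-memory Python backdoor pattern; python.exe loading it is normal.
            if PY_DLL.search(loaded) and not PY_HOST.search(image):
                findings.append({"rule": "python-runtime-in-foreign-host", "pid": pid,
                                 "image": image, "loaded": loaded})
    return findings


if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f)
```

The foreign-host rule also fires on PyInstaller one-file executables, which extract python3x.dll into a _MEI directory under Temp and load it from there; that is the expected noise in environments with legitimate PyInstaller tools, so tune on the host image path rather than suppressing the rule.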

Step 6: Assess the Campaign Scope and Impact

Between early January and early February 2026, over 1,600 malicious emails were recorded. The affected sectors include industrial, consulting, retail, and transportation in both India and Russia. The attackers chose tax-authority themes to create urgency and compliance. Delivering the payload through links in a PDF rather than as a direct attachment keeps the malicious file out of the email itself, a common way to avoid attachment-scanning gateways.

  • Attribution: Silver Fox is a threat group with a long record of ValleyRAT distribution, known for targeting government and corporate entities.
  • Timeline: Retrospective analysis places ABCDoor in the group's arsenal since at least late 2024, with confirmed use in real attacks from Q1 2025 onward, meaning the group refined its tools over time before these campaigns.

Tips for Defending Against Silver Fox Campaigns

  • Train users: Educate employees to be skeptical of unsolicited tax notices, especially those urging immediate action or requiring downloads.
  • Enforce email security: Configure gateways to block executable files inside archives and to scan PDFs for embedded links to suspicious domains.
  • Monitor network traffic: Create alerts for connections to domains associated with haijing88[.]com and similar infrastructure.
  • Use YARA rules: Write signatures for the RustSL loader (e.g., unique string patterns) and for ABCDoor’s Python stubs.
  • Conduct regular threat hunting: Search for artifacts like ValleyRAT or unexpected Python processes in your environment.
  • Share intelligence: Collaborate with industry peers to correlate IOCs from similar campaigns.

By understanding the full attack chain—from the deceptive email to the final backdoor—you can build more effective defenses against Silver Fox and similar threat actors.
