Chinese threat actor Silver Fox is behind a wave of malicious emails aimed at organizations in Russia and India, using tax-themed message lures to deliver a previously undocumented backdoor as well as a remote access Trojan (RAT) that has already been widely wielded as part of the group’s arsenal.
The campaign, which began in December, surfaced with emails impersonating Indian tax authorities, and then expanded in January to target Russian organizations using similar tactics, according to a recent report by Kaspersky researchers.
“Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits, or prompted users to download an archive containing a ‘list of tax violations,’” Kaspersky researchers wrote in the report.
Inside the archive was a modified Rust-based loader pulled from a public repository, which would download and execute the well-known ValleyRAT backdoor. In some cases, the PDFs embedded links to attacker-controlled infrastructure hosting malicious ZIP or RAR files, the researchers said. The campaign also delivered a backdoor that the researchers hadn’t seen before, dubbed “ABCDoor.”
Kaspersky recorded more than 1,600 malicious messages within its telemetry related to the campaigns between early January and early February targeting various sectors — including industrial, consulting, retail, and transportation.
Tax Scams Show Universal Reach
Such tax scams are common in the US but apparently also have universal appeal for attackers looking to scam victims in other countries. That’s likely because they target “a very human weakness,” notes Rickard Carlsson, CEO of application security firm Detectify.
“People behave differently when they think a government authority is involved,” he tells Dark Reading. “An email about taxes, penalties, or an audit creates urgency before the victim has even opened the attachment.”
Indeed, social engineering in general remains an effective scam tactic, “because attackers only need one person to click once,” he adds, while defenders “are expected to get everything right all the time, often across an attack surface that keeps changing as new tools, services, integrations, and cloud assets are added.”
He adds, “On top of that, it is often impossible to fully lock systems down, as doing so would render them unusable for the business.”
ABCDoor: A Stealthy New Backdoor Malware
As mentioned, successful attacks resulted in the delivery of various payloads, notably a previously undocumented Python backdoor called ABCDoor that Kaspersky discovered has been in use by Silver Fox since at least late 2024. Overall, it has been used “in real-world attacks from the first quarter of 2025 to the present day,” the researchers wrote, even though it was just recently uncovered.
ABCDoor establishes persistence through Windows Registry Run keys and scheduled tasks, then communicates with its command-and-control (C2) servers over HTTPS using asynchronous Socket.IO messaging. Running under a legitimate pythonw.exe process to evade detection, the malware focuses less on traditional command execution and more on covert remote interaction capabilities, including multimonitor screen streaming via FFmpeg, remote mouse and keyboard control, clipboard theft, file operations, and limited file-encryption features.
The backdoor malware also supports self-updating and self-removal, collects extensive host metadata, and leaves forensic artifacts in the registry and %LOCALAPPDATA% directories that defenders can monitor for detection.
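As an added illustration (not code from the Kaspersky report, and not an ABCDoor signature), the PowerShell hunt below lists the two persistence locations the researchers name, Registry Run keys and scheduled tasks, and flags entries that launch pythonw.exe, ranking those whose command line points into %LOCALAPPDATA% first. It assumes the persistence entries reference pythonw.exe on their command line; the specific value and task names ABCDoor uses are not given on this page, so it matches only on the process name.

```powershell
# Added hunting script (assumption: persistence entries name pythonw.exe on the command line).
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
)
$pattern  = 'pythonw\.exe'   # legitimate interpreter the backdoor is reported to run under
$findings = @()

# Registry Run keys: each value is a command line executed at logon
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip provider metadata (PSPath, PSDrive, ...)
        $cmd = [string]$p.Value
        if ($cmd -match $pattern) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; CommandLine = $cmd }
        }
    }
}

# Scheduled tasks: inspect every action's executable and arguments
foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmd = "$($action.Execute) $($action.Arguments)"
        if ($cmd -match $pattern) {
            $findings += [pscustomobject]@{
                Source      = "Task $($task.TaskPath)$($task.TaskName)"
                Name        = $task.TaskName
                CommandLine = $cmd
            }
        }
    }
}

# Entries that resolve into the user's local app data are the more suspicious ones
foreach ($f in $findings) {
    $f | Add-Member -NotePropertyName InLocalAppData `
                    -NotePropertyValue ($f.CommandLine -like "*$env:LOCALAPPDATA*")
}
$findings | Sort-Object InLocalAppData -Descending | Format-Table -AutoSize
```

Run it per user profile (HKCU is the current user only); legitimate Python tooling will also match, so review each hit against the path it launches from.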
Other payloads in the attacks include ValleyRAT, whose use by Silver Fox has already been documented, and a customized version of the RustSL loader that has been heavily modified by the group to suit its own purposes, according to Kaspersky.
Expanding Geographic Reach for Cyberattacks
Silver Fox is a China-backed threat group that has been active for a few years and has become a sort of Swiss Army knife of threat groups, with diverse tactics, techniques, and procedures (TTPs) as well as diverse motives for its attacks. While primarily aimed at cyberespionage and critical-infrastructure disruption, the group also at times conducts financially motivated attacks, a cross-pollination that has been seen in North Korean threat actors but is rare for Chinese threat groups.
While the group primarily targets organizations in Taiwan, North America and Japan are also home to some of Silver Fox’s victims. The recent campaign is significant in that it shows the group expanding its regional focus for the first time to targets in Russia, the researchers noted.
Silver Fox also has added configurations for Japan for its specific implementation of RustSL loader, which itself is configured to operate in specific countries, the researchers noted. “Theoretically, the group could add other countries to this list in the future,” they added.
Email Vigilance Remains a Priority
Though it may seem like a no-brainer, the campaign once again demonstrates how email remains a weak link in organizations, even though — or perhaps because — employees have been trained on email security issues for so long. Security teams must avoid complacency when it comes to email security across the corporate network.
“This serves as another reminder of the critical need for vigilance and the thorough verification of all emails, even those purportedly from authoritative sources,” the researchers wrote. “We recommend that organizations improve employee security awareness through regular training and educational courses.”
Indeed, the phishing email is “the front door” through which attackers can install backdoors to gain persistence and remote access, and earn time to explore the environment for future compromise, Detectify’s Carlsson tells Dark Reading. “Small visibility gaps can become serious if an organization does not have a clear picture of which systems, exposed assets, and access paths exist,” he says.
For defenders, the lesson isn’t just about training employees not to click, however, Carlsson warns. “Organizations have to adopt an ‘assume breach’ posture, operating under the reality that devices will eventually be compromised and plan accordingly,” he says. The planning should include: email filtering, attachment and URL analysis, endpoint detection, least-privilege access, software execution controls, and continuous visibility into their external attack surface.
