Figure: Distribution of RustSL loader attacks by country, as a percentage of the total number of detections
Security researchers at Kaspersky have uncovered a multi-stage phishing campaign run by the Silver Fox threat group. Targeting organizations in India and Russia, the group exploits the perceived urgency of official tax correspondence to deploy a previously undocumented Python-based backdoor dubbed ABCDoor.
The campaign, with over 1,600 malicious emails recorded between early January and February 2026, primarily targets the industrial, consulting, retail, and transportation sectors.
The attack begins with convincing phishing emails designed to look like official notices from the Indian or Russian tax services. These emails typically prompt users to download an archive said to contain a "list of tax violations" or an audit schedule.
To get past email security gateways, the attackers often place a clickable link inside a PDF attachment rather than attaching the malware itself. One such link led to the archive abc.haijing88[.]com/uploads/фнс/фнс.zip (the path uses the Russian abbreviation for the Federal Tax Service).
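The PDF-link delivery described above can be checked at the gateway or during triage by pulling the /URI link actions out of the attachment and scoring them. The following is an added example, not code from the Kaspersky report or from any tool it names; the minimal PDF it scans is constructed here, with the article's defanged archive URL as one link target and a benign page as the other.

```python
import re
from urllib.parse import unquote

# Constructed sample PDF (not a capture from the campaign): two Link annotations,
# one with a literal-string /URI for the defanged archive path quoted in the
# article, one with a hex-string /URI for a benign page.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R 5 0 R] >> endobj
4 0 obj << /Type /Annot /Subtype /Link /Rect [72 700 300 720]
   /A << /S /URI /URI (http://abc.haijing88[.]com/uploads/%D1%84%D0%BD%D1%81/%D1%84%D0%BD%D1%81.zip) >> >> endobj
5 0 obj << /Type /Annot /Subtype /Link /Rect [72 650 300 670]
   /A << /S /URI /URI <687474703a2f2f6578616d706c652e636f6d2f> >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# A /URI value is a PDF string: either (literal, with backslash escapes) or <hex>.
LITERAL_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)", re.DOTALL)
HEX_RE = re.compile(rb"/URI\s*<([0-9A-Fa-f\s]*)>")

# File types a "tax notice" has no business linking to directly.
PAYLOAD_EXT = (".zip", ".rar", ".7z", ".iso", ".img", ".exe", ".scr", ".js", ".vbs", ".lnk")


def _unescape_literal(raw: bytes) -> bytes:
    # Only the escapes that matter for URLs; octal escapes are rare in /URI strings.
    return raw.replace(b"\\(", b"(").replace(b"\\)", b")").replace(b"\\\\", b"\\")


def extract_uris(pdf: bytes) -> list[str]:
    """Return every /URI target found in uncompressed object data, in file order."""
    found = []
    for m in LITERAL_RE.finditer(pdf):
        found.append((m.start(), _unescape_literal(m.group(1)).decode("utf-8", "replace")))
    for m in HEX_RE.finditer(pdf):
        digits = re.sub(rb"\s", b"", m.group(1))
        if len(digits) % 2:        # PDF treats a missing final hex digit as 0
            digits += b"0"
        found.append((m.start(), bytes.fromhex(digits.decode("ascii")).decode("utf-8", "replace")))
    return [uri for _, uri in sorted(found)]


def assess_uri(uri: str) -> dict:
    """Percent-decode the link and flag the two traits seen in this campaign's lure."""
    decoded = unquote(uri)
    reasons = []
    if decoded.lower().rstrip("/").endswith(PAYLOAD_EXT):
        reasons.append("links directly to an archive or executable")
    if any(ord(ch) > 127 for ch in decoded):
        reasons.append("non-ASCII path component")
    return {"uri": decoded, "suspicious": bool(reasons), "reasons": reasons}


def scan_pdf(pdf: bytes) -> list[dict]:
    return [assess_uri(u) for u in extract_uris(pdf)]


if __name__ == "__main__":
    for finding in scan_pdf(SAMPLE_PDF):
        print(finding)
```

Two caveats for real attachments: links inside compressed object streams are invisible to a raw-byte scan, so decompress first (for example with qpdf's QDF mode or a PDF library), and /URI is only one action type; /Launch, /GoToR and JavaScript actions deserve the same treatment.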
Silver Fox uses a customized build of RustSL, a modular antivirus-evasion framework whose source is publicly available on GitHub. The group extended the original code with its own modules, including steganography.rs for payload unpacking and guard.rs for country-based geofencing.
The infection chain typically follows this path:
- Loader: The Silver Fox RustSL loader, disguised with a PDF or Excel icon, executes.
- Intermediate stage: The loader downloads and launches ValleyRAT (also known as Winos 4.0), a well-known backdoor.
- Final payload: ValleyRAT then delivers a custom plugin that acts as a loader for ABCDoor.
“Retrospective analysis reveals that ABCDoor has been part of the Silver Fox arsenal since at least late 2024 and has been utilized in real-world attacks from the first quarter of 2025 to the present day,” the report states.
ABCDoor is built on the asyncio and Socket.IO Python libraries and communicates with its C2 server over HTTPS. To stay out of sight, it runs under pythonw.exe, the legitimate windowless Python interpreter, so no console window appears. It establishes persistence through the Windows registry and Task Scheduler, with a scheduled task set to run it every minute.
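The persistence described above (a scheduled task firing every minute and a registry entry, both launching pythonw.exe) leaves artifacts that can be hunted offline: Task Scheduler keeps each task as an XML file under C:\Windows\System32\Tasks, and Run-key values can be exported from the registry. The following is an added example, not code from the Kaspersky report; the task name, the paths under C:\Users\Public\runtime and the choice of the Run key as the registry location are assumptions, and both task definitions and the Run-key values are constructed samples.

```python
import ntpath
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace; on a live host the files are UTF-16 with a BOM,
# which ET.fromstring handles when given the raw bytes.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed sample (paths and name are assumptions, not indicators from the report):
# a task repeating every minute that launches pythonw.exe on a script.
SAMPLE_SUSPICIOUS_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Public\runtime\pythonw.exe</Command>
      <Arguments>C:\Users\Public\runtime\svc.py</Arguments>
    </Exec>
  </Actions>
</Task>""".encode("utf-16")

# Constructed benign sample: hourly repetition, a Windows-signed binary.
SAMPLE_BENIGN_TASK = r"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2025-01-01T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\wsqmcons.exe</Command></Exec>
  </Actions>
</Task>""".encode("utf-16")

# Constructed Run-key export (name -> command line). Assumes HKCU\...\CurrentVersion\Run.
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "PyRuntime": r'"C:\Users\Public\runtime\pythonw.exe" "C:\Users\Public\runtime\svc.py"',
}

INTERPRETERS = {"pythonw.exe", "python.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
FREQUENT_SECONDS = 5 * 60      # repetition at or below this is unusual for legitimate tasks
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def iso_duration_seconds(text):
    """Parse the ISO 8601 duration subset Task Scheduler writes (PT1M, P1DT12H, ...)."""
    m = _DURATION.match(text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def first_token(cmdline):
    """Executable path from a Windows command line, quoted or not."""
    s = cmdline.strip()
    if s.startswith('"'):
        return s[1:].split('"', 1)[0]
    return s.split(None, 1)[0] if s else ""


def assess_task(xml_bytes, task_name):
    """Score one task definition: interpreter-launching actions plus a short repeat interval."""
    root = ET.fromstring(xml_bytes)
    intervals = [iso_duration_seconds(e.text or "") for e in root.findall(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    commands = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = first_token(ex.findtext("t:Command", default="", namespaces=NS))
        args = (ex.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        commands.append((cmd, args))
    interpreter = any(ntpath.basename(c).lower() in INTERPRETERS for c, _ in commands)
    frequent = bool(intervals) and min(intervals) <= FREQUENT_SECONDS
    severity = "high" if interpreter and frequent else "medium" if interpreter else "none"
    return {"task": task_name, "min_interval_s": min(intervals) if intervals else None,
            "commands": commands, "severity": severity}


def assess_run_values(values):
    """Flag Run-key entries whose executable is a script interpreter."""
    hits = []
    for name, cmdline in values.items():
        exe = first_token(cmdline)
        if ntpath.basename(exe).lower() in INTERPRETERS:
            hits.append({"name": name, "exe": exe, "cmdline": cmdline})
    return hits


if __name__ == "__main__":
    print(assess_task(SAMPLE_SUSPICIOUS_TASK, r"\Updater"))
    print(assess_task(SAMPLE_BENIGN_TASK, r"\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"))
    print(assess_run_values(SAMPLE_RUN_VALUES))
```

On a real host, feed assess_task the bytes of each file under C:\Windows\System32\Tasks (or the same tree carved from a forensic image) and assess_run_values the output of a reg query of the Run keys. Some monitoring agents legitimately repeat every minute, so treat "high" as a triage priority rather than a verdict, and pivot on the script the interpreter is given and where that file lives.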
Key Malicious Capabilities:
- Remote Control: Enables mouse and keyboard emulation via the pynput library.
- Screen Broadcasting: Uses an embedded, legitimate ffmpeg.exe to stream up to four monitors simultaneously using the Desktop Duplication API.
- Data Harvesting: Exfiltrates clipboard contents and performs broad file system operations.
- Phantom Persistence: Some versions intercept the system shutdown signal and instead trigger a reboot disguised as an update, so the loader runs again at OS startup.
India remains the most targeted country (65.18% of detections), but Silver Fox is expanding its scope: following campaigns in Russia and Indonesia, the group recently added Japan to the list of target countries in the malware's configuration.
Silver Fox's multi-stage approach and segmented infrastructure are designed to minimize the risk of detection. Kaspersky urges organizations to verify the authenticity of any email claiming to come from a government authority and to improve employee security awareness through regular training.