Silver Fox APT Deploys ABCDoor Backdoor in Tax-Themed Attacks on India and Russia

Overview

The China-linked advanced persistent threat (APT) group tracked as Silver Fox has launched a new wave of socially engineered attacks targeting organizations across India and Russia. More than 1,600 spear-phishing messages have been documented in the campaign, which uses convincing tax-authority lures to deceive recipients into executing malicious payloads.

The campaign introduces a previously undocumented backdoor called ABCDoor, deployed alongside the known ValleyRAT remote access trojan and other malware families. The dual-payload approach gives Silver Fox both persistent access and flexible post-exploitation capability on compromised systems.

Silver Fox: Background

Silver Fox is a Chinese-speaking threat actor that has been active since at least 2022. The group is characterized by:

• Geographic targeting: Operations predominantly against organizations in East, South, and Southeast Asia — now expanding to South Asia (India) and Eastern Europe (Russia)
• Sector focus: Finance, government, healthcare, technology, and defense supply chain
• Tooling: Heavy use of commodity RATs (ValleyRAT, Gh0stRAT) combined with custom loaders and backdoors
• Lure themes: Tax documents, financial statements, regulatory notifications, and HR communications

The group's consistent use of tax-themed lures — particularly around government tax reporting periods — makes it a recurring seasonal threat for finance and accounting staff.

Campaign Analysis

Delivery Mechanism

The campaign uses highly targeted spear-phishing messages delivered via email. Each message is tailored to the recipient's role and organization, referencing:

• Local tax authority names (India's Income Tax Department, Russia's Federal Tax Service / FNS)
• Plausible filing deadlines and regulatory references
• Recipient's name, organization, and in some cases, their specific job function

Attachments or links direct targets to:

1. Malicious document files (.docx, .xlsx) exploiting macro execution or Office vulnerabilities
2. ZIP archives containing LNK shortcut files that execute a PowerShell loader
3. ISO/IMG files containing disguised executables (a technique to bypass Mark-of-the-Web)

Malware Payloads

ABCDoor (Previously Undocumented)

ABCDoor is a newly identified backdoor first observed in this campaign. Initial analysis reveals:

ABCDoor appears designed for long-term espionage operations — it prioritizes stealth and persistence over aggressive data collection, suggesting the group intends to maintain access for extended periods.

ValleyRAT

ValleyRAT is a known Silver Fox tool, documented since 2023. It is a full-featured remote access trojan capable of:

• Keylogging and credential harvesting
• Browser credential extraction (Chrome, Edge, Firefox)
• Screen capture and remote desktop
• File system enumeration and exfiltration
• Lateral movement via network share enumeration

The use of ValleyRAT alongside ABCDoor gives operators redundant access — if one payload is detected and removed, the other may persist undetected.

Targeting: India and Russia

The simultaneous targeting of organizations in India and Russia is notable and suggests Silver Fox is executing a broader regional intelligence collection operation.

India

Targets in India cluster around:

• IT and BPO sector companies with multinational clients
• Financial services firms around India's tax filing season (March–July)
• Government contractors in defense and infrastructure

India's large IT sector and its role as a technology partner to Western nations makes it a valuable espionage target for Chinese intelligence operations — particularly for supply chain access to downstream clients.

Russia

Despite Russia and China's stated strategic partnership, Chinese cyber-espionage against Russian entities is well-documented and reflects intelligence collection priorities that transcend geopolitical alignment. Observed Russian targets include:

• Energy and resources companies
• Defense industrial base contractors
• Academic and research institutions involved in dual-use technology

The use of Russian Federal Tax Service (FNS) lures demonstrates the group's investment in localized, convincing social engineering content — requiring native Russian language capability and knowledge of Russian bureaucratic processes.

Indicators of Compromise

Note: These are representative IoC categories. Specific hashes and C2 addresses are not published here to avoid premature tipping off of active operations. Organizations should consult their threat intelligence feed for current Silver Fox indicators.

File System Artifacts

%TEMP%\[random 8-char string].tmp       (initial dropper stage)
%APPDATA%\Microsoft\[legitimate-looking name]\  (ABCDoor installation directory)
%SYSTEMROOT%\Temp\[service-name].log    (ValleyRAT logging)

Registry Persistence

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[key name]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (modified)

Network Indicators

• Beacon traffic over HTTPS to domains registered within the last 60 days
• Certificate subject fields with mismatched organization names
• DNS queries for subdomains with high entropy labels (e.g., xk3j9m.legitimate-looking-domain.com)
• Consistent beacon intervals (60–300 second jitter range)

Detection Guidance

Email Gateway

Block or quarantine:

• Emails with ISO, IMG, or LNK attachments from external senders
• Compressed archives containing LNK files
• Macro-enabled Office documents from unknown or suspicious senders

Apply additional scrutiny to messages claiming to be from:

• India Income Tax Department (incometax.gov.in lookalikes)
• Russian Federal Tax Service (nalog.ru lookalikes)

Endpoint Detection

# Suspicious child process from Office application
- process: WINWORD.EXE, EXCEL.EXE
  spawns: powershell.exe, cmd.exe, mshta.exe, wscript.exe, cscript.exe
  action: ALERT
 
# LNK execution from temp or downloads directory
- process: explorer.exe
  command_line: "*.lnk"
  directory: C:\Users\*\Downloads\, C:\Users\*\AppData\Local\Temp\
  action: ALERT
 
# Suspicious scheduled task creation
- process: schtasks.exe
  command_line contains: /create
  parent: powershell.exe, cmd.exe
  action: ALERT

SIEM Query (Elastic)

event.category:process AND
process.parent.name:(WINWORD.EXE OR EXCEL.EXE) AND
process.name:(powershell.exe OR cmd.exe OR mshta.exe OR wscript.exe) AND
NOT process.command_line:*-NonInteractive*

Historical Context: Silver Fox's Expanding Reach

Silver Fox began primarily targeting Chinese-speaking populations in financial sector attacks before pivoting to broader international targeting. The group's 2026 activity represents a significant escalation in both geographic reach and operational sophistication.

Mitigation Recommendations

1. Employee awareness training — Specifically address tax authority impersonation lures; remind staff that government agencies do not request action via unsolicited email attachments.
2. Disable macros — Use Group Policy to disable VBA macros in Office documents from the internet.
3. Block ISO/IMG mounts — Via Group Policy or endpoint controls, prevent users from mounting ISO and IMG files.
4. Enable Protected View — Ensure Microsoft Office Protected View is active for internet-sourced documents.
5. MFA everywhere — Ensure all remote access and email accounts require phishing-resistant MFA.
6. Network monitoring — Establish baseline HTTPS traffic patterns and alert on anomalous outbound connections from workstations.

References

• Dark Reading: Silver Fox Tax-Themed Attacks on India, Russia

Related Reading

• 2026: The Year AI Became the Attacker's Favorite Co-Pilot
• FBI Warns Russian Intelligence Targeting Signal and WhatsApp
• APT28 Deploys PrismeX Malware Targeting Ukraine and NATO Allies