Silver Fox Strikes Again: ABCDoor Malware Delivered via Tax Phishing in India and Russia

Published: 2026-05-04 15:22:31 | Category: Cybersecurity

The cyber threat landscape continues to evolve as the China-linked group Silver Fox resurfaces with a fresh wave of attacks. Researchers have linked the group to a sophisticated campaign delivering a new backdoor malware named ABCDoor through tax-themed phishing emails targeting organizations in India and Russia. The operation, first observed in December 2025, demonstrates the group's persistent focus on financial and governmental entities.

Campaign Overview

The Silver Fox group, known for its cyber espionage activities, employed a two-pronged approach. In the first wave, attackers sent emails impersonating the Income Tax Department of India, luring recipients with tax-related notifications. A subsequent, almost identical campaign targeted Russian organizations, though the exact pretext for Russian victims remains under analysis.

Source: feeds.feedburner.com

Both waves share a near-identical modus operandi: phishing emails contain malicious attachments or links that, when opened, initiate the download and execution of ABCDoor. The malware grants attackers remote access, enabling data exfiltration, keylogging, and further network compromise.

Who Is Silver Fox?

Silver Fox is a Chinese-speaking cybercrime and espionage group that has been active since at least 2020. The group primarily targets government agencies, defense contractors, and financial institutions across Asia and Europe. Their tactics often involve spear-phishing with carefully crafted lures, custom malware, and advanced persistence mechanisms. The deployment of ABCDoor marks their first recorded use of a dedicated backdoor in operations against both India and Russia.

ABCDoor Malware: Capabilities and Analysis

ABCDoor is a modular backdoor designed to operate stealthily within compromised networks. Key features identified by security researchers include:

  • Remote Code Execution – Allows attackers to run arbitrary commands on infected machines.
  • Data Exfiltration – Steals files, credentials, and keystrokes.
  • Persistence Mechanisms – Uses scheduled tasks and registry modifications to survive reboots.
  • Encrypted Communication – Communicates with command-and-control (C2) servers using custom encryption to evade detection.

The malware is typically delivered as a dynamic-link library (DLL) or via PowerShell scripts embedded in phishing documents. Once activated, ABCDoor establishes a foothold and can download additional payloads.

Phishing Tactics and Lures

The phishing emails used in the Indian campaign employed official logos and language mimicking the Income Tax Department. Subjects often read “Urgent: Tax Return Verification Required” or “Notice of Tax Discrepancy”. These emails included attachments such as:

  • Microsoft Word documents with malicious macros.
  • Compressed archive files (ZIP/RAR) containing executable files.
  • Links to fake login portals designed to harvest credentials.

The Russian campaign used similar social engineering, though researchers have not publicly disclosed the exact theme. The near-identical structure suggests a shared playbook and possible coordination between the two operations.

Indicators of Compromise (IoCs)

Security teams should monitor for the following IoCs associated with this campaign:

  1. Email domains impersonating tax authorities (e.g., incometax-india[.]org).
  2. File hashes of known ABCDoor samples (SHA-256 provided by threat intel feeds).
  3. Network connections to C2 IP addresses linked to Silver Fox infrastructure.
  4. Unusual PowerShell execution or scheduled tasks named “TaxUpdate” or similar.

Targets and Potential Impact

The campaign primarily targets government agencies, financial institutions, and critical infrastructure in India and Russia. While Silver Fox is not known for ransomware, the ability to steal sensitive data and maintain persistent access poses significant risk for espionage and intellectual property theft. Organizations in these sectors are urged to review their email security protocols and conduct employee awareness training.

Mitigation Recommendations

To defend against similar attacks, cybersecurity professionals advise the following measures:

  • Email Filtering – Deploy advanced filters to block tax-themed phishing attempts and suspicious attachments.
  • Macro Security – Disable macros by default in Office documents from external sources.
  • Endpoint Detection – Use EDR solutions to detect ABCDoor behavior such as unusual PowerShell or scheduled tasks.
  • User Training – Conduct regular phishing simulations, especially for finance and tax department staff.
  • Network Segmentation – Limit lateral movement by segmenting critical systems from user workstations.

Additionally, organizations should monitor the Indicators of Compromise listed above and integrate them into their SIEM systems.
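The following script is an added example, not code from the article or from any vendor report. It turns the Indicators of Compromise above (items 1 and 4) and the Endpoint Detection recommendation into concrete triage logic: it applies the indicators to SIEM-style log lines and then correlates hits per host, so that a workstation with several distinct indicators is escalated while a single noisy hit is not. Taken from the article: the lure domain incometax-india[.]org, scheduled tasks named "TaxUpdate" or similar, and "unusual PowerShell execution". Everything else is an assumption made for this example: the key=value log format, the use of Windows Security event 4698 (scheduled task created) as a field value, the definition of unusual PowerShell (encoded commands, hidden windows, execution-policy bypass), and all sample log lines, which are constructed. The article publishes no C2 addresses, so that list is an empty placeholder to be filled from a threat-intel feed.

```python
# Added example: ABCDoor indicator triage over SIEM-style logs. Not the article's code.
import re
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import urlparse

# --- Indicators -------------------------------------------------------------
# From the article (IoC 1), kept defanged as published and refanged on load.
TAX_LURE_DOMAINS_DEFANGED = {"incometax-india[.]org"}
TAX_LURE_DOMAINS = {d.replace("[.]", ".").lower() for d in TAX_LURE_DOMAINS_DEFANGED}

# From the article (IoC 4): "TaxUpdate" or similar; tolerate case and separators.
SUSPICIOUS_TASK_NAME = re.compile(r"tax[\s_-]*update", re.IGNORECASE)

# Assumption: what "unusual PowerShell execution" means for this detector.
UNUSUAL_POWERSHELL = re.compile(
    r"-(?:enc(?:odedcommand)?|w(?:indowstyle)?\s+hidden|ep\s+bypass|executionpolicy\s+bypass)\b",
    re.IGNORECASE,
)

# Placeholder (IoC 3): the article gives no C2 addresses; load from a threat-intel feed.
KNOWN_C2_ADDRESSES: set[str] = set()

# --- Log parsing ------------------------------------------------------------
# Assumed log format: space-separated key=value pairs, values quoted if they contain spaces.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_kv(line: str) -> dict[str, str]:
    """Parse one key=value log line into a dict with lower-cased keys."""
    return {m.group(1).lower(): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in KV_RE.finditer(line)}


@dataclass(frozen=True)
class Finding:
    rule: str
    host: str
    detail: str


def host_matches_lure(hostname: str) -> bool:
    """True if the hostname is a lure domain or a subdomain of one (not a look-alike suffix)."""
    hostname = hostname.lower()
    return any(hostname == d or hostname.endswith("." + d) for d in TAX_LURE_DOMAINS)


def check_line(line: str) -> list[Finding]:
    """Apply every indicator rule to one log line; each rule contributes at most one finding."""
    ev = parse_kv(line)
    host = ev.get("host", "?")
    found: list[Finding] = []

    # IoC 4 (scheduled task): Security event 4698 carries the new task's name.
    if ev.get("event") == "4698" and SUSPICIOUS_TASK_NAME.search(ev.get("taskname", "")):
        found.append(Finding("scheduled_task_tax_lure", host, ev["taskname"]))

    # IoC 4 (PowerShell): inspect both a task's action and a process command line.
    for fld in ("command", "cmdline"):
        if "powershell" in ev.get(fld, "").lower() and UNUSUAL_POWERSHELL.search(ev[fld]):
            found.append(Finding("unusual_powershell", host, ev[fld]))
            break

    # IoC 1: web traffic to a tax-authority look-alike domain.
    url = ev.get("url")
    if url and host_matches_lure(urlparse(url).hostname or ""):
        found.append(Finding("tax_lure_domain", host, urlparse(url).hostname))

    # IoC 3: outbound connection to a known C2 address (placeholder list above).
    if ev.get("dst") in KNOWN_C2_ADDRESSES:
        found.append(Finding("known_c2", host, ev["dst"]))
    return found


def triage(lines) -> list[Finding]:
    """Run check_line over a batch of log lines, preserving input order."""
    return [f for line in lines for f in check_line(line)]


def hosts_to_escalate(findings, min_rules: int = 2) -> dict[str, set[str]]:
    """Hosts on which at least `min_rules` distinct indicators fired: worth an incident ticket."""
    by_host: dict[str, set[str]] = defaultdict(set)
    for f in findings:
        by_host[f.host].add(f.rule)
    return {h: r for h, r in by_host.items() if len(r) >= min_rules}


# Constructed sample log lines (not real telemetry); the base64 token is the string "ABC".
SAMPLE_LOGS = [
    'src=winsec event=4698 host=FIN-WS01 user=CORP\\asharma taskname="\\TaxUpdate" '
    'command="powershell.exe -w hidden -enc QQBCAEMA"',
    'src=winsec event=4698 host=FIN-WS02 user=CORP\\svc_backup taskname="\\Backup Nightly" '
    'command="C:\\Tools\\backup.exe --full"',
    'src=proxy host=FIN-WS01 user=CORP\\asharma url="http://portal.incometax-india.org/verify" status=200',
    'src=proxy host=HR-WS07 user=CORP\\rpatel url="https://www.incometax.gov.in/iec/foportal/" status=200',
    'src=sysmon event=1 host=FIN-WS03 cmdline="powershell.exe -NoP -ExecutionPolicy Bypass '
    '-File C:\\Users\\asharma\\AppData\\Local\\Temp\\update.ps1"',
    'src=sysmon event=1 host=IT-WS03 cmdline="powershell.exe -File C:\\Scripts\\inventory.ps1"',
]

if __name__ == "__main__":
    results = triage(SAMPLE_LOGS)
    for f in results:
        print(f"[{f.rule}] {f.host}: {f.detail}")
    for host, rules in hosts_to_escalate(results).items():
        print(f"ESCALATE {host}: {sorted(rules)}")
```

On the constructed sample, FIN-WS01 trips three distinct rules (the lure-named task, the hidden encoded PowerShell it launches, and a visit to a subdomain of the lure domain) and is escalated, while FIN-WS03 shows only an execution-policy bypass and stays a single low-confidence hit for an analyst to review. The suffix check in `host_matches_lure` deliberately rejects `incometax-india.org.example.com`, a common false positive when indicators are matched with plain substring searches.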

Conclusion

The Silver Fox group's deployment of ABCDoor malware via tax-themed phishing campaigns in India and Russia underscores the persistent threat of state-aligned cyber operations. The near-identical campaigns highlight a scalable attack methodology that can be quickly adapted to different targets. As tax season approaches in many countries, organizations must remain vigilant against such socially engineered threats. Continuous monitoring, threat intelligence sharing, and robust security controls are essential to mitigate the risk posed by groups like Silver Fox.