Codenil

Stealthy Tax-Themed Phishing Campaigns: Silver Fox’s ABCDoor Backdoor Hits Russia and India

Published: 2026-05-04 15:02:10 | Category: Cybersecurity

In late 2025 and early 2026, cybersecurity researchers uncovered a sophisticated phishing operation targeting organizations in Russia and India. The campaigns, attributed to the threat group known as Silver Fox, used tax-themed lures to deliver a two-stage infection chain involving the RustSL loader and the ValleyRAT backdoor. Further analysis revealed a previously unknown Python-based backdoor, dubbed ABCDoor, which has been part of Silver Fox’s arsenal since at least late 2024. This Q&A explores the key details of these attacks.

1. Who is responsible for these phishing campaigns, and which countries were targeted?

The attacks were carried out by the Silver Fox threat group, a cybercriminal organization known for targeted intrusions. In December 2025, they launched a wave of malicious emails aimed at Indian organizations, posing as official communications from the Indian tax service. Just a few weeks later, in January 2026, a near-identical campaign began targeting Russian entities. The group likely chose these targets due to the high perceived importance of tax authorities, making victims more likely to engage with the emails. Over 1,600 malicious emails were recorded between early January and early February 2026, impacting sectors such as industrial, consulting, retail, and transportation.

Source: securelist.com

2. How did the phishing emails appear, and what social engineering tricks were used?

The emails were carefully crafted to mimic official tax notifications. For Russian targets, the message claimed to be from the tax service and included a PDF attachment containing two clickable links to download an archive. The PDF file displayed fake tax violation details, urging the recipient to download a “list of tax violations.” For Indian targets in December, the malicious code was embedded directly in an archive attached to the email—named ITD.-.rar—which contained a single executable disguised with an Adobe PDF icon. A later variant used a PDF with links to a malicious archive hosted at abc.haijing88[.]com. The attackers exploited the urgency and authority of tax correspondence to bypass security awareness, and the use of PDFs with links helped evade email gateway filters that might block direct attachments of executable files.

3. What is the RustSL loader, and how was it modified for this campaign?

The RustSL loader is a Rust-based payload downloader whose source code is publicly available on GitHub. Silver Fox took this open-source tool and modified it to suit their attack chain. Inside the malicious archive, victims found an executable file (e.g., Click File.exe) that acted as the RustSL loader. Once executed, the loader contacted a remote server to download and run the next stage, the ValleyRAT backdoor. The modifications likely included custom encryption, changed command-and-control (C2) addresses, and integration with the subsequent Python-based backdoor. Writing the loader in Rust also made it harder to detect, because the language is still uncommon in malware and Rust binaries are comparatively difficult to reverse-engineer.

4. What is ValleyRAT, and how does it relate to the newly discovered ABCDoor backdoor?

ValleyRAT is a well-known backdoor that provides remote access to compromised systems. In these campaigns, it was delivered by the RustSL loader. However, during their investigation, researchers discovered that the attackers were also deploying a new ValleyRAT plugin that acted as a loader for an undocumented Python-based backdoor. This previously unseen backdoor was named ABCDoor. Retrospective analysis shows that ABCDoor has been part of Silver Fox’s toolkit since at least late 2024, with real-world use from Q1 2025 onward. It appears that ValleyRAT serves as a primary foothold, while ABCDoor provides additional stealth and persistence capabilities, likely written in Python to evade signature-based detection on disk or in memory.


5. How were the attack chains technically executed—step by step?

The infection process typically began with a phishing email. For Russian targets, the email included a PDF with clickable links directing the victim to a malicious website (abc.haijing88[.]com) to download a ZIP archive. For Indian targets in December, the email directly attached an archive (ITD.-.rar) containing the RustSL loader. In both cases, once the archive was extracted and the executable ran, the RustSL loader executed and downloaded ValleyRAT from a remote server. During some infections, ValleyRAT then loaded a new plugin that deployed ABCDoor, a Python-based backdoor. The entire chain was designed to be modular: the initial loader was lightweight, the secondary backdoor provided extensive control, and the tertiary backdoor offered additional functionality. The attackers used legitimate cloud platforms like SendGrid to send emails, further improving deliverability.

6. What sectors were affected, and what is the broader impact of this campaign?

The campaigns impacted organizations across industrial, consulting, retail, and transportation sectors. Over 1,600 malicious emails were sent in just over a month. The use of tax-themed lures suggests the attackers sought to compromise high-value targets with access to financial data or sensitive government communications. The introduction of ABCDoor, a persistent backdoor, indicates a long-term espionage or data theft objective. Organizations in Russia and India, especially those dealing with tax filings or audits, were at heightened risk. The fact that Silver Fox refined their techniques (using PDFs with links instead of direct executables) shows an adaptive threat actor. Any breached organization could face data exfiltration, ransomware deployment, or lateral movement to partners. Security teams should monitor for similar lures and inspect encrypted or archive-based attachments carefully.
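The two lure patterns described in Q2 (a PDF whose links fetch an archive, and an archive whose only content is an executable posing as a document) can be screened with a simple attachment triage. The following is an added example, not code from Securelist or the article; the PDF and ZIP samples are constructed, the domain is a placeholder, and the ZIP path stands in for the RAR used against Indian targets.

```python
import io
import re
import zipfile

# Heuristics from the campaign: (1) a PDF lure whose link actions point at an
# archive download, (2) an archive whose payload is a Windows executable (PE
# files start with the "MZ" magic) dressed up as a document.
ARCHIVE_URL = re.compile(r"\.(zip|rar|7z)(?:[?#]|$)", re.I)
PDF_URI = re.compile(rb"/URI\s*\(([^)]*)\)")


def pdf_archive_links(pdf_bytes):
    """Return link-action URIs in an uncompressed PDF that point at an archive.
    Real lures may hide the action inside compressed object streams, so treat
    this as a first pass rather than a full PDF parser."""
    uris = [u.decode("latin-1") for u in PDF_URI.findall(pdf_bytes)]
    return [u for u in uris if ARCHIVE_URL.search(u)]


def zip_executables(zip_bytes):
    """Return names of ZIP entries that start with a PE header, judged by
    content rather than by file name, extension or icon."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as member:
                if member.read(2) == b"MZ":
                    hits.append(info.filename)
    return hits


def triage_attachment(data):
    """Classify one attachment body; returns (verdict, details)."""
    if data.startswith(b"%PDF"):
        links = pdf_archive_links(data)
        return ("pdf-archive-link", links) if links else ("clean", [])
    if data.startswith(b"PK\x03\x04"):
        exes = zip_executables(data)
        return ("lone-executable", exes) if exes else ("clean", [])
    return ("unknown", [])


# Constructed samples, not real campaign artifacts.
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link /A << /S /URI "
              b"/URI (https://lure.invalid/tax/violations.zip) >> >>\nendobj\n%%EOF\n")


def build_sample_zip():
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Click File.exe", b"MZ" + b"\x00" * 62)  # PE stub, not a real binary
    return buf.getvalue()
```

Run `triage_attachment(SAMPLE_PDF)` and `triage_attachment(build_sample_zip())` to see both verdicts; a mail gateway hook would feed each decoded attachment through the same function.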