Silver Fox Springs Tax-Themed Attacks on Orgs in India, Russia
More than 1,600 socially engineered messages from the China-backed advanced persistent threat (APT) group target various sectors to deliver the previously undocumented ABCDoor backdoor, ValleyRAT, and other malware.
Elizabeth Montalbano,Contributing Writer
May 4, 2026
5 Min Read
Chinese threat actor Silver Fox is behind a wave of malicious emails aimed at organizations in Russia and India. The tax-themed lures are designed to deliver a previously undocumented backdoor, as well as a remote access Trojan (RAT) that has already been widely wielded as part of the group's arsenal.
The campaign, which began in December, surfaced with emails impersonating Indian tax authorities, and then expanded in January to target Russian organizations using similar tactics, according to a recent report by Kaspersky researchers.
"Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits, or prompted users to download an archive containing a 'list of tax violations,'" Kaspersky researchers wrote in the report.
Inside the archive was a modified Rust-based loader pulled from a public repository, which would download and execute the well-known ValleyRAT backdoor. In some cases, the PDFs embedded links to attacker-controlled infrastructure hosting malicious ZIP or RAR files, the researchers said. The campaign also delivered a backdoor that the researchers hadn't seen before, dubbed "ABCDoor."
Kaspersky recorded more than 1,600 malicious messages within its telemetry related to the campaigns between early January and early February targeting various sectors — including industrial, consulting, retail, and transportation.
Tax Scams Show Universal Reach
Such tax scams are common in the US but apparently also have universal appeal for attackers looking to scam victims in other countries. That's likely because they target "a very human weakness," notes Rickard Carlsson, CEO of application security firm Detectify.
"People behave differently when they think a government authority is involved," he tells Dark Reading. "An email about taxes, penalties, or an audit creates urgency before the victim has even opened the attachment."
Indeed, social engineering in general remains an effective scam tactic, "because attackers only need one person to click once," he adds, while defenders "are expected to get everything right all the time, often across an attack surface that keeps changing as new tools, services, integrations, and cloud assets are added."
He adds, "On top of that, it is often impossible to fully lock systems down, as doing so would render them unusable for the business."
ABCDoor: A Stealthy New Backdoor Malware
As mentioned, successful attacks resulted in the delivery of various payloads, notably a previously undocumented Python backdoor called ABCDoor that Kaspersky discovered has been in use by Silver Fox since at least late 2024. Overall, it has been used "in real-world attacks from the first quarter of 2025 to the present day," the researchers wrote, even though it was just recently uncovered.
ABCDoor establishes persistence through Windows Registry Run keys and scheduled tasks, then communicates with its command-and-control (C2) servers over HTTPS using asynchronous Socket.IO messaging. Running under a legitimate pythonw.exe process to evade detection, the malware focuses less on traditional command execution and more on covert remote interaction capabilities, including multimonitor screen streaming via FFmpeg, remote mouse and keyboard control, clipboard theft, file operations, and limited file-encryption features.
The backdoor malware also supports self-updating and self-removal, collects extensive host metadata, and leaves forensic artifacts in the registry and %LOCALAPPDATA% directories that defenders can monitor for detection.
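The persistence and execution traits described above (Run keys, scheduled tasks, a script hosted under pythonw.exe, artifacts under %LOCALAPPDATA%) translate directly into a local hunt. The following PowerShell script is an added example written for this page; it is not code from the article or from Kaspersky's report, and it uses no published indicators. The matching patterns (any Run key, task action or live process that launches pythonw.exe or points into a user's AppData\Local folder) are assumptions derived from the article's description, so every hit is a triage lead rather than a verdict.

```powershell
# Added hunt script (not from the article or Kaspersky's report). It enumerates the
# persistence locations the article attributes to ABCDoor (Registry Run keys,
# scheduled tasks), plus live pythonw.exe processes, and flags entries that launch
# pythonw.exe or reference a path under %LOCALAPPDATA%. The regexes below are
# assumptions based on that description, not published indicators of compromise.
# Run from an elevated prompt so HKLM keys and all users' tasks are readable.

$PythonPattern   = 'pythonw?\.exe'        # python.exe or pythonw.exe in a command line
$LocalAppPattern = '\\AppData\\Local\\'   # any user's %LOCALAPPDATA%, not only the current one
$Findings        = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Source, [string]$Name, [string]$Command)
    $script:Findings.Add([pscustomobject]@{
        Source         = $Source
        Name           = $Name
        Command        = $Command
        UsesPython     = [bool]($Command -match $PythonPattern)
        InLocalAppData = [bool]($Command -match $LocalAppPattern)
    })
}

# 1. Registry Run / RunOnce keys for the current user and the machine.
$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Get-ItemProperty adds these provider properties; they are not Run entries.
$MetaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Entries = Get-ItemProperty -Path $Key
    foreach ($Prop in $Entries.PSObject.Properties) {
        if ($MetaProps -contains $Prop.Name) { continue }
        Add-Finding -Source $Key -Name $Prop.Name -Command ([string]$Prop.Value)
    }
}

# 2. Scheduled task actions (the Execute/Arguments pair is the launched command line).
foreach ($Task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($Action in $Task.Actions) {
        if ($null -eq $Action.Execute) { continue }   # COM-handler actions have no Execute
        $Cmd = "$($Action.Execute) $($Action.Arguments)".Trim()
        Add-Finding -Source "Task:$($Task.TaskPath)" -Name $Task.TaskName -Command $Cmd
    }
}

# 3. Live pythonw.exe processes with full command line and parent PID, so the script
#    being run and the process that started it can be examined.
foreach ($Proc in Get-CimInstance Win32_Process -Filter "Name = 'pythonw.exe'") {
    $Label = "PID $($Proc.ProcessId) (parent $($Proc.ParentProcessId))"
    Add-Finding -Source 'Process' -Name $Label -Command ([string]$Proc.CommandLine)
}

# 4. Report anything that launches Python or points into a user's AppData\Local folder.
$Findings |
    Where-Object { $_.UsesPython -or $_.InLocalAppData } |
    Sort-Object Source, Name |
    Format-Table Source, Name, UsesPython, InLocalAppData, Command -AutoSize -Wrap
```

Legitimate developer tooling and vendor installers also register pythonw.exe and write under AppData\Local, so compare each hit against the host's known Python installations and the task or key's creation time before escalating. Step 3 only catches what is running at the moment the script executes; process-creation telemetry from Sysmon or an EDR agent is the durable way to watch for pythonw.exe being spawned from unexpected parents.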
Other payloads in the attacks include ValleyRAT, the use of which by Silver Fox already has been documented, and a customized version of the RustSL loader that's been heavily modified by the group to suit its own purposes, according to Kaspersky.
Expanding Geographic Reach for Cyberattacks
Silver Fox is a China-backed threat group that has been active for a few years and has become something of a Swiss Army knife among threat groups, with diverse tactics, techniques, and procedures (TTPs) and equally diverse motives for its attacks. While primarily aimed at cyberespionage and critical-infrastructure disruption, the group also at times conducts financially motivated attacks, a cross-pollination that has been seen in North Korean threat actors but is rare for Chinese threat groups.
Silver Fox primarily targets organizations in Taiwan, although North America and Japan are also home to some of its victims. The recent campaign is significant in that it shows the group expanding its regional focus for the first time to targets in Russia, the researchers noted.
Silver Fox also has added configurations for Japan for its specific implementation of RustSL loader, which itself is configured to operate in specific countries, the researchers noted. "Theoretically, the group could add other countries to this list in the future," they added.
Email Vigilance Remains a Priority
Though it may seem like a no-brainer, the campaign once again demonstrates how email remains a weak link in organizations, even though — or perhaps because — employees have been trained on email security issues for so long. Security teams must avoid complacency when it comes to email security across the corporate network.
"This serves as another reminder of the critical need for vigilance and the thorough verification of all emails, even those purportedly from authoritative sources," the researchers wrote. "We recommend that organizations improve employee security awareness through regular training and educational courses."
Indeed, the phishing email is "the front door" through which attackers can install backdoors to gain persistence and remote access, and earn time to explore the environment for future compromise, Detectify's Carlsson tells Dark Reading. "Small visibility gaps can become serious if an organization does not have a clear picture of which systems, exposed assets, and access paths exist," he says.
For defenders, the lesson isn't just about training employees not to click, however, Carlsson warns. "Organizations have to adopt an 'assume breach' posture, operating under the reality that devices will eventually be compromised and plan accordingly," he says. That planning should include email filtering, attachment and URL analysis, endpoint detection, least-privilege access, software execution controls, and continuous visibility into the organization's external attack surface.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.