Silver Fox Springs Tax-Themed Attacks on Orgs in India, Russia

Dark Reading, May 4, 2026

Why It Matters

The operation demonstrates how tax‑related social engineering can breach even well‑trained enterprises, while introducing a new backdoor that broadens Silver Fox’s offensive toolkit. Organizations must reassess email defenses and assume breach to mitigate similar threats.

Key Takeaways

  • Silver Fox sent 1,600 tax‑themed phishing emails to Indian and Russian firms
  • Campaign delivered new Python backdoor ABCDoor and the known ValleyRAT RAT
  • ABCDoor persists via Registry Run keys and scheduled tasks on Windows
  • Group expands focus, targeting Russia for first time alongside India

Pulse Analysis

Tax‑related phishing remains a potent weapon because it exploits the authority and urgency associated with government notices. In the Silver Fox campaign, attackers crafted emails that mimicked Indian tax agencies before extending the same lure to Russian entities. By embedding malicious archives labeled as "list of tax violations," they coaxed recipients into opening PDFs that linked to ZIP or RAR files. This approach leverages a universal psychological trigger—fear of penalties—making it effective across borders and industries, from manufacturing to retail.

Technically, the payload chain began with a Rust‑based loader pulled from a public repository, which fetched and executed the ValleyRAT remote‑access Trojan. More notable was the introduction of ABCDoor, a Python‑based backdoor first seen in late 2024. ABCDoor establishes persistence through Windows Registry Run keys and scheduled tasks, communicates over HTTPS via Socket.IO, and runs under a legitimate pythonw.exe process to evade detection. Its capabilities include multimonitor screen streaming, remote input control, clipboard theft, file manipulation, and limited encryption, while supporting self‑updates and clean removal. The presence of both a known RAT and a novel backdoor underscores the group’s modular toolkit and adaptability.

For defenders, the campaign is a reminder that email remains the weakest link despite ongoing awareness training. Organizations should adopt an "assume breach" posture, integrating advanced email filtering, attachment sandboxing, and endpoint detection and response (EDR) solutions. Continuous monitoring of registry changes, scheduled tasks, and anomalous HTTPS traffic can surface ABCDoor activity early. Moreover, the geographic expansion to Russia signals that threat actors are increasingly flexible in targeting new regions, prompting security teams to broaden threat‑intel coverage and regularly update country‑specific detection rules. Proactive user education combined with layered technical controls offers the best chance to thwart such socially engineered attacks.
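The monitoring the paragraph above recommends can be made concrete as a hunt over the two persistence locations the article attributes to ABCDoor: Registry Run-key values and scheduled-task actions whose command line launches pythonw.exe (or python.exe). The script below is an added example, not code from the article or from any vendor report; the entries it inspects are constructed sample data standing in for what a collector would export from a host, and the `PersistenceEntry` shape and function names are this example's own.

```python
"""Hunt persistence entries that launch a Python interpreter.

Added example (not from the Dark Reading article). Given Run-key values and
scheduled-task actions already collected from a host, it flags those whose
executable is python.exe or pythonw.exe and reports the script they run.
All sample entries below are constructed, not observed indicators.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Matches an executable path whose file name is python.exe or pythonw.exe,
# whether given bare ("pythonw.exe") or with a directory prefix.
INTERPRETER_RE = re.compile(r"(?:^|[\\/])pythonw?\.exe$", re.IGNORECASE)


@dataclass
class PersistenceEntry:
    source: str   # where the entry lives, e.g. a Run-key value or a task path
    command: str  # the command line that entry executes


def executable_of(command: str) -> str:
    """Return the executable from a Windows command line.

    A quoted path is taken up to its closing quote; otherwise the first
    whitespace-delimited token is the executable.
    """
    cmd = command.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    return cmd.split(None, 1)[0] if cmd else ""


def script_argument(command: str) -> str | None:
    """Return the first .py/.pyw argument on the command line, if any."""
    for token in re.findall(r'"[^"]*"|\S+', command):
        token = token.strip('"')
        if token.lower().endswith((".py", ".pyw")):
            return token
    return None


def is_python_launcher(command: str) -> bool:
    """True when the command line's executable is python.exe or pythonw.exe."""
    return bool(INTERPRETER_RE.search(executable_of(command)))


def find_python_persistence(entries: list[PersistenceEntry]) -> list[tuple[str, str, str | None]]:
    """Return (source, executable, script) for every entry launching Python."""
    hits = []
    for entry in entries:
        if is_python_launcher(entry.command):
            hits.append((entry.source, executable_of(entry.command),
                         script_argument(entry.command)))
    return hits


# Constructed sample: two benign entries and two Python launchers in
# user-writable locations, the shape a Run-key/scheduled-task export would have.
SAMPLE_ENTRIES = [
    PersistenceEntry(
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    PersistenceEntry(
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate",
        r'"C:\Users\alice\AppData\Roaming\Python\pythonw.exe" "C:\Users\alice\AppData\Roaming\svc\main.pyw"'),
    PersistenceEntry(
        r"Task:\Microsoft\Windows\UpdateCheck",
        r"pythonw.exe C:\ProgramData\cache\loader.py"),
    PersistenceEntry(
        r"Task:\Microsoft\Windows\Defrag\ScheduledDefrag",
        r"%windir%\system32\defrag.exe -c"),
]

if __name__ == "__main__":
    for source, exe, script in find_python_persistence(SAMPLE_ENTRIES):
        print(f"[python launcher] {source}\n    exe={exe}\n    script={script}")
```

On a real host the entries would come from an export of the Run keys and of each scheduled task's action command (for example via `Get-ItemProperty` and `Get-ScheduledTask` in PowerShell); a hit is a lead to triage, not a verdict, since legitimate developer tooling also registers pythonw.exe, so the script path and its directory's writability are what an analyst checks next.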
