China-Linked Silver Fox APT Expands Campaign, Deploys New ABCDoor Malware via Tax-Themed Phishing

Executive Summary

The China-affiliated Advanced Persistent Threat (APT) group known as Silver Fox has been observed conducting a new wave of cyber-espionage attacks. According to research from Kaspersky, the campaign, which started in December 2025, has expanded the group's typical geographical focus to include targets in India and Russia. The attackers employ socially engineered phishing emails with tax-themed lures, timed to coincide with regional tax seasons, to deliver their malware. The multi-stage infection process ultimately deploys two backdoors: the known ValleyRAT and a new, previously unseen Python-based backdoor dubbed ABCDoor. The campaign has impacted multiple sectors, including industrial, consulting, retail, and transportation.

Threat Overview

The attack is a classic phishing campaign designed to gain initial access and deploy backdoors for long-term espionage.

1. Initial Access (Phishing): The campaign begins with phishing emails tailored to the target region. The emails use lures related to national tax authorities and contain malicious attachments.
   • India Campaign (Dec 2025): Emails contained RAR archives with executables disguised with PDF icons.
   • Russia Campaign (Jan 2026): Emails used PDF attachments with external links that downloaded a malicious ZIP archive, a technique to bypass email gateways.
2. Loader Execution: The initial executable is a modified version of RustSL, an open-source shellcode loader written in Rust. It performs environment checks before proceeding.
3. Payload Delivery: The RustSL loader downloads and executes the primary payload, ValleyRAT.
4. Secondary Payload: ValleyRAT is then used to deliver the final payload, the new ABCDoor backdoor, which provides capabilities for data exfiltration and remote control.

Technical Analysis

The Silver Fox group demonstrates tactical agility by adapting its phishing methods for different target regions. The use of PDF files with external links against Russian targets is a deliberate attempt to evade security scanners that might block direct executable attachments but are less likely to flag a PDF.

The use of a multi-stage malware deployment is a common APT tactic. RustSL acts as a lightweight, evasive first stage. ValleyRAT provides a flexible, modular platform for C2 and further actions. The introduction of ABCDoor, a new Python-based backdoor, suggests the group is actively developing its toolkit to evade signature-based detection.

MITRE ATT&CK Techniques Observed:

• T1566.001 - Phishing: Spearphishing Attachment: Using malicious RAR and ZIP archives in emails.
• T1566.002 - Phishing: Spearphishing Link: Using links within PDF attachments to download malware.
• T1204.002 - User Execution: Malicious File: Relies on the user opening the malicious file from the archive.
• T1105 - Ingress Tool Transfer: Downloading ValleyRAT and ABCDoor after initial access.
• T1059.006 - Command and Scripting Interpreter: Python: ABCDoor is a Python-based backdoor.
• T1027 - Obfuscated Files or Information: Using modified open-source loaders like RustSL to evade detection.

Impact Assessment

The primary goal of the Silver Fox APT is likely intelligence gathering for economic or state advantage. By targeting industrial, consulting, and transportation sectors, the group may be seeking to steal intellectual property, trade secrets, or sensitive business information. The high volume of phishing emails (over 1,600 in two months) indicates a broad and persistent campaign. A successful compromise by ABCDoor or ValleyRAT would give the attackers long-term access to a victim's network, allowing for extensive data exfiltration and monitoring.

Detection & Response

• Email Security: Enhance email gateway filtering to better detect and quarantine emails with malicious archives (RAR, ZIP) or PDFs containing suspicious external links. Use sandboxing to analyze attachments before delivery.
• Process Analysis (D3-PA): Monitor for the execution of unsigned executables from temporary directories or user download folders. EDR solutions should be configured to alert on processes that exhibit loader-like behavior, such as allocating executable memory and writing to it.
• Network Traffic Analysis (D3-NTA): Identify and baseline C2 traffic from known RATs like ValleyRAT. Look for suspicious outbound connections from processes that should not be communicating with the internet.
• Endpoint Detection: Deploy EDR rules to detect the execution of Python scripts from unusual locations or by unexpected parent processes, which could indicate the presence of ABCDoor.

Mitigation

• User Training: This is the most critical mitigation for phishing attacks. Train employees to be suspicious of unsolicited emails, especially those with urgent calls to action related to sensitive topics like taxes or finances. Teach them to never open attachments or click links from unknown senders and to report suspicious emails.
• Application Hardening (D3-AH): Configure email clients and office applications to block or warn users about opening certain file types or content with external links.
• Executable Denylisting (D3-EDL): Use application control to prevent the execution of unauthorized executables, scripts, and loaders. This can block the initial RustSL payload from running.
• Endpoint Protection: Ensure that antivirus and EDR solutions are up-to-date and configured to detect and block known RATs like ValleyRAT and suspicious Python execution.