Mallory
Malware. Used by 1 actor.

RustSL

RustSL is a Rust-based modular shellcode loader and antivirus/EDR bypass framework. The provided content describes it as an open-source project with a PyQt5 GUI, plugin-based extensibility, configurable Cargo features, multiple shellcode encoding and encryption options, numerous memory allocation and execution techniques, anti-sandbox and anti-VM checks, and syscall-based execution including indirect and VEH syscalls. It supports payload loading from embedded data, local files, named pipes, mailslots, and remote URLs, and is intended to generate stealthy loaders through static linking, compiler optimizations, stripped binaries, and optional signature/icon changes.

The content also states that threat actors, specifically the Silver Fox group, used modified RustSL variants in phishing campaigns observed from late December 2025 through January 2026. In these campaigns, tax-themed phishing emails impersonating Indian and Russian authorities delivered ZIP or RAR archives containing executables disguised as PDF files. Those executables were modified RustSL loaders that unpacked encrypted payloads, performed environment checks and country-based geofencing, and then downloaded and executed ValleyRAT; in some cases the broader infection chain also led to ABCDoor deployment via ValleyRAT plugins. Reported targeted sectors included industrial, consulting, trade/retail, and transportation organizations.

High-confidence modifications attributed to Silver Fox include added modules named steganography.rs for payload unpacking and guard.rs for environment checks and geofencing. The modified loaders extracted encrypted payloads delimited by <RSL_START> and <RSL_END> and commonly used the hard-coded key RSL_STEG_2025_KEY. Observed geolocation checks queried ip-api.com, ipwho.is, ipinfo.io, ipapi.co, and www.geoplugin.net, with execution allowed for systems in India, Indonesia, South Africa, Russia, Cambodia, and later Japan. At least one sample implemented Phantom Persistence. Specific sample MD5s mentioned in the content are e6362a81991323e198a463a8ce255533 and 2c5a1dd4cb53287fe0ed14e0b7b7b1b7.
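As an added static-triage example (not code from Mallory, Securelist or the RustSL project), the following Python carves the blob between the `<RSL_START>` and `<RSL_END>` delimiters the page describes, measures its entropy, and flags the page-named key string and geolocation hosts when they appear as plain strings; the sample bytes and the use of entropy as a ciphertext hint are constructed assumptions, and the page does not state the cipher, so no decryption is attempted.

```python
"""Static triage for a suspected RustSL-derived loader (added example, not project code)."""
import math
from collections import Counter
from typing import Optional

START, END = b"<RSL_START>", b"<RSL_END>"
KEY_STRING = b"RSL_STEG_2025_KEY"
GEO_HOSTS = [b"ip-api.com", b"ipwho.is", b"ipinfo.io", b"ipapi.co", b"www.geoplugin.net"]

# Constructed stand-in for a sample: fake MZ stub, a maximum-entropy block in place of
# the encrypted payload, then two indicators as plain strings. Not a real file.
SAMPLE = (b"MZ" + b"\x00" * 64 + START + bytes(range(256)) * 16 + END
          + KEY_STRING + b"\x00ip-api.com\x00ipinfo.io\x00")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def carve_payload(blob: bytes) -> Optional[bytes]:
    """Bytes between the first START marker and the next END marker, or None if absent."""
    s = blob.find(START)
    if s < 0:
        return None
    e = blob.find(END, s + len(START))
    return None if e < 0 else blob[s + len(START):e]


def triage(blob: bytes) -> dict:
    """Summarise the static indicators an analyst would pivot on for this family."""
    payload = carve_payload(blob)
    return {
        "delimited_payload": payload is not None,
        "payload_len": len(payload) if payload is not None else 0,
        "payload_entropy": round(shannon_entropy(payload), 2) if payload is not None else 0.0,
        "has_key_string": KEY_STRING in blob,
        "geo_hosts": [h.decode() for h in GEO_HOSTS if h in blob],
    }


if __name__ == "__main__":
    print(triage(SAMPLE))
```

A high-entropy delimited blob plus the key string is a strong static hint, but the geolocation hosts alone are not: legitimate software also queries them.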


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Silver Fox

The attackers used a modified version of a Rust loader named RustSL... The Silver Fox APT group first began using the modified version of RustSL in late December 2025.

via securelist.ru
MITRE ATT&CK

Techniques & procedures

13 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

3 techniques
T1566 Phishing (evidence: 4)

The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities.

T1566.001 Spearphishing Attachment (evidence: 3)

Both waves had an almost identical structure: the phishing emails were styled as official notices of tax audits or offered to download an archive with a "list of tax violations"... In the December mailing, the malicious code was contained directly in the files attached to the email.

T1566.002 Spearphishing Link (evidence: 5)

In the January mailing, victims received an email purportedly from the tax service with an attached PDF file... The PDF file contained two clickable links for downloading an archive, leading to a malicious resource.

Execution

2 techniques
T1204 User Execution (evidence: 2)

Both mailing variants try to play on the importance of letters from the tax authorities to convince the victim to download the document and launch the attack chain.

T1574 Hijack Execution Flow (evidence: 2)

the loader, built on January 7, 2026 ... began establishing persistence using the recent Phantom Persistence technique... Hijack logic: Shutdown signal -> Abort shutdown -> Restart with EWX_RESTARTAPPS

Persistence

1 technique
T1547 Boot or Logon Autostart Execution (evidence: 1)

The attackers intercept the system shutdown signal, halt the normal shutdown sequence, and trigger a reboot under the guise of an update for the malware. Consequently, the loader forces the system to execute it upon OS startup.

Stealth

5 techniques
T1027 Obfuscated Files or Information (evidence: 1)

the original version of RustSL encrypts all strings by default and adds junk instructions to complicate analysis... The launched JS script is heavily obfuscated

T1036 Masquerading (evidence: 4)

The infection chain begins with the user launching an executable file ... with a PDF or Excel file icon.

T1497 Virtualization/Sandbox Evasion (evidence: 4)

guard.rs... implements various checks of the runtime environment and the launch country. In the very first loader samples ... used all available methods of detecting virtual machines and sandboxes

T1497.001 System Checks (evidence: 3)

In later versions, only the geolocation check remained... To determine the country, Silver Fox RustSL sent requests to five public services

T1574 Hijack Execution Flow (evidence: 2)

the loader, built on January 7, 2026 ... began establishing persistence using the recent Phantom Persistence technique... Hijack logic: Shutdown signal -> Abort shutdown -> Restart with EWX_RESTARTAPPS

Discovery

4 techniques
T1497 Virtualization/Sandbox Evasion (evidence: 4)

guard.rs... implements various checks of the runtime environment and the launch country. In the very first loader samples ... used all available methods of detecting virtual machines and sandboxes

T1497.001 System Checks (evidence: 3)

In later versions, only the geolocation check remained... To determine the country, Silver Fox RustSL sent requests to five public services

T1614 System Location Discovery (evidence: 1)

Another module added to Silver Fox RustSL is guard.rs. It implements various environment checks and country-based geofencing.

T1614.001 System Language Discovery (evidence: 1)

The end goal of the Silver Fox RustSL variant is to unpack the encrypted malicious payload, while implementing country-based geofencing... While the GitHub variant only includes China in its country list, the bespoke version features India, Indonesia, South Africa, Russia, and Cambodia.

T1105 Ingress Tool Transfer (evidence: 5)

It downloaded and launched the known ValleyRAT backdoor... the module tried several ways to download a 52.5 MB archive from a hard-coded address.

INDICATORS OF COMPROMISE

IOCs tracked for this family

55 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network
11 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes
43 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other
1 tracked

Other indicator types observed in public reporting.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news.

cyber security news (News)
May 5, 2026
Silver Fox Uses Fake Tax Notices to Deploy ValleyRAT and New ABCDoor Backdoor

RustSL is a modified Rust-based loader adapted by Silver Fox from a public GitHub repository. The customized version includes steganography-based payload unpacking, environment checks, and country-based geofencing. It disguises itself with PDF or Excel icons, loads encrypted shellcode, downloads ValleyRAT components, and implements 'Phantom Persistence' by intercepting shutdown signals and forcing reboot-based re-execution.

scworld (News)
May 5, 2026
Silver Fox expands Asia cyber campaign with new ABCDoor malware | brief | SC Media

An open-source shellcode loader whose modified variant unpacks encrypted malicious payloads, performs geofencing and environment checks, establishes persistence via Phantom Persistence, and downloads ValleyRAT.

the hacker news (News)
May 4, 2026
Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia

An open-source shellcode loader and antivirus bypass framework modified by Silver Fox to unpack encrypted payloads, apply geofencing, perform VM/sandbox checks, establish persistence in some variants, and download/execute ValleyRAT.

securelist ru (News)
Apr 30, 2026
Dissecting the Silver Fox "tax" campaign and the new ABCDoor backdoor | Securelist

Rust-based loader adapted by Silver Fox for phishing campaigns. It decrypts and launches payloads, performs geofencing and environment checks, supports multiple payload encodings, can fetch encrypted payloads from local archives or remote resources, and in some samples uses Phantom Persistence to survive reboot.
