The China-linked threat group Silver Fox ran a phishing campaign that impersonated tax authorities in India and Russia to infect organizations with ValleyRAT and a newly documented Python backdoor, ABCDoor. Researchers said the activity began with fake tax notices sent as PDF attachments that directed victims to download a malicious archive. That archive contained a modified Rust-based loader, RustSL, which used geofencing, environment checks, stealth features, and persistence mechanisms before deploying ValleyRAT and then ABCDoor. More than 1,600 malicious emails were observed between early January and early February 2026, with victims spanning the industrial, consulting, retail, and transportation sectors.
Analysis tied ABCDoor to Silver Fox’s toolkit since at least late 2024, with confirmed operational use starting in early 2025. On infected Windows systems, the malware established persistence through the Run registry key and a scheduled task named AppClient, concealed files under C:\ProgramData\Tailscale, and abused pythonw.exe and ffmpeg.exe to blend in while enabling surveillance, remote interaction, module execution, command-and-control, and data exfiltration. Researchers also identified a new ValleyRAT plugin that acted as a loader for ABCDoor, showing the group is expanding a malware chain built for covert access and follow-on control.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
Security reporting published on 2026-05-05 detailed Silver Fox's use of ValleyRAT together with the newly documented ABCDoor backdoor. The reports described the malware chain, persistence methods, and use of a modified Rust-based loader in phishing attacks.
On publication of its report, Cisco Talos linked the South America and southeastern Europe government targeting to the China-nexus actor UAT-8302. Talos also assessed the group likely works closely with other Chinese-speaking or China-aligned clusters because of extensive tooling overlap.
Between early January and early February 2026, researchers observed more than 1,600 malicious emails tied to the Silver Fox campaign. The activity targeted organizations across multiple countries and industry sectors.
In January 2026, Silver Fox repeated the phishing operation against Russian targets using tax-themed audit notices. Organizations in industrial, consulting, retail, and transportation sectors were among those affected.
In December 2025, Silver Fox began sending phishing emails impersonating India's Income Tax Department to deliver malware. The infection chain used PDF lures linking to malicious archives that deployed a Rust-based loader and ultimately ValleyRAT.
Cisco Talos attributed additional 2025 activity by UAT-8302 to intrusions against government agencies in southeastern Europe. Researchers said the actor used shared malware such as NetDraft, CloudSorcerer, SNOWLIGHT, SNOWRUST, Deed RAT, Zingdoor, and Draculoader.
Kaspersky assessed that the newly documented Python-based backdoor ABCDoor had been in Silver Fox's malware arsenal since at least 2024-12-19, with likely toolkit presence beginning in late 2024. This predates the later phishing campaigns in India and Russia.
Cisco Talos said the China-nexus cluster UAT-8302 has targeted government entities in South America since late 2024. The campaign involved post-exploitation activity using shared China-aligned tooling including NetDraft and other malware families.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcethehackernews.com
Open sourcescworld.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.