{"id":2797,"date":"2026-04-30T07:04:02","date_gmt":"2026-04-30T07:04:02","guid":{"rendered":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/30\/silver-fox-uses-the-new-abcdoor-backdoor-to-target-organizations-in-russia-and-india\/"},"modified":"2026-04-30T07:04:02","modified_gmt":"2026-04-30T07:04:02","slug":"silver-fox-uses-the-new-abcdoor-backdoor-to-target-organizations-in-russia-and-india","status":"publish","type":"post","link":"https:\/\/blog.ibvl.in\/index.php\/2026\/04\/30\/silver-fox-uses-the-new-abcdoor-backdoor-to-target-organizations-in-russia-and-india\/","title":{"rendered":"Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India"},"content":{"rendered":"
\n

\"\"<\/p>\n

In December 2025, we detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began targeting Russian organizations. We have attributed this activity to the Silver Fox threat group.<\/p>\n

Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a \u201clist of tax violations\u201d. Inside the archive was a modified Rust-based loader pulled from a public repository. This loader would download and execute the well-known ValleyRAT backdoor. The campaign impacted organizations across the industrial, consulting, retail, and transportation sectors, with over 1600 malicious emails recorded between early January and early February.<\/p>\n

During our investigation, we also discovered that the attackers were delivering a new ValleyRAT plugin to victim devices, which functioned as a loader for a previously undocumented Python-based backdoor. We have named this backdoor ABCDoor. Retrospective analysis reveals that ABCDoor has been part of the Silver Fox arsenal since at least late 2024 and has been utilized in real-world attacks from the first quarter of 2025 to the present day.<\/p>\n

Email campaign<\/h2>\n

In the January campaign, victims received an email purportedly from the tax service with an attached PDF file.<\/p>\n

\"Phishing<\/a><\/p>\n

Phishing email sent to victims in Russia<\/p>\n<\/div>\n

The PDF contained two clickable links to download an archive, both leading to a malicious website: abc.haijing88[.]com\/uploads\/\u0444\u043d\u0441\/\u0444\u043d\u0441.zip.<\/p>\n

\"Contents<\/a><\/p>\n

Contents of the PDF file from the January phishing wave<\/p>\n<\/div>\n

\"Contents<\/a><\/p>\n

Contents of the \u0444\u043d\u0441.zip archive<\/p>\n<\/div>\n

In the December campaign, the malicious code was embedded directly within the files attached to the email.<\/p>\n

\"Phishing<\/a><\/p>\n

Phishing email sent to victims in India<\/p>\n<\/div>\n

The email shown in the screenshot above was sent via the SendGrid cloud platform and contained an archive named ITD.-.rar<\/code>. Inside was a single executable file, Click File.exe, with an Adobe PDF icon (the RustSL loader).<\/p>\n

\"Contents<\/a><\/p>\n

Contents of ITD.-.rar<\/p>\n<\/div>\n

Additionally, in late December, emails were distributed with an attachment titled GST.pdf containing two links leading to hxxps:\/\/abc.haijing88[.]com\/uploads\/\u5370\u5ea6\u90ae\u7bb1\/CBDT.rar. (\u5370\u5ea6\u90ae\u7bb1 translates from Chinese as \u201cIndian mailbox\u201d).<\/p>\n

\"PDF<\/a><\/p>\n

PDF file from the phishing email<\/p>\n<\/div>\n

Both versions of the campaign attempt to exploit the perceived importance of tax authority correspondence to convince the victim to download the document and initiate the attack chain. The method of using download links within a PDF is specifically designed to bypass email security gateways; since the attached document only contains a link that requires further analysis, it has a higher probability of reaching the recipient compared to an attachment containing malicious code.<\/p>\n

RustSL loader<\/h2>\n

The attackers utilized a modified version of a Rust-based loader called RustSL, whose source code is publicly available on GitHub with a description in Chinese:<\/p>\n

\"Screenshot<\/a><\/p>\n

Screenshot of the description from the RustSL loader GitHub project<\/p>\n<\/div>\n

The description also refers to RustSL as an antivirus bypass framework, as it features a builder with extensive customization options:<\/p>\n