Silver Fox Targets India And Russia With Phishing Campaign Delivering ABCDoor And ValleyRAT Malware

A cyber campaign attributed to the China-based threat group known as Silver Fox has been identified targeting organizations in India and Russia through phishing attacks designed to deliver malware payloads. Security researchers have linked the activity to the deployment of a previously known backdoor, ValleyRAT, along with a newly identified malware variant named ABCDoor. The campaign reflects a continued pattern of targeted phishing operations that exploit trusted communication channels and rely on social engineering to compromise organizational systems across multiple regions.

According to findings shared by Kaspersky, the attack campaign initially focused on Indian entities in December 2025, where phishing emails were crafted to resemble official communication from the Income Tax Department of India. These messages were designed to appear as legitimate audit notices or alerts related to tax compliance issues, prompting recipients to download an attached archive file. The campaign later extended to organizations in Russia, maintaining a similar structure and delivery method. In both cases, the emails were tailored to create a sense of urgency and authenticity, increasing the likelihood of user interaction with malicious content.

The archive files distributed through these phishing emails contained a modified Rust-based loader sourced from a publicly available repository. Once executed, this loader downloaded and installed the ValleyRAT backdoor, which has previously been associated with remote access capabilities and data exfiltration. In addition to ValleyRAT, researchers identified the use of ABCDoor, a newer malware component linked to the same campaign. The presence of multiple payloads indicates a layered approach to compromise, in which the attackers deploy different tools to establish persistence, maintain control, and potentially expand access within targeted environments.

The campaign demonstrates a consistent operational pattern in which the attackers rely on tax-themed lures and official-looking communications to gain initial access. By mimicking government institutions and regulatory notices, the threat actors increase the credibility of their messages and reduce suspicion among recipients. The use of Rust-based loaders also reflects an evolving technical approach, as such tools can be adapted and modified to evade detection mechanisms. Researchers noted that both waves of the campaign followed nearly identical structures, highlighting a repeatable framework that can be scaled across different geographic targets.

The activity attributed to Silver Fox underscores the ongoing challenge organizations face in defending against phishing-based intrusion attempts and malware distribution campaigns. The combination of social engineering, adaptable malware delivery mechanisms, and cross-region targeting reflects a coordinated effort to exploit weaknesses in both user behavior and system defenses. Security experts continue to emphasize the importance of user awareness, email filtering, and endpoint protection to reduce exposure to such threats, particularly in environments where sensitive data and operational systems are at risk of unauthorized access.
