
Silver Fox APT expands ABCDoor backdoor operations with RustSL loader and tax-themed phishing targeting India, Russia, and additional regions

2 unique sources, 2 articles

Summary


Silver Fox continues tax-themed phishing operations targeting Indian and Russian organizations, with a newly detailed payload set that includes the ABCDoor backdoor and refined persistence and command-and-control techniques. The campaign began in December 2025 with emails impersonating Indian tax authorities, expanding in January 2026 to target Russian entities using identical tax-audit lures. Kaspersky observed over 1,600 malicious emails across industrial, consulting, retail, and transportation sectors between January and February 2026. Payloads delivered via RustSL loaders include the ValleyRAT backdoor and the previously undocumented ABCDoor Python-based backdoor, which has been active in real-world attacks since Q1 2025. ABCDoor leverages Windows Registry Run keys and scheduled tasks for persistence, communicates over HTTPS using Socket.IO, and supports covert remote control features such as multi-monitor screen streaming and clipboard theft. The backdoor also supports self-updating, self-removal, and extensive host metadata collection, leaving detectable forensic artifacts in the registry and %LOCALAPPDATA%. The campaign’s geographic scope continues to expand, with RustSL configurations now including Japan alongside India, Russia, Indonesia, South Africa, and Cambodia. Silver Fox’s targeting now spans China, Taiwan, Japan, India, Russia, Indonesia, South Africa, and Cambodia, reflecting a broadening operational footprint beyond its historical focus.

Timeline

  1. 04.05.2026 14:57 · 2 articles

    Silver Fox deploys ABCDoor backdoor via RustSL loader in tax-themed phishing campaigns targeting India and Russia

    In December 2025 and early 2026, Silver Fox conducted phishing campaigns using tax-themed lures to deliver RustSL loaders that deploy the ValleyRAT and ABCDoor backdoors. The campaign targeted industrial, consulting, retail, and transportation sectors in India and Russia, with over 1,600 emails observed between January and February 2026. Attack chains involved ZIP/RAR archives hosted on abc.haijing88[.]com containing RustSL variants that perform geofencing and sandbox evasion. New technical details from Kaspersky reveal that ABCDoor uses Windows Registry Run keys and scheduled tasks for persistence, communicates with its command-and-control (C2) server over HTTPS via asynchronous Socket.IO messaging under a legitimate pythonw.exe process, and supports multi-monitor screen streaming via FFmpeg, remote mouse and keyboard control, clipboard theft, file operations, and limited file-encryption features. ABCDoor also supports self-updating and self-removal, collects extensive host metadata, and leaves forensic artifacts in the registry and under %LOCALAPPDATA%. Infection vectors expanded to include PDFs embedding links to attacker-controlled infrastructure hosting malicious ZIP or RAR files.

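The persistence and C2 behaviours described in this entry (a Run key and a scheduled task that launch pythonw.exe, HTTPS traffic from that headless interpreter, and script files under %LOCALAPPDATA%) translate directly into a host-telemetry hunt. The Python below is an added example written for this page, not code from Kaspersky or from the CyberHappenings entry: the Sysmon-style event dictionaries, the `ExampleSvc` task and Run-key names, the user path and the 203.0.113.x addresses are constructed placeholders, and the rule names are the example's own.

```python
import re
from dataclasses import dataclass

# Patterns for the artifact locations the report names. Paths and event
# shapes are constructed for this example, not taken from real samples.
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
LOCALAPPDATA_RE = re.compile(r"\\AppData\\Local\\", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    event_id: int
    rule: str
    detail: str


def _is_pythonw(image: str) -> bool:
    return image.lower().endswith("\\pythonw.exe")


def check_event(ev: dict) -> list[Finding]:
    """Return the detection rules a single Sysmon-style event matches."""
    findings: list[Finding] = []
    eid = ev.get("EventID")
    image = ev.get("Image", "")
    cmd = ev.get("CommandLine", "")

    if eid == 1:  # process creation
        # pythonw.exe launched with a script that lives under %LOCALAPPDATA%
        if _is_pythonw(image) and LOCALAPPDATA_RE.search(cmd):
            findings.append(Finding(eid, "pythonw_script_in_localappdata", cmd))
        # schtasks.exe registering a task whose action runs pythonw.exe
        if (image.lower().endswith("\\schtasks.exe")
                and "/create" in cmd.lower() and "pythonw" in cmd.lower()):
            findings.append(Finding(eid, "scheduled_task_runs_pythonw", cmd))
    elif eid == 3:  # network connection
        # a headless Python interpreter talking HTTPS is unusual on most hosts
        if _is_pythonw(image) and ev.get("DestinationPort") == 443:
            dest = f"{ev.get('DestinationIp')}:{ev.get('DestinationPort')}"
            findings.append(Finding(eid, "pythonw_https_beacon", dest))
    elif eid == 13:  # registry value set
        target = ev.get("TargetObject", "")
        details = ev.get("Details", "")
        if RUN_KEY_RE.search(target) and "pythonw" in details.lower():
            findings.append(Finding(eid, "run_key_points_to_pythonw", f"{target} = {details}"))
    return findings


def hunt(events: list[dict]) -> dict[str, int]:
    """Count matches per rule across a batch of events."""
    counts: dict[str, int] = {}
    for ev in events:
        for f in check_event(ev):
            counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry: four suspicious events followed by two benign ones
# (a browser on 443 and a well-known Run key) that the rules must not flag.
PYW = r"C:\Users\alice\AppData\Local\Programs\Python\Python311\pythonw.exe"
SCRIPT = r"C:\Users\alice\AppData\Local\ExampleSvc\main.py"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PYW, "CommandLine": f'pythonw.exe "{SCRIPT}"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks.exe /create /sc onlogon /tn ExampleSvc /tr "{PYW} {SCRIPT}"'},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\ExampleSvc",
     "Details": f'"{PYW}" {SCRIPT}'},
    {"EventID": 3, "Image": PYW, "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for rule, n in sorted(hunt(SAMPLE_EVENTS).items()):
        print(f"{rule}: {n}")
```

Each rule on its own is noisy on a developer workstation, where pythonw.exe legitimately runs GUI tools and reaches the internet; the value comes from correlating two or more of them on the same host within a short window, and from allowlisting known script paths before the rules are deployed broadly.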


Similar Happenings

APT24 Utilizes BadAudio Malware in Multi-Year Espionage Campaign

APT24, a China-linked threat group, has been using previously undocumented BadAudio malware in a nearly three-year espionage campaign targeting Windows systems. The campaign, active since November 2022, employed various attack methods including spearphishing, supply-chain compromise, and watering hole attacks. The malware is heavily obfuscated and uses sophisticated techniques to evade detection and hinder analysis. From November 2022 to at least September 2025, APT24 compromised over 20 legitimate websites to inject malicious JavaScript code, targeting specific visitors. Starting July 2024, the group compromised a Taiwanese digital marketing company, injecting malicious JavaScript into widely used libraries, affecting over 1,000 domains. Additionally, APT24 launched spearphishing operations using emails impersonating animal rescue organizations and leveraging cloud services for malware distribution. The BadAudio malware collects system details, communicates with a hard-coded C2 server, and executes payloads in memory using DLL sideloading. Despite its prolonged use, the malware remained largely undetected, with only a few samples flagged by antivirus engines. APT24 has been active since at least 2008, targeting various sectors including government, healthcare, construction, and telecommunications. The group is closely related to the Earth Aughisky group, which has also deployed Taidoor and Specas malware.

Silver Fox Expands Winos 4.0 Attacks to Japan and Malaysia with HoldingHands RAT

The Silver Fox threat group has expanded its Winos 4.0 attacks to target Japan and Malaysia using the HoldingHands RAT. This campaign involves phishing emails with malicious PDFs and exploits SEO poisoning to distribute malware. The group has been active since at least March 2024, targeting various sectors in China, Taiwan, Japan, and Malaysia. The malware employs sophisticated techniques to evade detection and maintain persistence on compromised systems. The HoldingHands RAT is designed to connect to a remote server, send host information, and execute commands from the attacker. It includes features to update the command-and-control (C2) address via a Windows Registry entry. The malware is equipped to capture sensitive information, run arbitrary commands, and download additional payloads. The group has also been linked to Operation Silk Lure, targeting Chinese fintech, cryptocurrency, and trading platform sectors with highly targeted phishing emails containing malicious .LNK files.

Espionage Campaign Targeting Eastern Asia via Sogou Zhuyin Update Server Hijacking

An abandoned update server for the Sogou Zhuyin input method editor (IME) software was hijacked by threat actors to distribute malware in an espionage campaign. The campaign, codenamed TAOTH, primarily targets users in Eastern Asia, including dissidents, journalists, researchers, and technology/business leaders. The malware families deployed include C6DOOR, GTELAM, DESFY, and TOSHIS, which enable remote access, information theft, and backdoor functionality. The attack chain begins with a compromised update process that fetches malicious payloads from a hijacked domain. The campaign was identified in June 2025, with the domain hijacking occurring in October 2024. The malware families were first detected between December 2024 and May 2025. The primary targets are in Taiwan, accounting for 49% of all targets, followed by Cambodia and the U.S. The attackers also used phishing websites and fake cloud storage pages to distribute TOSHIS. The TAOTH campaign shares infrastructure and tooling overlap with previously documented threat activity by ITOCHU, indicating a persistent threat actor focused on reconnaissance, espionage, and email abuse.