Silver Fox Springs Tax-Themed Attacks on Orgs in India, Russia
Recorded: May 11, 2026, 1:16 p.m.
Original
Silver Fox Springs Tax-Themed Attacks on Orgs in India, Russia

More than 1,600 socially engineered messages from the China-backed advanced persistent threat (APT) group target various sectors to deliver the previously undocumented ABCDoor backdoor, ValleyRAT, and other malware.

Elizabeth Montalbano, Contributing Writer
May 4, 2026
5 Min Read

Chinese threat actor Silver Fox is behind a wave of malicious emails aimed at organizations in Russia and India, targeting them with tax-themed lures designed to deliver a previously undocumented backdoor, as well as a remote access Trojan (RAT) that is already a well-established part of the group's arsenal.

The campaign, which began in December, surfaced with emails impersonating Indian tax authorities, and then expanded in January to target Russian organizations using similar tactics, according to a recent report by Kaspersky researchers. "Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits, or prompted users to download an archive containing a 'list of tax violations,'" Kaspersky researchers wrote in the report.

Inside the archive was a modified Rust-based loader pulled from a public repository, which would download and execute the well-known ValleyRAT backdoor. In some cases, the PDFs embedded links to attacker-controlled infrastructure hosting malicious ZIP or RAR files, the researchers said. The campaign also delivered a backdoor that the researchers had not seen before, dubbed "ABCDoor."

Kaspersky recorded more than 1,600 malicious messages within its telemetry related to the campaigns between early January and early February, targeting various sectors, including industrial, consulting, retail, and transportation.

Tax Scams Show Universal Reach

Such tax scams are common in the US but apparently also have universal appeal for attackers looking to scam victims in other countries.
That's likely because they target "a very human weakness," notes Rickard Carlsson, CEO of application security firm Detectify.

"People behave differently when they think a government authority is involved," he tells Dark Reading. "An email about taxes, penalties, or an audit creates urgency before the victim has even opened the attachment."

Indeed, social engineering in general remains an effective tactic, "because attackers only need one person to click once," he adds, while defenders "are expected to get everything right all the time, often across an attack surface that keeps changing as new tools, services, integrations, and cloud assets are added." He adds, "On top of that, it is often impossible to fully lock systems down, as doing so would render them unusable for the business."

ABCDoor: A Stealthy New Backdoor Malware

Successful attacks resulted in the delivery of various payloads, notably a previously undocumented Python backdoor called ABCDoor, which Kaspersky found has been in use by Silver Fox since at least late 2024. Overall, it has been used "in real-world attacks from the first quarter of 2025 to the present day," the researchers wrote, even though it was only recently uncovered.

ABCDoor establishes persistence through Windows Registry Run keys and scheduled tasks, then communicates with its command-and-control (C2) servers over HTTPS using asynchronous Socket.IO messaging. Running under a legitimate pythonw.exe process to evade detection, the malware focuses less on traditional command execution and more on covert remote-interaction capabilities, including multimonitor screen streaming via FFmpeg, remote mouse and keyboard control, clipboard theft, file operations, and limited file-encryption features.
The backdoor also supports self-updating and self-removal, collects extensive host metadata, and leaves forensic artifacts in the registry and under %LOCALAPPDATA% that defenders can monitor for detection.

Other payloads in the attacks include ValleyRAT, whose use by Silver Fox has already been documented, and a customized version of the RustSL loader that the group has heavily modified to suit its own purposes, according to Kaspersky.

Expanding Geographic Reach for Cyberattacks

Silver Fox is a China-backed threat group that has been active for a few years and has become something of a Swiss Army knife among threat groups, with both diverse tactics, techniques, and procedures (TTPs) and diverse motives for its attacks. While primarily aimed at cyberespionage and critical-infrastructure disruption, the group also at times conducts financially motivated attacks, a cross-pollination that has been seen in North Korean threat actors but is rare for Chinese threat groups.

While the group primarily targets organizations in Taiwan, North America and Japan are also home to some of Silver Fox's victims. The recent campaign is significant in that it shows the group expanding its regional focus for the first time to targets in Russia, the researchers noted. Silver Fox has also added Japan to the configuration of its specific implementation of the RustSL loader, which is built to operate only in specific countries, the researchers noted. "Theoretically, the group could add other countries to this list in the future," they added.

Email Vigilance Remains a Priority

Though it may seem like a no-brainer, the campaign once again demonstrates how email remains a weak link in organizations, even though — or perhaps because — employees have been trained on email security issues for so long.
Security teams must avoid complacency when it comes to email security across the corporate network.

"This serves as another reminder of the critical need for vigilance and the thorough verification of all emails, even those purportedly from authoritative sources," the researchers wrote. "We recommend that organizations improve employee security awareness through regular training and educational courses."

Indeed, the phishing email is "the front door" through which attackers install backdoors to gain persistence and remote access, buying time to explore the environment for future compromise, Detectify's Carlsson tells Dark Reading. "Small visibility gaps can become serious if an organization does not have a clear picture of which systems, exposed assets, and access paths exist," he says.

For defenders, however, the lesson isn't just about training employees not to click, Carlsson warns. "Organizations have to adopt an 'assume breach' posture, operating under the reality that devices will eventually be compromised and plan accordingly," he says. The planning should include email filtering, attachment and URL analysis, endpoint detection, least-privilege access, software execution controls, and continuous visibility into the external attack surface.

About the Author
Elizabeth Montalbano, Contributing Writer. Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience.
Summarized

Silver Fox, a China-backed advanced persistent threat (APT) group, has launched targeted attacks against organizations in Russia and India, using tax-themed phishing emails to deliver malware. The campaign, initiated in December and expanding to Russia in January, employed deceptive lures mimicking official tax notices and requests for information regarding tax violations. These emails prompted recipients to download archives containing malicious payloads, primarily the ValleyRAT backdoor and a newly discovered backdoor dubbed "ABCDoor." ABCDoor, in use since at least late 2024, is a stealthy Python backdoor that persists through Windows Registry Run keys and scheduled tasks, communicates over HTTPS with asynchronous Socket.IO messaging, and uses FFmpeg for screen streaming. It harvests extensive host metadata and leaves forensic artifacts, and its capabilities include remote mouse and keyboard control and limited file encryption. Kaspersky researchers recorded over 1,600 malicious messages related to these campaigns between early January and early February, targeting various sectors including industrial, consulting, retail, and transportation. Elizabeth Montalbano highlights the group's broader TTPs, noting its diverse capabilities and occasional forays into financially motivated attacks, with victims across regions including Taiwan, North America, and Japan. The campaign underscores the continued vulnerability of email as a primary attack vector, driven by human behavior and the difficulty of comprehensive defense across evolving attack surfaces. Defenders are advised to prioritize vigilance and meticulous email verification and to adopt an "assume breach" posture, integrating controls such as email filtering, endpoint detection, and least-privilege access to mitigate the risk posed by Silver Fox's evolving tactics.