Silver Fox uses fake tax notices to spread ValleyRAT and new ABCDoor backdoor


Silver Fox is using fake tax authority notices to infect organizations with ValleyRAT and a newly documented Python-based backdoor called ABCDoor.

The campaign first appeared in December 2025 with phishing emails impersonating India’s tax service. A similar wave followed in January 2026 against Russian organizations.

The emails were designed to look like official tax audit notices or warnings about alleged tax violations. Victims were pushed to download an archive that appeared to contain a list of tax problems, but it actually started a multi-stage malware chain.

What makes this campaign dangerous

This campaign succeeds through social pressure rather than technical sophistication at the initial stage. Employees tend to take tax notices seriously, especially when a message threatens penalties, audits, or official action.

Kaspersky researchers linked the activity to Silver Fox and said more than 1,600 malicious emails were recorded between early January and early February 2026. The targets included organizations in industrial, consulting, retail, and transportation sectors.

The attack also shows how Silver Fox continues to expand its toolkit. ValleyRAT was already associated with the group, but ABCDoor adds a stealthier backdoor focused on remote control, screen viewing, clipboard theft, and file operations.

Campaign detail | What researchers found
Threat group | Silver Fox
Main lure | Fake tax audit notices and tax violation warnings
Initial targets | Organizations in India and Russia
Known activity | December 2025 and January 2026 phishing waves
Malware delivered | ValleyRAT and ABCDoor
Loader used | Modified RustSL loader

How the phishing emails worked

The phishing emails carried PDF files that looked like tax-related documents. Instead of embedding malware directly, the PDFs contained links that led victims to ZIP or RAR archives hosted on attacker-controlled infrastructure.

This approach can help attackers avoid basic email security checks. A PDF with links may look less suspicious than an email with an executable attachment, even though the final result can be just as harmful.

Inside the archive, victims found an executable disguised with a PDF or Excel-style icon. Because the icon is stored inside the executable itself, a file listing that shows icons rather than extensions gives no hint that the file is a program. When opened, it launched a customized version of RustSL, a Rust-based loader originally available from a public GitHub repository.
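As an added example (not code from the Kaspersky report or from any Silver Fox tooling), the following Python script triages a ZIP archive the way a mail-gateway or sandbox pre-filter might: it flags entries whose name ends in an executable extension, a document extension followed by an executable one, whitespace padding that pushes the real extension out of view, and entries whose content starts with the PE "MZ" header despite a document-like name. The extension lists, the sample archive and its file names are constructed for the example; a RAR archive would need a RAR reader such as the rarfile package, which this script does not use.

```python
import io
import zipfile

# Extensions Windows runs on double-click, and document types a tax lure claims to be.
# Both lists are constructed for this example, not taken from the Kaspersky report.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".msi"}
DOCUMENT_EXTS = {".pdf", ".xls", ".xlsx", ".doc", ".docx", ".csv", ".txt"}


def name_suffixes(entry_name):
    """All dotted suffixes of an archive entry's base name, lower-cased and with
    padding removed, so 'Notice.pdf        .exe' yields ['.pdf', '.exe']."""
    base = entry_name.replace("\\", "/").rsplit("/", 1)[-1]
    parts = [p.strip().lower() for p in base.split(".")]
    return ["." + p for p in parts[1:] if p]


def inspect_entry(entry_name, head):
    """Reasons an entry looks like a disguised executable, given its name and the
    first bytes of its content. An empty list means nothing suspicious was seen."""
    reasons = []
    base = entry_name.replace("\\", "/").rsplit("/", 1)[-1]
    suffixes = name_suffixes(entry_name)
    last = suffixes[-1] if suffixes else ""
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS and last in EXECUTABLE_EXTS:
        reasons.append("document extension followed by executable extension")
    if "  " in base:
        reasons.append("whitespace padding hides the real extension")
    # A spoofed icon lives inside the PE, so the name proves nothing; the content does.
    # 'MZ' is the DOS header every Windows PE file starts with.
    if head.startswith(b"MZ") and last not in EXECUTABLE_EXTS:
        reasons.append("PE (MZ) header under a non-executable extension")
    return reasons


def triage_zip(zip_bytes):
    """Map each suspicious entry name in a ZIP to the reasons it was flagged.
    Only the first bytes of each entry are read, so large archives stay cheap."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            reasons = inspect_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample archive (not a real Silver Fox sample): one genuine PDF,
    one PE hidden behind a padded double extension, one PE under a spreadsheet name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Notice/Cover_Letter.pdf", b"%PDF-1.4\n% constructed\n")
        zf.writestr("Tax_Notice/Tax_Violations_List.pdf" + " " * 20 + ".exe",
                    b"MZ" + b"\x00" * 62)
        zf.writestr("Tax_Notice/Audit_Findings.xlsx", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in triage_zip(build_sample_archive()).items():
        print(f"{name!r}: {', '.join(reasons)}")
```

The magic-byte check is the one that matters most: extension rules can be bypassed with a name the checker has not seen, but a PE file has to start with "MZ" to run, so a gateway that reads the first bytes of every archive member catches the disguised executable regardless of how it is named.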

From RustSL to ValleyRAT

Silver Fox modified RustSL to better fit its campaign. The custom version added payload unpacking, anti-analysis checks, and country-based geofencing.

Early customized builds checked whether the infected device was in India, Indonesia, South Africa, Russia, or Cambodia. A later sample added Japan to the allowed country list.

After the checks passed, the loader decrypted and ran shellcode. That shellcode downloaded a ValleyRAT module, which then connected to command-and-control servers and waited for further instructions.

  • The victim receives a fake tax email.
  • The PDF attachment contains a download link.
  • The link downloads a ZIP or RAR archive.
  • The archive contains a disguised executable.
  • The executable launches Silver Fox RustSL.
  • RustSL downloads and runs ValleyRAT.
  • ValleyRAT loads a plugin that installs ABCDoor.

ABCDoor adds a new layer to the attack

ABCDoor is a previously undocumented Python-based backdoor. Kaspersky named it ABCDoor because most of its command-and-control addresses used an “abc” third-level domain pattern.

Attack chain (Source – Securelist)

Retrospective analysis showed that ABCDoor had existed since at least late 2024. Researchers also found it had been used in real attacks from the first quarter of 2025 onward.

The backdoor is compiled with Cython and runs under a bundled copy of the legitimate pythonw.exe interpreter. Because pythonw.exe is the console-less variant of Python, no window appears, which makes the implant less obvious to users and helps it stay active quietly on infected Windows systems.

ABCDoor capability | Impact on the victim
Screen streaming | Lets attackers view the victim's screen, including multiple monitors in newer versions
Clipboard theft | Can steal copied text, including passwords, tokens, and sensitive notes
File operations | Allows attackers to manage files on the infected system
Mouse and keyboard control | Lets attackers interact with the device remotely
Self-update and removal | Helps attackers maintain or clean up the infection

How ABCDoor hides on infected systems

ABCDoor installs itself using a bundled Python environment and ffmpeg.exe. The legitimate ffmpeg tool helps the malware handle screen capture and broadcasting.

The malware copies its files into C:\ProgramData\Tailscale. That path appears designed to imitate the legitimate Tailscale VPN tool, which also keeps state under a ProgramData\Tailscale directory, so the folder name alone looks unremarkable during a quick review. A Python runtime and ffmpeg.exe inside that folder are what give it away.

ABCDoor also creates a Run key in the Windows registry and a scheduled task named AppClient that runs every minute. These persistence methods help it return after a reboot or user logon.

Silver Fox also used Phantom Persistence

Kaspersky also found a Silver Fox RustSL sample using a technique called Phantom Persistence. The method abuses a Windows restart mechanism intended for legitimate applications that need to resume after a reboot.

In this campaign, the loader could intercept the shutdown signal, abort the normal shutdown sequence, and trigger a reboot after which the malware is executed again.

Screenshot of the Description from the RustSL Loader GitHub Project (Source – Securelist)

This matters for defenders because the infection may survive actions that users expect to interrupt malware activity. A simple restart does not guarantee that the threat has been removed.

What security teams should monitor

Organizations should treat fake tax notices as a serious phishing risk, especially during filing or audit-related periods. Attackers know that government-themed messages can make employees act quickly.

Email security tools should inspect PDFs that contain external links, not just files with direct malware attachments. Teams should also block or sandbox suspicious archives downloaded from tax-themed messages.

Endpoint monitoring should focus on abnormal pythonw.exe activity, ffmpeg.exe running from unusual directories, registry persistence, and scheduled tasks named AppClient.

  • Flag PDFs that contain suspicious external download links.
  • Block archives downloaded from untrusted tax-related messages.
  • Monitor C:\ProgramData\Tailscale when Tailscale is not approved in the environment.
  • Alert on scheduled tasks named AppClient.
  • Investigate pythonw.exe running from user or ProgramData paths.
  • Watch for unexpected ffmpeg.exe use on business endpoints.
  • Review outbound traffic to suspicious third-level abc subdomains.
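The checks in the list above, as an added example that is not part of the Kaspersky report or of any vendor's detection content: a small Python hunt that runs Sysmon-style process, registry, scheduled-task and DNS events through one rule each and returns alerts. The approved install paths, the task-name list and the sample events are constructed assumptions for the example (the directory name, task name and "abc" label are the only details taken from the article), and the DNS rule treats the last two labels as the registrable domain, which a production version should replace with a public-suffix list.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "rule detail")

# Tunables below are assumptions for this example, not values from the Kaspersky report.
APPROVED_PYTHON_ROOTS = (r"c:\program files\python",)      # where pythonw.exe may legitimately run from
APPROVED_FFMPEG_DIRS = (r"c:\program files\ffmpeg\bin",)    # where ffmpeg.exe may legitimately run from
IMPLANT_DIR = r"c:\programdata\tailscale"                   # directory named in the article
SUSPECT_TASK_NAMES = {"appclient"}                          # scheduled task name named in the article


def _norm(path):
    """Lower-case a Windows path and unify separators so prefix checks are reliable."""
    return (path or "").replace("/", "\\").lower()


def _parent_dir(path):
    return _norm(path).rsplit("\\", 1)[0]


def check_process(ev):
    """Process-creation event (Sysmon EID 1 style): Image and CommandLine fields."""
    image = _norm(ev.get("Image"))
    alerts = []
    if image.endswith("\\pythonw.exe") and not image.startswith(APPROVED_PYTHON_ROOTS):
        alerts.append(Alert("pythonw-unapproved-path", image))
    if image.endswith("\\ffmpeg.exe") and _parent_dir(image) not in APPROVED_FFMPEG_DIRS:
        alerts.append(Alert("ffmpeg-unusual-dir", image))
    # Assumption: nothing legitimate executes out of ProgramData\Tailscale. If Tailscale is
    # approved in your environment, allow-list its own binaries rather than the directory.
    if image.startswith(IMPLANT_DIR + "\\"):
        alerts.append(Alert("exec-from-programdata-tailscale", image))
    return alerts


def check_registry(ev):
    """Registry value-set event (Sysmon EID 13 style): TargetObject and Details."""
    target = _norm(ev.get("TargetObject"))
    details = _norm(ev.get("Details"))
    if "\\currentversion\\run\\" in target and ("pythonw.exe" in details or IMPLANT_DIR in details):
        return [Alert("run-key-pythonw", f"{target} -> {details}")]
    return []


def check_task(ev):
    """Scheduled-task registration (Security 4698 style): TaskName, Action, RepetitionMinutes."""
    name = (ev.get("TaskName") or "").strip("\\").lower()
    alerts = []
    if name in SUSPECT_TASK_NAMES:
        alerts.append(Alert("task-name-appclient", name))
    if ev.get("RepetitionMinutes") == 1 and "pythonw.exe" in _norm(ev.get("Action")):
        alerts.append(Alert("task-every-minute-pythonw", name))
    return alerts


def check_dns(ev):
    """DNS query event (Sysmon EID 22 style): QueryName. Flags hosts whose third-level
    label is 'abc' (abc.example.net, x.abc.example.net). Assumes the registrable domain
    is the last two labels; use a public-suffix list in production."""
    labels = (ev.get("QueryName") or "").lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-3] == "abc":
        return [Alert("dns-abc-third-level", ".".join(labels))]
    return []


CHECKS = {"process": check_process, "registry": check_registry,
          "task": check_task, "dns": check_dns}


def hunt(events):
    """Run every event through the check for its type and collect the alerts."""
    alerts = []
    for ev in events:
        alerts.extend(CHECKS.get(ev.get("EventType"), lambda _: [])(ev))
    return alerts


# Constructed telemetry for the example, modelled on the behaviours the article describes.
SAMPLE_EVENTS = [
    {"EventType": "process", "Image": r"C:\ProgramData\Tailscale\pythonw.exe",
     "CommandLine": r'"C:\ProgramData\Tailscale\pythonw.exe" app.pyc'},
    {"EventType": "process", "Image": r"C:\Program Files\Python312\pythonw.exe",
     "CommandLine": r'"C:\Program Files\Python312\pythonw.exe" tool.py'},
    {"EventType": "process", "Image": r"C:\ProgramData\Tailscale\ffmpeg.exe",
     "CommandLine": r"ffmpeg.exe -f gdigrab -i desktop -f mpegts pipe:1"},
    {"EventType": "process", "Image": r"C:\Program Files\ffmpeg\bin\ffmpeg.exe",
     "CommandLine": r"ffmpeg.exe -i in.mp4 out.mp4"},
    {"EventType": "registry",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\AppClient",
     "Details": r"C:\ProgramData\Tailscale\pythonw.exe app.pyc"},
    {"EventType": "task", "TaskName": r"\AppClient", "RepetitionMinutes": 1,
     "Action": r"C:\ProgramData\Tailscale\pythonw.exe app.pyc"},
    {"EventType": "task", "TaskName": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "RepetitionMinutes": None, "Action": r"%windir%\system32\defrag.exe -c -h -o"},
    {"EventType": "dns", "QueryName": "abc.example.net"},
    {"EventType": "dns", "QueryName": "www.example.net"},
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_EVENTS):
        print(f"{a.rule:34} {a.detail}")
```

The rules are deliberately independent so that a renamed task or a relocated folder still trips the others: the every-minute repetition tied to pythonw.exe, for instance, fires even if the attacker drops the AppClient name.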

How employees can avoid the lure

Employees should never act on a tax notice received by email alone; they should verify it through the official tax portal or the internal finance team first.

Any message that claims an urgent audit, tax violation, penalty, or compliance issue should get extra review. Attackers often rely on urgency to make users skip normal checks.

Companies should also tell employees where real tax notices appear, which teams handle them, and what official portals should be used for verification.

Red flag | Safer response
Unexpected tax audit email | Verify through the official tax portal or finance department
PDF with external download links | Do not click until the sender and URL are confirmed
Archive claiming to contain tax violations | Forward it to security for analysis
File disguised as a PDF or spreadsheet | Check the real file extension before opening
Urgent language about penalties | Pause and verify through a trusted channel

FAQ

Which countries were targeted?

The main phishing waves targeted India and Russia. The loader’s geofencing also referenced India, Indonesia, South Africa, Russia, Cambodia, and later Japan.

What is ABCDoor?

ABCDoor is a newly documented Python-based backdoor used by Silver Fox. It supports screen streaming, file operations, clipboard theft, remote input, updates, and removal.

What is ValleyRAT?

ValleyRAT is a remote access trojan used to control infected systems, receive commands, and load additional malicious modules.

Who is Silver Fox?

Silver Fox is a threat group linked to multiple malware campaigns, including campaigns that use ValleyRAT and now ABCDoor.
