New Python-Based Backdoor 'ABCDoor' Deployed in Tax-Themed Phishing Campaigns Against Russia and India

<h2>Silver Fox Uses Tax-Authority Lures to Deliver a New Backdoor</h2> <p><strong>December 2025 and January 2026</strong> — Cybersecurity researchers have uncovered a phishing campaign by the threat group <strong>Silver Fox</strong>, targeting organizations in <strong>Russia</strong> and <strong>India</strong> with a previously undocumented Python-based backdoor named <strong>ABCDoor</strong>.</p><figure style="margin:20px 0"><img src="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/04/29144353/SL-Silver-Fox-tax-campaign-featured.jpg" alt="New Python-Based Backdoor &#039;ABCDoor&#039; Deployed in Tax-Themed Phishing Campaigns Against Russia and India" style="width:100%;height:auto;border-radius:8px" loading="lazy"><figcaption style="font-size:12px;color:#666;margin-top:5px">Source: securelist.com</figcaption></figure> <p>The attacks, first detected in December 2025, used emails disguised as official tax service communications. A second wave hit Russian entities in January 2026 with a nearly identical modus operandi. Over 1,600 malicious emails were recorded between early January and early February 2026.</p> <p>“This marks a significant escalation in Silver Fox’s capabilities, introducing a modular backdoor that operates as a plugin for the well-known ValleyRAT malware,” said a senior analyst at the cybersecurity firm that tracked the campaign.</p> <h2>Attack Chain: From Phishing Email to Python Payload</h2> <h3>Phishing Emails Mimicking Tax Authorities</h3> <p>The campaign relied on social engineering, with emails styled as official notices regarding tax audits or “lists of tax violations.” Victims were urged to download an archive containing a malicious file.</p> <p>In the Indian campaign, emails purported to be from the Indian tax service and carried attachments named <strong>ITD.-.rar</strong> or links to <strong>CBDT.rar</strong>. 
Russian victims received PDFs with embedded download links to <strong>abc.haijing88[.]com/uploads/фнс/фнс.zip</strong>.</p> <p>“The use of PDFs with links rather than direct malicious attachments is a deliberate tactic to bypass email security gateways,” noted a threat intelligence expert. “The link requires human interaction, increasing the chance of reaching the inbox.”</p> <h3>RustSL Loader and ValleyRAT</h3> <p>Inside the archives, the attackers deployed a modified version of the open-source <strong>RustSL</strong> loader (based on Rust code from GitHub). This loader executed the well-known <strong>ValleyRAT</strong> backdoor, giving the attackers an initial foothold in targeted networks.</p> <p>The malicious emails reached organizations in diverse sectors, including <strong>industrial, consulting, retail, and transportation</strong>, in both countries.</p> <h3>Discovery of the New Backdoor: ABCDoor</h3> <p>During the investigation, researchers identified a previously unseen ValleyRAT plugin functioning as a loader for a Python-based backdoor. Dubbed <strong>ABCDoor</strong>, this new malware uses Python scripts to establish persistent remote access and exfiltrate data.</p> <p>Retrospective analysis shows that ABCDoor has been part of Silver Fox’s arsenal since <strong>late 2024</strong> and has been actively used in attacks from Q1 2025 onward. 
“This is not a one-off tool; it is a mature component of their operations,” the analyst added.</p> <h2 id="background">Background: Silver Fox Group</h2> <p>Silver Fox is known for targeting government and private sector entities across Asia and Eastern Europe. Previous campaigns have focused on espionage and data theft, often using custom malware blended with off-the-shelf tools like ValleyRAT.</p> <p>The group’s use of tax-themed lures follows a pattern seen with other threat actors: exploiting the authority of tax agencies to lower user suspicion.</p> <h2 id="what-this-means">What This Means for Organizations</h2> <p>The deployment of a Python-based backdoor as a ValleyRAT plugin signals an evolution in modular malware design. Because Python is cross-platform, ABCDoor could in principle be adapted to Linux and macOS, although in the campaigns reported here it was delivered only through ValleyRAT.</p> <p>“Organizations should update their phishing awareness training to highlight tax-themed lures, especially those containing PDFs with links,” advised a cybersecurity consultant. “Email gateways must also be configured to inspect link destinations in attachments.”</p> <p>The campaign’s success underscores the need for <strong>defense in depth</strong>: robust endpoint detection, network segmentation, and rapid incident response. 
Indicators of compromise (IoCs) such as the malicious domain <strong>abc.haijing88[.]com</strong> should be blocked.</p> <h2>IOC and Technical Details</h2> <ul> <li><strong>Malicious domain:</strong> abc.haijing88[.]com</li> <li><strong>Archive names:</strong> фнс.zip, ITD.-.rar, CBDT.rar</li> <li><strong>Loader:</strong> Modified RustSL from a public GitHub repository</li> <li><strong>Backdoor:</strong> ValleyRAT, with a plugin that loads the Python-based ABCDoor backdoor</li> <li><strong>Email platform used:</strong> SendGrid (for the Indian campaign)</li> </ul> <p>As investigations continue, researchers urge sharing of IoCs with relevant CERTs. Silver Fox remains active, and new variations of the campaign may emerge.</p>
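<p>The advice above to inspect link destinations inside attachments, combined with the IoC list, can be turned into a concrete gateway check. The following is an added example written for this page, not code from the researchers or from any vendor product: it parses a raw RFC 822 message with the Python standard library, pulls the /URI targets out of any PDF attachment, extracts URLs from text bodies, and flags attachment names, link hosts, and link file names that match the published indicators. The sample email, the minimal PDF, and the sender and recipient addresses are constructed for the demonstration; the PDF link extraction handles only literal-string /URI entries, so a production gateway should hand object streams and encrypted documents to a real PDF parser.</p>

```python
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import unquote, urlsplit

# Indicators exactly as the report lists them (domain kept defanged).
IOC_DOMAINS = {"abc.haijing88[.]com"}
IOC_ARCHIVES = {"фнс.zip", "ITD.-.rar", "CBDT.rar"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a matchable value."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(host: str, ioc_domains=IOC_DOMAINS) -> bool:
    """True if host is an IoC domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    for ioc in map(refang, ioc_domains):
        if host == ioc or host.endswith("." + ioc):
            return True
    return False


# Link annotations in a PDF carry the target as /URI (literal string).
# Only the literal-string form is handled here; hex strings, object
# streams and encrypted PDFs need a real parser.
PDF_URI_RE = re.compile(rb"/URI\s*\(((?:\\.|[^\\)])*)\)")
TEXT_URL_RE = re.compile(r"https?://[^\s<>\"']+")


def pdf_urls(data: bytes) -> list[str]:
    """Extract link targets from a PDF, unescaping PDF literal strings."""
    urls = []
    for m in PDF_URI_RE.finditer(data):
        raw = m.group(1)
        for esc, lit in ((rb"\(", b"("), (rb"\)", b")"), (rb"\\", b"\\")):
            raw = raw.replace(esc, lit)
        urls.append(raw.decode("utf-8", "replace"))
    return urls


def check_url(url: str, where: str) -> list[str]:
    """Match a URL's host and final path segment against the IoCs."""
    findings = []
    parts = urlsplit(url)
    host = parts.hostname or ""
    if domain_matches(host):
        findings.append(f"{where}: link to IoC domain {host} ({url})")
    leaf = unquote(parts.path).rsplit("/", 1)[-1]
    if leaf in IOC_ARCHIVES:
        findings.append(f"{where}: link to IoC archive {leaf}")
    return findings


def scan_message(msg: EmailMessage) -> list[str]:
    """Walk every MIME part: attachment names, PDF links, body links."""
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if name in IOC_ARCHIVES:
            findings.append(f"attachment: IoC archive name {name}")
        if part.get_content_type() == "application/pdf" or payload.startswith(b"%PDF"):
            for url in pdf_urls(payload):
                findings += check_url(url, f"pdf {name or '(inline)'}")
        elif part.get_content_maintype() == "text":
            text = payload.decode(part.get_content_charset() or "utf-8", "replace")
            for url in TEXT_URL_RE.findall(text):
                findings += check_url(url, "body")
    return findings


def scan_raw(raw: bytes) -> list[str]:
    """Entry point for a gateway that hands over the raw RFC 822 message."""
    return scan_message(email.message_from_bytes(raw, policy=policy.default))


# Constructed sample: a minimal PDF whose single link annotation points at
# the archive URL reported for the Russian wave, plus an attachment named
# like the Indian lure. Neither is a real file from the campaign.
SAMPLE_PDF = (
    "%PDF-1.4\n1 0 obj\n<< /Type /Annot /Subtype /Link "
    "/A << /S /URI /URI (http://abc.haijing88.com/uploads/фнс/фнс.zip) >> >>\n"
    "endobj\n%%EOF\n"
).encode("utf-8")


def build_sample_message() -> EmailMessage:
    msg = EmailMessage()
    msg["From"] = "notice@tax.example"        # placeholder sender
    msg["To"] = "accounting@victim.example"   # placeholder recipient
    msg["Subject"] = "List of tax violations"
    msg.set_content("See the attached notice.")
    msg.add_attachment(SAMPLE_PDF, maintype="application", subtype="pdf",
                       filename="notice.pdf")
    msg.add_attachment(b"Rar!\x1a\x07\x00", maintype="application",
                       subtype="vnd.rar", filename="ITD.-.rar")
    return msg


if __name__ == "__main__":
    for line in scan_raw(build_sample_message().as_bytes()):
        print(line)
```

<p>Running the sample reports the PDF link to the IoC domain, the фнс.zip file name in that link, and the ITD.-.rar attachment. The subdomain check in <code>domain_matches</code> matters because hosts under the listed domain should be blocked too, while an unrelated domain that merely shares a suffix (haijing88.com itself is not listed) is not flagged.</p>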