A recently uncovered campaign attributed to the China-based cybercrime group known as Silver Fox—also referred to as Monarch, SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne—has targeted organizations in Russia and India with new malware identified as ABCDoor.

The operation has prominently involved the use of phishing emails impersonating communications from the Income Tax Department of India in December 2025, followed by a parallel initiative directed at Russian entities in January 2026. The structure of both waves has been notably similar, with phishing emails crafted to resemble official notifications regarding tax audits, encouraging recipients to download archives claiming to contain a ‘list of tax violations.’

Kaspersky detailed that within these archives lay a modified Rust-based loader sourced from a public repository, designed to download and execute the ValleyRAT backdoor, a well-documented malicious tool.

The breadth of this campaign is significant, as it is believed to have affected industries including manufacturing, consulting, retail, and transportation, with over 1,600 phishing emails flagged between early January and early February.

Of particular note within these phishing campaigns is the deployment of a previously undocumented Python-based backdoor, ABCDoor, accompanied by a novel plugin for the ValleyRAT malware. This backdoor has reportedly been part of the attackers’ toolkit since at least December 19, 2024, and was actively utilized in cyber assaults from February or March 2025.

The attack’s entry point was a phishing email containing a PDF file with two clickable links leading to a ZIP or RAR archive hosted on “abc.haijing88[.]com.” In the incidents observed in December 2025, malicious code was integrated within the email attachments themselves.

Inside the archive, an executable file acting as a decoy PDF was discovered. This binary was deemed a modified variant of RustSL, a well-known open-source shellcode loader and antivirus evasion framework. Silver Fox’s usage of RustSL has been traced back to late December 2025.
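As an added example (not code from Kaspersky's report or from this article), the following Python triage helper checks the two delivery-stage indicators described above: links to a ZIP or RAR archive on the host named in the article, and an archive member that presents as a PDF but begins with a PE (`MZ`) header. The sample archive and message text are constructed inline for illustration.

```python
import io
import re
import zipfile

# Indicators taken from the article: the archive was linked from this host,
# and it contained an executable posing as a PDF.
KNOWN_LURE_HOST = "abc.haijing88.com"
ARCHIVE_EXT = (".zip", ".rar")
PE_MAGIC = b"MZ"


def suspicious_links(text):
    """Return URLs in an email or PDF body that point at an archive on the lure host."""
    hits = []
    for url in re.findall(r"https?://[^\s\"'<>]+", text):
        host = re.sub(r"^https?://", "", url).split("/")[0].lower()
        if host == KNOWN_LURE_HOST and url.lower().endswith(ARCHIVE_EXT):
            hits.append(url)
    return hits


def suspicious_members(zip_bytes):
    """Return (member name, reason) for members that are PE files dressed up as documents."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(2)  # only the magic bytes are needed for this check
            if not head.startswith(PE_MAGIC):
                continue
            name = info.filename.lower()
            if ".pdf." in name:
                findings.append((info.filename, "PE with double extension posing as PDF"))
            elif name.endswith(".pdf"):
                findings.append((info.filename, "PE with .pdf extension"))
            else:
                findings.append((info.filename, "executable inside document-themed archive"))
    return findings


def build_sample_archive():
    """Constructed sample archive (not real malware): one genuine PDF stub, one fake PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Tax_Violations_List.pdf", b"%PDF-1.4\n% constructed benign sample\n")
        zf.writestr("Tax_Violations_List.pdf.exe", b"MZ\x90\x00 constructed stub, not a binary")
    return buf.getvalue()
```

Run `suspicious_members(build_sample_archive())` to see only the double-extension member flagged; the genuine PDF stub is left alone because its content does not start with `MZ`.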

The strategic aim of this modified RustSL variant is to decrypt and unpack hidden malicious payloads while incorporating geographic filtering and environmental checks to identify virtual machines and sandbox environments. Although the GitHub version primarily focuses on China, the customized variant broadens its targets to include India, Indonesia, South Africa, Russia, and Cambodia.

Additionally, one variant of the loader has been documented utilizing an innovative technique known as Phantom Persistence to maintain presence on compromised systems, a method first identified in June 2025.

Kaspersky explained that this persistence method abuses standard functions intended for applications that need a system reboot to complete an update, hijacking the shutdown process so that the malware is relaunched as if it were an application being restarted after an update. As a result, the loader is activated at every system start-up.

The RustSL-loaded payload subsequently retrieves the encrypted ValleyRAT (also known as Winos 4.0) malware, with its core component (“login-module.dll_bin”) handling command-and-control (C2) communications, command execution, and additional module retrieval and execution.

Crucial to the attack’s infrastructure, one of the custom modules, ABCDoor, initiates connections to an external server via HTTPS, allowing it to receive commands for persistence management, backdoor updates, data collection (such as screenshots), remote mouse and keyboard control, file system operations, process management, and clipboard exfiltration.

As recently as November 2025, Silver Fox has been observed leveraging a JavaScript loader for delivering ABCDoor, disseminated through self-extracting archives likely dispatched via phishing campaigns. Notably, more recent variants of RustSL now include Japan within their target regions.

Current analyses indicate that the most affected countries are India, Russia, and Indonesia, followed by South Africa and Japan. Many of the observed loader samples have used tax-themed lures to start the infection chain, exploiting seasonal fiscal concerns to improve their success rate.

Since 2024, Silver Fox has developed a dual-track operational model that executes both extensive opportunistic attacks and tailored espionage missions. Initially, the group focused on China but has since broadened its operational scope to include Taiwan and Japan.

The group’s tactics evident in these recent campaigns highlight their reliance on highly customized spear phishing techniques for initial infiltration. Their attack strategies appear designed to align with ongoing seasonal challenges in the target regions and the specific work characteristics of their intended victims.
