The China-based cybercrime group known as Silver Fox (aka Monarch, SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne) has been linked to a new campaign targeting organizations in Russia and India with a new malware called ABCDoor.
The activity involved using phishing emails that mimic correspondence from the Income Tax Department of India in December 2025, followed by a similar campaign aimed at Russian entities in January 2026.
“Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a ‘list of tax violations,'” Kaspersky said. “Inside the archive was a modified Rust-based loader pulled from a public repository. This loader would download and execute the well-known ValleyRAT backdoor.”
The campaign is estimated to have impacted organizations across the industrial, consulting, retail, and transportation sectors. More than 1,600 phishing emails were flagged between early January and early February.
What’s notable about these phishing waves is the delivery of a new ValleyRAT plugin that functions as a loader for a previously undocumented Python-based backdoor codenamed ABCDoor. The backdoor, per the Russian cybersecurity company, has been part of the threat actor’s arsenal since at least December 19, 2024, and was put to use in cyber attacks beginning February or March 2025.
The starting point of the attack chain is a phishing email containing a PDF file, which features two clickable links that lead to the download of a ZIP or RAR archive hosted on “abc.haijing88[.]com.” In the campaign detected in December 2025, the malicious code is said to have been embedded directly within the files attached to the email.
Present within the archive is an executable that mimics a PDF file. The binary is a modified version of an open-source shellcode loader and antivirus bypass framework called RustSL. Silver Fox’s first recorded use of RustSL dates back to late December 2025.
The end goal of the Silver Fox RustSL variant is to unpack the encrypted malicious payload, while implementing country-based geofencing and environment checks to detect virtual machines and sandboxes. While the GitHub variant only includes China in its country list, the bespoke version features India, Indonesia, South Africa, Russia, and Cambodia.
One variant of the loader has been found to employ a novel method called Phantom Persistence to establish persistence on the compromised host. It was first documented in June 2025.
“This method abuses functionality designed to allow applications requiring a reboot for updates to complete the installation process properly,” Kaspersky explained. “The attackers intercept the system shutdown signal, halt the normal shutdown sequence, and trigger a reboot under the guise of an update for the malware. Consequently, the loader forces the system to execute it upon OS startup.”
The encrypted payload loaded by RustSL results in the download of the encrypted ValleyRAT (aka Winos 4.0) malware, with the core component (“login-module.dll_bin”) responsible for command-and-control (C2) communications, command execution, and retrieval and execution of additional modules.
One of the custom modules deployed as part of the attack following a second geofencing check is ABCDoor, which contacts an external server via HTTPS and processes incoming messages to facilitate persistence, handle backdoor updates and removal, collect data such as screenshots, enable remote mouse and keyboard control, perform file system operations, manage system processes, and exfiltrate clipboard contents.
As recently as November 2025, Silver Fox has been observed using a JavaScript loader to deliver ABCDoor, with the loader distributed via self-extracting (SFX) archives that were packaged inside ZIP archives likely sent via phishing emails. Newer versions of RustSL have since expanded the geographic focus to include Japan.
The highest number of attacks has been detected in India, Russia, and Indonesia, followed by South Africa and Japan. The majority of loader samples discovered have employed tax-themed lures to imitate the infection sequence.
“Since 2024, [Silver Fox] has evolved into a dual-track operational model that simultaneously conducts profitable extensive opportunistic activities and espionage activities,” S2W said. “In the early stages, the group targeted China for attacks, but later expanded its operational scope to Taiwan and Japan.”
“The Silver Fox group primarily utilizes highly customized spear phishing techniques for initial infiltration, deploying sophisticated and diversified attack scenarios tailored to the seasonal issues of the target country and the target’s work characteristics.”
