A new cyberattack campaign has recently come into focus where a China-linked threat group called Silver Fox is targeting users in India and Russia. The attackers are spreading a new type of malware known as ABCDoor through phishing emails. These emails are designed to look like official tax-related messages. Because of their realistic appearance, many users may trust them without questioning. This makes the attack highly effective and dangerous.

The attack mainly starts with emails that pretend to come from government tax authorities, especially the Income Tax Department of India. These emails usually mention tax audits, penalties, or urgent compliance issues. The goal is to create a sense of fear or urgency in the user. As a result, the victim is more likely to open the attachment or click the link. The files are often disguised as PDFs or compressed files like ZIP or RAR.
Once the victim opens the file, the infection proceeds in several stages. First, the malicious file runs a modified loader written in Rust, commonly referred to as RustSL. The loader then installs ValleyRAT, a known backdoor. Finally, the new malware component named ABCDoor is deployed on the system.
ABCDoor is a powerful Python-based backdoor that gives attackers deep access to the infected device. It allows them to take screenshots and monitor user activity in real time. The malware can also control the keyboard and mouse remotely. In addition to that, it can access files and steal clipboard data. It stays connected with remote servers controlled by the attackers.
This campaign has targeted a wide range of industries and is not limited to individual users. Sectors such as industrial companies, consulting firms, retail businesses, and transportation organizations have been affected. Reports indicate that more than 1,600 phishing emails were sent during January and February 2026, which shows how large and organized the operation is and underlines the scale of the threat.
Although India and Russia are the main targets, the attack has also been seen in other countries. Regions like Indonesia, South Africa, and Japan have reported similar phishing activity. This suggests that the attackers are running a broader international campaign. However, their main focus still remains on selected regions. This is likely part of a targeted attack strategy.
The attackers are using several advanced techniques to avoid detection by security systems. One such method is geofencing, which ensures the malware only activates in specific regions. They also use sandbox detection to avoid running inside testing environments. Another technique called phantom persistence allows the malware to restart after a system reboot. In some cases, malicious files are cleverly disguised as normal PDF documents.
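As an added illustration (not code from the original article or from any vendor report), the triage heuristic below scores an email on the lure traits described above: a tax or audit theme in the subject, a display name claiming to be a tax authority while the sender domain is not one, and an attachment that is an archive or is presented as a PDF but whose leading bytes say otherwise. All sample messages, sender domains and file bytes are constructed, and the `.gov.in` trust suffix is an assumption.

```python
import re

# Subject words typical of the tax-audit / penalty lures described above.
TAX_LURE = re.compile(r"\b(tax|audit|penalty|compliance|notice)\b", re.I)
# Display names that claim to be a tax authority.
AUTHORITY_CLAIM = re.compile(r"income\s*tax|tax\s*department", re.I)
# Assumed legitimate sender suffix for the Income Tax Department of India.
TRUSTED_SUFFIXES = (".gov.in",)
ARCHIVE_EXT = (".zip", ".rar")
# Leading bytes that identify the real file type regardless of its name.
MAGIC = {b"%PDF-": "pdf", b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar", b"MZ": "exe"}


def sniff(data: bytes) -> str:
    """Return the file type implied by the first bytes, not by the extension."""
    for sig, kind in MAGIC.items():
        if data.startswith(sig):
            return kind
    return "unknown"


def score_email(subject, from_name, from_addr, attachments):
    """Return (score, reasons). attachments is a list of (filename, bytes)."""
    reasons = []
    if TAX_LURE.search(subject):
        reasons.append("tax/urgency lure in subject")
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if AUTHORITY_CLAIM.search(from_name) and not domain.endswith(TRUSTED_SUFFIXES):
        reasons.append(f"claims tax authority but sent from {domain}")
    for name, data in attachments:
        lower, real = name.lower(), sniff(data)
        if lower.endswith(ARCHIVE_EXT) or real in ("zip", "rar"):
            reasons.append(f"archive attachment {name}")
        # Double extension or wrong magic: a 'PDF' that is really something else.
        if ".pdf." in lower or (lower.endswith(".pdf") and real != "pdf"):
            reasons.append(f"{name} is presented as a PDF but is {real}")
    return len(reasons), reasons


# Constructed sample messages (domains use the reserved .example TLD).
SAMPLES = {
    "lure_zip": ("Urgent: Income Tax audit notice, penalty pending", "Income Tax Department",
                 "notice@tax-portal-refund.example", [("Tax_Notice.pdf.zip", b"PK\x03\x04junk")]),
    "fake_pdf": ("Compliance notice for FY 2025", "Tax Department", "desk@efiling-alert.example",
                 [("Notice.pdf", b"MZ\x90\x00stub")]),
    "benign": ("Lunch on Friday?", "Alice", "alice@corp.example", [("menu.pdf", b"%PDF-1.7\n")]),
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, *score_email(*msg), sep=" | ")
```

The magic-byte check is the part worth keeping even if the keyword lists are tuned away: a file named `.pdf` that starts with `PK` or `MZ` is a mismatch regardless of the lure text.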
Overall, this attack highlights how cybercriminals are becoming more advanced and strategic. By using real-world themes like tax notices, they increase the chances of success. The use of multiple malware stages makes detection and removal more difficult. This campaign shows that both individuals and organizations need to stay alert. Verifying emails and avoiding suspicious attachments is now more important than ever.
Stay alert, and keep your security measures updated!
Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news


