
How the Silver Fox Group Deploys the ABCDoor Backdoor: A Step-by-Step Breakdown of the Attack Chain

Published 2026-05-05 22:56:44 · Cybersecurity

Overview

In late 2025 and early 2026, the Silver Fox threat group launched a sophisticated phishing campaign targeting organizations in India and Russia. By impersonating tax authorities, they tricked victims into downloading a malicious archive that initiated a multi-stage attack chain. The final payload was a previously undocumented Python backdoor named ABCDoor. This guide dissects each step of the operation, providing security teams with a clear understanding of the adversary's tactics, techniques, and procedures (TTPs). By following these steps, analysts can better detect, respond to, and mitigate similar attacks.

Source: securelist.com

What You Need

  • Access to email security logs (e.g., SendGrid, Microsoft 365) to trace phishing messages
  • A sandbox environment (e.g., Cuckoo, Joe Sandbox) to safely execute suspicious files
  • Network traffic analysis tools (e.g., Wireshark, Zeek) to monitor outbound connections
  • Reverse engineering tools (e.g., IDA Pro, Ghidra) or a Python debugger to analyze payloads
  • Threat intelligence feeds or a TI platform to check indicators of compromise (IoCs)
  • Basic familiarity with Rust, Python, and Windows executable analysis

Step 1: Recognize the Phishing Email Template

The attack begins with a spear-phishing email crafted to appear as official correspondence from a tax authority. For the Indian campaign (December 2025), the sender spoofed the Income Tax Department and used subjects like "Tax Audit Notice" or "List of Tax Violations." In the Russian campaign (January 2026), the emails mimicked the Federal Tax Service (ФНС). Both variants leveraged the urgency of tax compliance to pressure recipients into opening attachments or links.

  • Indian variant: Email contained an attached archive (ITD.-.rar) with a single executable disguised as a PDF.
  • Russian variant: Email attached a PDF file with two clickable links pointing to a malicious URL (abc.haijing88[.]com/uploads/фнс/фнс.zip).

Using links inside a PDF instead of attaching the executable directly helps bypass email security gateways, because the malicious archive is only fetched after the user clicks the link.

Step 2: Extract the Initial Payload from the Phishing Artifact

Once the victim opens the attachment or clicks the link, they download a ZIP or RAR archive. Inside this archive is the first-stage payload: a modified version of the open-source Rust-based loader called RustSL (publicly available on GitHub). The loader file may be named Click File.exe (India) or фнс.exe (Russia) and often bears a fake PDF icon to deceive users.

  • Extract the archive in an isolated sandbox environment.
  • Examine the executable's metadata: it is a compiled Rust binary, typically small (under 500 KB).
  • Note that the RustSL loader has been modified by Silver Fox to communicate with their command-and-control (C2) infrastructure.

Step 3: Analyze the RustSL Loader's Behavior

When executed, the RustSL loader performs the following actions:

  1. Establishes an HTTP connection to the C2 server (e.g., abc.haijing88[.]com).
  2. Downloads the second-stage payload: the ValleyRAT backdoor (a well-known remote access trojan).
  3. Injects or executes ValleyRAT in memory to avoid writing to disk.

To detect this step, monitor for outbound HTTP requests to suspicious domains and unexpected child processes spawned from the RustSL executable.
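As an added example (not from the original article or the Securelist report), the two checks described above applied to constructed Zeek-style HTTP log lines and Sysmon-style process-creation events. The C2 domain and loader file names are the ones this article names; the log lines, IP addresses and parent/child process pairs are constructed sample data.

```python
# Defanged C2 domain from the article; refang it so it matches Host headers in logs.
C2_DOMAINS = {"abc.haijing88[.]com".replace("[.]", ".")}
# Loader file names observed in the campaign (Indian and Russian variants).
LOADER_NAMES = {"click file.exe", "фнс.exe"}

# Constructed Zeek http.log-style lines (tab-separated: ts, src, dst, host, uri).
# Not real telemetry.
HTTP_LOG = """\
1767225600.1\t10.0.0.5\t203.0.113.7\tabc.haijing88.com\t/uploads/фнс/фнс.zip
1767225601.3\t10.0.0.5\t203.0.113.7\tabc.haijing88.com\t/stage2
1767225602.0\t10.0.0.8\t198.51.100.2\tupdates.example.org\t/patch.msi
"""

# Constructed Sysmon Event ID 1-style process creation events (parent -> child).
PROC_EVENTS = [
    {"ParentImage": r"C:\Users\v\Downloads\Click File.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Office\WINWORD.EXE"},
    {"ParentImage": r"C:\Users\v\Downloads\фнс.exe",
     "Image": r"C:\Windows\System32\rundll32.exe"},
]


def c2_http_hits(log_text):
    """Return (src, host, uri) for every HTTP request whose Host is a known C2 domain."""
    hits = []
    for line in log_text.splitlines():
        _ts, src, _dst, host, uri = line.split("\t")
        if host.lower() in C2_DOMAINS:
            hits.append((src, host, uri))
    return hits


def loader_children(events):
    """Return (parent_name, child_image) for processes spawned by the RustSL loader.

    Matching is on the parent's file name only, so the loader is caught wherever
    the user saved it.
    """
    out = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        if parent in LOADER_NAMES:
            out.append((parent, ev["Image"]))
    return out
```

In a real deployment the Host and parent-name sets would be fed from your TI platform rather than hard-coded.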

Step 4: Observe ValleyRAT's Installation and Plugin Delivery

ValleyRAT is a modular backdoor that can accept plugins. During the Silver Fox campaign, the attackers deployed a new plugin that acts as a loader for a custom Python-based backdoor. This plugin is retrieved from the same C2 infrastructure and loaded into the ValleyRAT process.

  • Check the ValleyRAT configuration files (often obfuscated) for plugin URLs.
  • Note that the plugin itself is a lightweight executable (or shellcode) that decrypts and runs the Python backdoor.

Step 5: Identify and Analyze the ABCDoor Backdoor

Once the ValleyRAT plugin executes, it drops and runs a Python script or compiled Python binary that we have named ABCDoor. This backdoor was first observed in late 2024 and has been used in real-world attacks from Q1 2025 onward. ABCDoor provides persistent remote access and can:

  • Execute arbitrary Python code received from the C2
  • Upload/download files
  • Capture screenshots and keystrokes
  • Pivot to other systems on the network

To analyze ABCDoor, locate the Python bytecode or script (often hidden in temp directories or embedded in the plugin). Decompile if necessary, and extract embedded C2 addresses and encryption keys.

Step 6: Trace the Full Attack Chain and Identify IoCs

Combine the evidence from the previous steps to reconstruct the complete infection chain:

  1. Phishing email → PDF/archive → RustSL loader
  2. RustSL → download ValleyRAT
  3. ValleyRAT → plugin → ABCDoor Python backdoor

Collect all indicators of compromise (IoCs):

  • Email subjects, sender addresses, and attachment hashes
  • Domains/IPs: abc.haijing88[.]com and any related C2s
  • File hashes (SHA256) for the RustSL loader, ValleyRAT binaries, and ABCDoor scripts
  • Registry or file system persistence mechanisms used by ABCDoor

Tips for Detection and Mitigation

  • Educate users: Train staff to recognize tax-themed phishing, especially messages urging immediate download of documents.
  • Enforce email filtering: Use sandboxing to scan all attachments, even PDFs with links, and block executables inside archives.
  • Monitor network traffic: Look for unusual HTTP connections to domains that are not typical for your region (e.g., hosts in Indian or Russian networks connecting to Chinese-registered domains).
  • Implement application whitelisting: Block unapproved executables, including Rust-compiled binaries unless they are required, and restrict script engines such as Python.
  • Hunt for ValleyRAT indicators: Use YARA rules to detect ValleyRAT and ABCDoor in memory or on disk, and Sigma rules to flag their behaviour in endpoint and network logs.
  • Share intelligence: Report IoCs to relevant CERTs (e.g., CERT-In, CERT-RF) and threat intelligence platforms.