Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing
China-linked Silver Fox group targets Indian and Russian organizations with ABCDoor backdoor via tax-themed phishing emails in December 2025 campaign.

Executive Summary
The China-linked cybercrime group Silver Fox has been observed deploying a new backdoor malware, dubbed ABCDoor, through tax-themed phishing campaigns targeting organizations in India and Russia. According to a report from The Hacker News, the group sent emails mimicking correspondence from the Income Tax Department of India in December 2025, followed by a similar wave aimed at Russian entities. The malware provides persistent remote access to compromised systems, enabling data exfiltration and further payload delivery.
Technical Analysis
The ABCDoor malware, named for its use of the Advanced Encryption Standard (AES) for command-and-control (C2) communication and a custom binary protocol, functions as a full-featured backdoor. The phishing emails carried malicious attachments or links that, when opened, executed a loader that retrieved the main ABCDoor payload from a remote server. The malware establishes persistence via registry run keys or scheduled tasks, then communicates with its C2 infrastructure over HTTP or HTTPS using encrypted channels. The Hacker News report indicates the campaign employed social engineering tailored to each target region: Indian victims received emails referencing tax filings, while Russian targets received correspondence styled as official government notices. The technical specifics of the loader and C2 protocol were not fully detailed in the source material, but the malware is described as capable of file upload/download, command execution, and keylogging.
Mitigations & Recommendations
Organizations in India and Russia, particularly those in government and financial sectors, should review email security controls to block tax-themed phishing lures. Defenders should monitor for suspicious outbound connections to unfamiliar infrastructure, especially HTTP or HTTPS traffic to domains mimicking government entities. Endpoint detection and response (EDR) tooling that flags registry Run key changes and scheduled task creation may help detect ABCDoor's persistence step. User awareness training focused on tax-related phishing is advised given the tailored social engineering.
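As an added illustration of the persistence-focused monitoring recommended above (example code, not from The Hacker News report or any ABCDoor analysis), the following Python flags the two mechanisms the brief names: Run/RunOnce registry writes (Sysmon Event ID 13) and scheduled task creation (Security Event ID 4698). It assumes events have already been normalized to dictionaries; the sample events are constructed and the paths in them are hypothetical.

```python
import re
from typing import List, Optional

# Registry autorun locations the brief names as ABCDoor's persistence targets (HKCU/HKU and HKLM variants).
RUN_KEY_RE = re.compile(
    r"\\Software\\(?:Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\",
    re.IGNORECASE,
)
# Directories a phished user can write to without elevation; autoruns pointing here deserve scrutiny.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\(?:Local\\Temp|Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)

# Constructed sample telemetry (Sysmon 13 = registry value set, Security 4698 = scheduled task created).
SAMPLE_EVENTS = [
    {"source": "Sysmon", "event_id": 13, "image": "C:\\Users\\a\\AppData\\Local\\Temp\\loader.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"source": "Sysmon", "event_id": 13, "image": "C:\\Windows\\explorer.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden"},
    {"source": "Security", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\TaxUpdate",
     "command": "C:\\Users\\a\\AppData\\Roaming\\svc.exe"},
    {"source": "Security", "event_id": 4698, "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag",
     "command": "%windir%\\system32\\defrag.exe"},
]

def is_user_writable(path: str) -> bool:
    """True when the executable lives in a directory an unprivileged user can write to."""
    return bool(USER_WRITABLE_RE.search(path))

def evaluate(event: dict) -> Optional[dict]:
    """Return a finding for one event, or None if it does not match either persistence pattern."""
    if event["source"] == "Sysmon" and event["event_id"] == 13:
        if not RUN_KEY_RE.search(event["target"]):
            return None  # registry write outside the Run/RunOnce keys
        sev = "high" if is_user_writable(event["image"]) else "medium"
        return {"rule": "run_key_persistence", "severity": sev,
                "image": event["image"], "key": event["target"]}
    if event["source"] == "Security" and event["event_id"] == 4698:
        if not is_user_writable(event["command"]):
            return None  # task action runs from a protected location
        return {"rule": "scheduled_task_persistence", "severity": "high",
                "task": event["task_name"], "command": event["command"]}
    return None

def scan(events: List[dict]) -> List[dict]:
    """Run evaluate() over a batch of events and keep only the findings."""
    return [f for f in (evaluate(e) for e in events) if f is not None]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The severity split matters in practice: legitimate installers also write Run keys, but an autorun or task whose binary sits in a user-writable directory is the combination a phishing-delivered loader typically produces.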
