More than 1,600 malicious emails were recorded between early January and early February 2026, according to the forensic timeline in the report — and they all began with the same ruse: tax-audit notices engineered to get recipients to download an archive or follow a link in a PDF.
Attack vector: tax-themed phishing targeting India and Russia
The campaign unfolded in two waves. In December 2025 attackers sent emails to Indian recipients with malicious attachments (examples include an archive named ITD.-.rar and a GST.pdf that pointed to hxxps://abc.haijing88[.]com/uploads/印度邮箱/CBDT.rar), some messages delivered via the SendGrid cloud platform. In January 2026 a nearly identical campaign targeted Russian organizations; PDFs delivered two links pointing to abc.haijing88[.]com/uploads/фнс/фнс.zip. Both variants used tax-authority language — “tax audits” or “list of tax violations” — to induce downloads and bypass email gateways by embedding download links inside otherwise innocuous PDFs.
Silver Fox RustSL: public loader, private changes
The loaders used in these attacks derive from a public Rust-based project called RustSL. Silver Fox introduced custom modules — notably steganography.rs and guard.rs — and built a bespoke variant referred to in the report as Silver Fox RustSL. The steganography.rs module does not implement typical image steganography; instead it implements an unpacking and multi-stage XOR decryption flow for an encrypted payload wrapped between <RSL_START> and <RSL_END> markers. The loader accepts multiple payload encodings (Base64, Base32, Hex, urlsafe_base64), employs a hardcoded key (RSL_STEG_2025_KEY), and runs a multi-pass XOR decryption routine described in the report.
Guard.rs implements environment checks and geofencing. Early samples ran extensive VM and sandbox detection; later versions retained country checks and expanded the allowed-country list from the GitHub default (China) to include India, Indonesia, South Africa, Russia, Cambodia — and, from a sample dated 2026-01-19, Japan. The loader queries five public geolocation services: ip-api.com, ipwho.is, ipinfo.io, ipapi.co, and www.geoplugin.net.
Payload chain: ValleyRAT (Winos 4.0) and the novel ABCDoor Python backdoor
Execution of the RustSL loader delivers an encrypted shellcode payload that downloads and executes ValleyRAT (also called Winos 4.0). The initial shellcode downloads an “Online module” (上线模块.dll) which in turn loads the core Login module (登录模块.dll_bin) responsible for C2 communication and module management. The embedded configuration in the shellcode reveals C2 priorities, including an IP and port entry p1:207.56.138[.]28:o1:6666 and others documented in the report.
During the campaign the ValleyRAT installation fetched and ran two previously unseen plugins (保86.dll and 保86.dll_bin). Those plugins performed geolocation checks and, when allowed, downloaded a 52.5 MB archive from hxxp://154.82.81[.]205 (files named YD20251001143052.zip and YN20250923193706.zip). The archive installs a Python environment, ffmpeg.exe, and an appclient Python module whose core is a Cython-compiled PYD DLL the report names ABCDoor.
ABCDoor is a Python-based backdoor that communicates over HTTPS using Socket.IO, establishes persistence via HKCU Run and a scheduled task named “AppClient”, and exposes functionality focused on file operations, clipboard exfiltration, process and window control, and screen broadcasting. Screen capture uses ffmpeg and, in later versions, the Desktop Duplication API to support up to four monitors. ABCDoor’s C2 pattern commonly uses third-level domains beginning with “abc”; one listed C2 is 45.118.133[.]203:5000 and multiple abc.* domains appear in the IoC list.
Persistence and operational tradecraft: Phantom Persistence and legitimate-path mimicry
Silver Fox RustSL samples also incorporated a persistence technique the report calls Phantom Persistence. A loader compiled on 2026-01-07 logs a sequence that registers application restart, monitors shutdown events, aborts a shutdown, and triggers a reboot with EWX_RESTARTAPPS to force execution at startup. The ABCDoor deployment further disguises itself by copying files to C:\ProgramData\Tailscale and launching pythonw.exe -m appclient, intentionally mimicking the path of the legitimate Tailscale utility.
Distribution techniques diversified across 2025: C++ and Go stagers, TinyURL redirects, self-extracting archives with JavaScript loaders, and Node.js-based installers. The report documents specific artifacts — sample names, TinyURL redirects, and numerous hashes — showing a multi-stage, segmented infrastructure designed to limit single-point takedowns.
What this means for technologists, affected enterprises, and end users
- Technologists and security teams: Hunt for the specific artifacts listed in the report — abc.* domains, C2 IPs (for example 207.56.138[.]28 and 154.82.81[.]205), and persistence traces (HKCU Run AppClient, scheduled task “AppClient”, and the registry key HKCU:\Software\CarEmu:FirstInstallTime). Monitor for unusual pythonw.exe -m appclient processes and the creation of %LOCALAPPDATA%\applogs\device.log and exception_logs.zip.
- Affected enterprises and procurement leaders: Note the attack vector — tax-authority themed PDFs and archives — and the tactic of embedding download links to bypass gateways. Review mail-gateway handling of PDFs with embedded links and reinforce verification procedures for tax notices.
- End users and administrators: Be alert to messages purporting to come from tax services, avoid following download links in unsolicited PDFs, and report suspicious attachments to security teams for analysis.
The report documents an operator that combined public offensive tooling with bespoke modules and a new Python backdoor in a campaign that scaled into early 2026 and broadened its geographic focus. With over 1,600 emails recorded in a short window and evidence of iterative development stretching back to late 2024, the intrusion set demonstrated both operational range and rapid technical evolution — and the artifacts and domains listed in the report provide concrete starting points for detection and response.




