
Silver Fox Targets India, Russia with ABCDoor Malware via Tax Phishing

"Both waves followed a nearly identical structure: phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a 'list of tax violations,'" Kaspersky said.

Phishing waves impersonating India's Income Tax Department and Russian official notices

Security researchers attribute a coordinated campaign to the China-based cybercrime group Silver Fox that used tax-themed phishing lures to deliver a previously undocumented backdoor, codenamed ABCDoor. The first wave impersonated the Income Tax Department of India in December 2025; a later wave targeted Russian entities with a similar structure. In the campaigns monitored, a PDF attached to the email contained two links that led to ZIP or RAR archives hosted on "abc.haijing88[.]com," and in the December 2025 activity malicious code was embedded directly in attached files.

RustSL, ValleyRAT, and ABCDoor: the technical chain

Kaspersky reports the attack chain begins with a phishing email and a malicious archive whose contents include an executable masquerading as a PDF. That executable is a modified version of an open-source shellcode loader and AV-bypass framework known as RustSL. The Silver Fox variant unpacks an encrypted payload that downloads an encrypted copy of ValleyRAT (aka Winos 4.0). ValleyRAT's core component, identified as "login-module.dll_bin," handles command-and-control communications, command execution, and retrieval and execution of additional modules.

Crucially, researchers observed a ValleyRAT plugin functioning as a loader for ABCDoor. ABCDoor is a Python-based backdoor that, when deployed, communicates with an external server over HTTPS and processes messages to manage persistence, perform updates and removal, capture screenshots, enable remote mouse and keyboard control, manipulate the file system and system processes, and exfiltrate clipboard contents. Kaspersky says ABCDoor has been in Silver Fox's toolkit since at least December 19, 2024 and was used in attacks beginning in February or March 2025.

Phantom Persistence, geofencing, and loader evolution

The bespoke RustSL variant used by Silver Fox incorporates multiple evasive features. It implements country-based geofencing and environment checks to detect virtual machines and sandboxes. While the public GitHub variant of RustSL contains only China in its country list, Silver Fox's customized version expands allowed countries to include India, Indonesia, South Africa, Russia, and Cambodia. Newer RustSL updates have further expanded geographic focus to include Japan.

One loader variant employs a persistence technique Kaspersky refers to as "Phantom Persistence," first documented in June 2025. This method abuses functionality intended to let applications complete updates across a reboot: the attackers intercept the system shutdown signal, halt the normal shutdown, and trigger a reboot that appears to be an update, causing the loader to execute at OS startup. As recently as November 2025, Silver Fox was also using a JavaScript loader delivered inside self-extracting (SFX) archives packaged in ZIP files—another delivery option alongside RustSL.

Impacted sectors, countries, and scale

Kaspersky and monitoring data show the highest numbers of detections in India, Russia, and Indonesia, followed by South Africa and Japan. The attacks affected organizations across industrial, consulting, retail, and transportation sectors. Between early January and early February, security systems flagged more than 1,600 phishing emails linked to these waves. The campaign's modular approach—RustSL → ValleyRAT → ABCDoor—permits flexible targeting and staged deployment of capabilities once a foothold is obtained.

What this means for technologists, enterprises, and open-source maintainers

  • Technologists and security teams: watch for tax-themed lures and archives downloaded from domains such as "abc.haijing88[.]com," as well as artifacts of RustSL and ValleyRAT (including "login-module.dll_bin"). Expect loaders to perform geofencing and sandbox detection and to employ persistence techniques like Phantom Persistence.
  • Affected enterprises and procurement leaders (industrial, consulting, retail, transportation): these sectors were explicitly impacted in the observed waves. The use of familiar administrative lures—tax notices and purported violation lists—highlights the need to validate unexpected tax- or compliance-related messages and to reinforce controls around archive extraction and execution.
  • Open-source maintainers and repository custodians: public loader code (the RustSL project) has been modified and weaponized. The GitHub variant's country list differs from the bespoke variant used in attacks, underscoring how public projects can be forked and extended for malicious purposes.
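As an added illustration of the hunting guidance above (not code from Kaspersky or the original report), the following checks a mail's subject, body and ZIP attachment against the indicators the article names: tax-themed wording, links to the lure domain, an executable masquerading as a PDF, and the ValleyRAT module name. The sample email and archive members are constructed; RAR attachments would need a separate library and are not handled here.

```python
import io
import re
import zipfile

# Indicators named in the report; domain kept defanged as printed and refanged only for matching.
DEFANGED_DOMAIN = "abc.haijing88[.]com"
LURE_DOMAIN = DEFANGED_DOMAIN.replace("[.]", ".")
TAX_LURE_TERMS = ("tax audit", "tax violation", "income tax")
VALLEYRAT_CORE = "login-module.dll_bin"
EXEC_EXTS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def lure_indicators(subject, body):
    # Reasons an email resembles the tax-themed lure described in the article
    hits = []
    text = f"{subject}\n{body}".lower()
    if any(term in text for term in TAX_LURE_TERMS):
        hits.append("tax-themed wording")
    for url in URL_RE.findall(text):
        host = url.split("://", 1)[1].split("/", 1)[0]
        if host == LURE_DOMAIN or host.endswith("." + LURE_DOMAIN):
            hits.append(f"link to {DEFANGED_DOMAIN}")
        elif url.endswith((".zip", ".rar")):
            hits.append(f"link to archive: {url}")
    return hits

def archive_indicators(zip_bytes):
    # Flag ZIP members matching the loader/RAT artifacts the report names
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            low = name.lower()
            # RustSL loader arrives as an executable masquerading as a PDF
            if ".pdf" in low and low.endswith(EXEC_EXTS):
                hits.append(f"executable posing as PDF: {name}")
            if low.rsplit("/", 1)[-1] == VALLEYRAT_CORE:
                hits.append(f"ValleyRAT core module name: {name}")
    return hits

def build_sample_archive():
    # Constructed ZIP mimicking the lure archive (stub bytes, not real malware)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("List_of_tax_violations.pdf.exe", b"constructed stub")
        zf.writestr("login-module.dll_bin", b"constructed stub")
    return buf.getvalue()

# Constructed sample email modelled on the lure wording quoted above
SAMPLE_SUBJECT = "Income Tax Department: Notice of tax audit"
SAMPLE_BODY = "Please download the list of tax violations: https://abc.haijing88.com/notice/violations.zip"
```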

Silver Fox's campaign stitches together open-source code, a long-standing RAT, and a new Python backdoor into a modular, regionally tailored operation. Kaspersky's timeline places ABCDoor in the group's toolkit since December 19, 2024, with active use from February or March 2025 and continued evolution through at least December 2025. The observable pattern—tax-themed lures, multi-stage loaders, geofencing, and Phantom Persistence—offers concrete indicators defenders can hunt for, but also illustrates how quickly publicly available components can be recombined into new threats.

Original report — The Hacker News