Silver Fox, a China-based cybercrime group, deployed a new malware strain called ABCDoor through targeted phishing campaigns against organizations in Russia and India during December 2025. The initial wave exploited tax-themed social engineering, with emails spoofing the Indian Income Tax Department to trick recipients into executing malicious payloads. A follow-up campaign targeting Russian entities used comparable tactics and infrastructure.
ABCDoor represents a capability expansion for Silver Fox, which historically focused on financial fraud and data theft operations. The malware establishes persistence on infected systems and enables remote code execution, allowing attackers to deploy secondary payloads and move laterally within networks. Analysis suggests that ABCDoor shares code patterns with previously attributed Silver Fox tools, which points to operational continuity.
The phishing emails carried authentic-looking branding and urgent language typical of tax compliance notices, leveraging organizational compliance obligations to bypass user skepticism. Recipients who opened attachments or clicked embedded links unknowingly executed the malware dropper. Security researchers identified shared command and control infrastructure across both campaigns, indicating centralized operational planning.
Organizations in both regions face elevated risk. Russian entities experienced heightened targeting, possibly reflecting geopolitical factors. Indian businesses remain exposed given the widespread familiarity with tax department communications, making social engineering particularly effective. The dual-geography approach suggests Silver Fox is testing payload distribution methods and expanding its operational footprint beyond traditional targets.
Defenders should implement email authentication controls, DKIM/SPF verification, and security awareness training emphasizing tax-themed phishing. Organizations should monitor for ABCDoor indicators of compromise including specific command and control domains and process injection patterns. Network segmentation limits lateral movement if infection occurs. Patching systems reduces secondary payload exploitation vectors.
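As an added illustration of the monitoring advice above (this is not code from the article, nor from any vendor tooling), the following Python flags messages that borrow the Income Tax Department's name in the display field while the sender domain and the SPF/DKIM verdicts do not back it up; the legitimate domain incometax.gov.in and the two sample messages are assumptions constructed for the example.

```python
import email
import email.utils
import re
from email import policy

# Constructed samples mimicking the tax-themed lure; the addresses and
# Authentication-Results values are made up, not indicators from the campaign.
SAMPLE_PHISH = """From: "Income Tax Department" <notice@example-mailer.net>
Subject: URGENT: Tax compliance notice - action required
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=example-mailer.net; dkim=none

Please open the attached notice within 24 hours.
"""

SAMPLE_LEGIT = """From: "Income Tax Department" <donotreply@incometax.gov.in>
Subject: Intimation u/s 143(1)
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=incometax.gov.in; dkim=pass header.d=incometax.gov.in

Your return has been processed.
"""

# Assumption: the sending domain the impersonated brand legitimately uses.
BRAND_DOMAINS = {"income tax department": {"incometax.gov.in"}}
URGENCY = re.compile(r"\b(urgent|immediate|within 24 hours|action required|penalty)\b", re.I)


def auth_result(auth_header: str, method: str) -> str:
    """Return the spf/dkim verdict recorded in Authentication-Results, or 'missing'."""
    m = re.search(rf"\b{method}=(\w+)", auth_header.lower())
    return m.group(1) if m else "missing"


def assess(raw: str) -> list[str]:
    """Return a list of findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw, policy=policy.default)
    display, addr = email.utils.parseaddr(str(msg["From"] or ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    auth = str(msg["Authentication-Results"] or "")
    findings = []
    # Display-name impersonation: brand name shown, but sender domain is not the brand's.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in display.lower() and domain not in domains:
            findings.append(f"display name impersonates '{brand}' but sender domain is {domain}")
    for method in ("spf", "dkim"):  # anything other than an explicit pass is a failure
        verdict = auth_result(auth, method)
        if verdict != "pass":
            findings.append(f"{method} verdict is {verdict}")
    # Urgency wording only matters in combination with the structural red flags above.
    if findings and URGENCY.search(str(msg["Subject"] or "")):
        findings.append("urgent compliance language in subject")
    return findings
```

Run over a mail gateway's quarantine or journal feed, the same checks give a low-noise first-pass triage for the lure style described here; they do not replace full DMARC enforcement at the domain level.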
The campaign reflects broader trends in Chinese cybercriminal operations targeting APAC and Eastern European markets. Silver Fox's investment in new malware tools
