Kaspersky researchers detail a tax-themed spear-phishing campaign by the Silver Fox APT group targeting organizations in Russia and India. The attackers impersonated tax authorities to deliver malicious archives containing a modified Rust-based loader (RustSL) that ultimately deploys the ValleyRAT backdoor. During the investigation, a previously undocumented Python-based backdoor named ABCDoor was discovered — delivered as a ValleyRAT plugin. ABCDoor, compiled with Cython and active since late 2024, supports remote screen broadcasting (via ffmpeg), mouse/keyboard emulation, clipboard exfiltration, file management, and DPAPI-based encryption. The loader uses geofencing to restrict execution to targeted countries (Russia, India, Indonesia, South Africa, Cambodia, Japan) and employs the Phantom Persistence technique for startup execution. The post includes full technical analysis of the attack chain, ABCDoor version history, distribution method evolution, and comprehensive indicators of compromise.

20 min read. From securelist.com.
Table of contents of the original post:

- Email campaign
- RustSL loader
- Silver Fox RustSL
- Attack chain and payloads
- ABCDoor Python backdoor
- ABCDoor versions
- Evolution of ABCDoor distribution methods
- Victims
- Conclusion
- Indicators of compromise
