Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India

In late 2025–early 2026 the Silver Fox group conducted tax-themed phishing campaigns against organizations across multiple countries and sectors, using a customized RustSL loader to deploy ValleyRAT and a newly documented Python backdoor called ABCDoor; the report details the multi-stage attack chain, payload formats and decryption, persistence methods (including Phantom Persistence and scheduled tasks/registry autoruns), distribution changes over time, victims by country, and provides comprehensive network and file IOCs.