Pulse Detail — Threat Intelligence

PULSE NAME

Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India

WHITE Silver Fox AlienVault 2026-04-30 Modified: 2026-05-30

144

IOCs

HIGH VOLUME

The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across industrial, consulting, retail, and transportation sectors. During investigation, a previously undocumented Python-based backdoor named ABCDoor was discovered, active since late 2024. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms including Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques including geofencing, string encryption, and mimicking legitimate VPN services.

MITRE ATT&CK & Malware Families

ATT&CK TECHNIQUES

T1053.005 T1113 T1056.001 T1204.002 T1566.001 T1115 T1106 T1140 T1219 T1055 T1083 T1497 T1102 T1547.001 T1027 T1573 T1132 T1070.004 T1071.001

MALWARE FAMILIES

ABCDoor ValleyRAT RustSL Winos 4.0

Indicators of Compromise (13 / 144 total)

All URL FileHash-MD5 FileHash-SHA1 FileHash-SHA256 domain hostname

TYPE	INDICATOR	DESCRIPTION	CREATED
URL	http://154.82.81.205/YD20251001143052.zip	—	2026-04-30
URL	http://154.82.81.205/YD20251001143052.zip'	—	2026-04-30
URL	http://154.82.81.205/YN20250923193706.zip.	—	2026-04-30
URL	https://abc.fetish-friends.com/setup/install	—	2026-04-30
URL	https://abc.fetish-friends.com/setup/install?channel=dianhua-0903	—	2026-04-30
URL	https://abc.fetish-friends.com/setup/install?channel=whatsapp_0826	—	2026-04-30
URL	https://abc.fetish-friends.com/setup?channel=jiqi_0819	—	2026-04-30
URL	https://abc.fetish-friends.com/uploads/appclient.zip	—	2026-04-30
URL	https://mcagov.cc/download.php?type=exe.	—	2026-04-30
URL	https://roldco.com/api/download/c51bbd17-ef08-4d6c-ab4c-d7bf49483dd6	—	2026-04-30
URL	https://sudsmama.com/api/download/50e24b3a-8662-4d2f-9837-8cc62aa8f697	—	2026-04-30
URL	https://sudsmama.com/api/download/c8ea0a2c-42c2-4159-9337-ee774ed5e7cb	—	2026-04-30
URL	https://vnc.kcii2.com	—	2026-04-30

References (1)

↗ https://securelist.com/silver-fox-tax-notification-campaign/119575/