{ "type": "SHA256", "indicator": "285c764e84ca830d90e75df06ee5445693f79058142b85b5e054c5c78c0421aa", "general": { "sections": [ "general", "analysis" ], "type": "sha256", "type_title": "FileHash-SHA256", "indicator": "285c764e84ca830d90e75df06ee5445693f79058142b85b5e054c5c78c0421aa", "validation": [], "base_indicator": { "id": 4335639217, "indicator": "ca5c6fc9d9adc8e8edd474f601429764cc52d4b0", "type": "FileHash-SHA1", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "69f3241b2759ee934874df9f", "name": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India", "description": "The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across industrial, consulting, retail, and transportation sectors. During investigation, a previously undocumented Python-based backdoor named ABCDoor was discovered, active since late 2024. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms including Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques including geofencing, string encryption, and mimicking legitimate VPN services.", "modified": "2026-05-30T09:04:01.553000", "created": "2026-04-30T09:42:51.123000", "tags": [ "python backdoor", "silver fox", "winos 4.0", "valleyrat", "ABCDoor" ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "British Indian Ocean Territory", "India", "Indonesia", "Japan", "Russian Federation", "South Africa" ], "malware_families": [ { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "RustSL", "display_name": "RustSL", "target": null }, { "id": "Winos 4.0", "display_name": "Winos 4.0", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Manufacturing", "Retail", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 72, "FileHash-SHA1": 21, "FileHash-SHA256": 21, "domain": 8, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 386442, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69faa5ac2f35f2ba145bf544", "name": "IOC - Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India", "description": "", "modified": "2026-05-30T09:04:01.553000", "created": "2026-05-06T02:21:32.241000", "tags": [ "python backdoor", "silver fox", "winos 4.0", "valleyrat", "ABCDoor" ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "British Indian Ocean Territory", "India", "Indonesia", "Japan", "Russian Federation", "South Africa" ], "malware_families": [ { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "RustSL", "display_name": "RustSL", "target": null }, { "id": "Winos 4.0", "display_name": "Winos 4.0", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Manufacturing", "Retail", "Transportation" ], "TLP": "white", "cloned_from": "69f3241b2759ee934874df9f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 72, "FileHash-SHA1": 21, "FileHash-SHA256": 21, "domain": 8, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f91415461df47226894741", "name": "ugugyguguguyguyguyguyguyguyguyg", "description": "The full text of this article, published on Wednesday, is subject to copyright. and will not be published again until after the end of the year, but it is possible to find a link.", "modified": "2026-05-04T21:48:05.343000", "created": "2026-05-04T21:48:05.343000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 49, "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 75, "URL": 38, "domain": 38, "hostname": 286 }, "indicator_count": 549, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "related": { "alienvault": { "adversary": [ "Silver Fox" ], "malware_families": [ "Rustsl", "Winos 4.0", "Valleyrat", "Abcdoor" ], "industries": [ "Retail", "Manufacturing", "Transportation" ] }, "other": { "adversary": [ "Silver Fox" ], "malware_families": [ "Rustsl", "Winos 4.0", "Valleyrat", "Abcdoor" ], "industries": [ "Retail", "Manufacturing", "Transportation" ] } } }, "false_positive": [] }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "69f3241b2759ee934874df9f", "name": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India", "description": "The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across industrial, consulting, retail, and transportation sectors. During investigation, a previously undocumented Python-based backdoor named ABCDoor was discovered, active since late 2024. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms including Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques including geofencing, string encryption, and mimicking legitimate VPN services.", "modified": "2026-05-30T09:04:01.553000", "created": "2026-04-30T09:42:51.123000", "tags": [ "python backdoor", "silver fox", "winos 4.0", "valleyrat", "ABCDoor" ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "British Indian Ocean Territory", "India", "Indonesia", "Japan", "Russian Federation", "South Africa" ], "malware_families": [ { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "RustSL", "display_name": "RustSL", "target": null }, { "id": "Winos 4.0", "display_name": "Winos 4.0", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Manufacturing", "Retail", "Transportation" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 72, "FileHash-SHA1": 21, "FileHash-SHA256": 21, "domain": 8, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 386442, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69faa5ac2f35f2ba145bf544", "name": "IOC - Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India", "description": "", "modified": "2026-05-30T09:04:01.553000", "created": "2026-05-06T02:21:32.241000", "tags": [ "python backdoor", "silver fox", "winos 4.0", "valleyrat", "ABCDoor" ], "references": [ "https://securelist.com/silver-fox-tax-notification-campaign/119575/" ], "public": 1, "adversary": "Silver Fox", "targeted_countries": [ "British Indian Ocean Territory", "India", "Indonesia", "Japan", "Russian Federation", "South Africa" ], "malware_families": [ { "id": "ABCDoor", "display_name": "ABCDoor", "target": null }, { "id": "ValleyRAT", "display_name": "ValleyRAT", "target": null }, { "id": "RustSL", "display_name": "RustSL", "target": null }, { "id": "Winos 4.0", "display_name": "Winos 4.0", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1113", "name": "Screen Capture", "display_name": "T1113 - Screen Capture" }, { "id": "T1056.001", "name": "Keylogging", "display_name": "T1056.001 - Keylogging" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1115", "name": "Clipboard Data", "display_name": "T1115 - Clipboard Data" }, { "id": "T1106", "name": "Native API", "display_name": "T1106 - Native API" }, { "id": "T1140", "name": "Deobfuscate/Decode Files or Information", "display_name": "T1140 - Deobfuscate/Decode Files or Information" }, { "id": "T1219", "name": "Remote Access Software", "display_name": "T1219 - Remote Access Software" }, { "id": "T1055", "name": "Process Injection", "display_name": "T1055 - Process Injection" }, { "id": "T1083", "name": "File and Directory Discovery", "display_name": "T1083 - File and Directory Discovery" }, { "id": "T1497", "name": "Virtualization/Sandbox Evasion", "display_name": "T1497 - Virtualization/Sandbox Evasion" }, { "id": "T1102", "name": "Web Service", "display_name": "T1102 - Web Service" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1132", "name": "Data Encoding", "display_name": "T1132 - Data Encoding" }, { "id": "T1070.004", "name": "File Deletion", "display_name": "T1070.004 - File Deletion" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" } ], "industries": [ "Manufacturing", "Retail", "Transportation" ], "TLP": "white", "cloned_from": "69f3241b2759ee934874df9f", "export_count": 0, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "URL": 13, "FileHash-MD5": 72, "FileHash-SHA1": 21, "FileHash-SHA256": 21, "domain": 8, "hostname": 9 }, "indicator_count": 144, "is_author": false, "is_subscribing": null, "subscriber_count": 139, "modified_text": "9 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 }, { "id": "69f91415461df47226894741", "name": "ugugyguguguyguyguyguyguyguyguyg", "description": "The full text of this article, published on Wednesday, is subject to copyright. and will not be published again until after the end of the year, but it is possible to find a link.", "modified": "2026-05-04T21:48:05.343000", "created": "2026-05-04T21:48:05.343000", "tags": [ "indicator name" ], "references": [], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "MohammedRizwan2001", "id": "361933", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "IPv4": 49, "FileHash-MD5": 32, "FileHash-SHA1": 31, "FileHash-SHA256": 75, "URL": 38, "domain": 38, "hostname": 286 }, "indicator_count": 549, "is_author": false, "is_subscribing": null, "subscriber_count": 20, "modified_text": "25 days ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "FileHash-SHA256", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "285c764e84ca830d90e75df06ee5445693f79058142b85b5e054c5c78c0421aa", "type": "Hash" }, "abuseipdb": null, "urlhaus": { "indicator": "285c764e84ca830d90e75df06ee5445693f79058142b85b5e054c5c78c0421aa", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780165596.3383226 }