216.73.217.22

Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India

· Published 30/04/2026 09:42 · Modified 04/05/2026 11:00

Export JSON

Essential information

Published
30/04/2026 09:42
Modified
04/05/2026 11:00
Tags
2026-04-30 abcdoor python backdoor silver fox valleyrat winos 4.0
Related entities
46 observables, 1 intrusion sets (apt), 19 techniques (mitre), 4 malware, 26 others

Description

The threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed backdoor. Over 1600 malicious emails targeted organizations across industrial, consulting, retail, and transportation sectors. During investigation, a previously undocumented Python-based backdoor named was discovered, active since late 2024. The attacks utilized multi-stage infection chains involving encrypted payloads, custom modules, and various persistence mechanisms including Phantom Persistence technique. features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques including geofencing, string encryption, and mimicking legitimate VPN services.

Related entities

Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.

Observables (46)

  • 108.187.42.63
  • 57.133.212.106
  • 45.192.219.60
  • 207.56.138.28
  • 192.163.167.14
  • 207.56.119.216
  • 108.187.41.221
  • 154.82.81.205
  • 154.82.81.192
  • 108.187.37.85
  • 192.229.115.229
  • 192.238.205.47
  • http://154.82.81.205/YD20251001143052.zip'
  • https://mcagov.cc/download.php?type=exe.
  • https://sudsmama.com/api/download/c8ea0a2c-42c2-4159-9337-ee774ed5e7cb
  • https://sudsmama.com/api/download/50e24b3a-8662-4d2f-9837-8cc62aa8f697
  • https://abc.fetish-friends.com/setup/install
  • https://abc.fetish-friends.com/setup?channel=jiqi_0819
  • https://roldco.com/api/download/c51bbd17-ef08-4d6c-ab4c-d7bf49483dd6
  • https://abc.fetish-friends.com/uploads/appclient.zip
  • https://abc.fetish-friends.com/setup/install?channel=whatsapp_0826
  • https://vnc.kcii2.com
  • http://154.82.81.205/YN20250923193706.zip.
  • http://154.82.81.205/YD20251001143052.zip
  • https://abc.fetish-friends.com/setup/install?channel=dianhua-0903
  • 0eb664b45200c9b4e954162128d2c13bc693f6ae57650b49a3a9fb9b2e821110
  • 3296bd88e0a85ebad4f429878bf8bca16ac43e609133b4781f88a339c37bfe9f
  • e96091fd784eca3c56ce4a703b22f5e5941464aec32a6f356ad0f99ea4422f04
  • 905efac09785631ed57e57a6236b87c04f53b9e0a3bf697df71365814dee6362
  • 4518249127a023adb81d232452395e1506a3766eac1664b8a63c3d0e7dcc2dc2
  • 67c87dafb26de3b2b15b93a4ccd291e95682b9adf4ecb083b7c54286245ebd87
  • 795f939f8b9a2d56a3e8a609cab81032d9122a7d56ea852d95cd668f09139a3a
  • 4b4dcbd26f08dca7e3e5721f0f5bdc6274e1edc0556e0749a426ec22ff83ca10
  • 5d8c7fffc0992639edbca893366f19d5784af2d77e3cfcbaa445a10c503f935a
  • ffaea868dc1d68211664133e3b69f7025f1406bd4647d77f3aee945d745ad4bc
  • dbfa683cd8c600ed0e90f58eb965ca38b1561fa99d12cb7f252e8608da217df2
  • 949b0bea5bd7feab58e280dde49310521920b655714c5f1b7d9de8719373dcd7
  • 0cffb8b8fd11f300b5477ff23ec576f66ab65c021d995fa5495827237e679d93
  • f0e4d25b9b707be029e915ecb9fe61132cce89e138de36fef5e1edef551d7c25
  • c925048d6da2a2cd30ad521c1153f56366ee4bacbe84c8b929c1be7f9f2aa445
  • 5be9fc4ad9ae3e791d18427f4592c234dfb612aec39b219e8ec57424f61cbab3
  • d8f9f8bc811f428dd9605000470c5f496f46145e2d3d8b7e750bca901e55fcdd
  • 285c764e84ca830d90e75df06ee5445693f79058142b85b5e054c5c78c0421aa
  • fedf8678350dd29713be43f6115a2a8361f011b4b2eaf51e57eb2ffd758caa83
  • 56366c635d7b2ae88e8c8e9511f0c12e1cf1173b8be8c8f211b38a26d3a21e1c
  • a553833771f3e75ec3132f1295284e0e885e048b288f37ff8546677e5cb42f2f

Intrusion sets (APT) (1)

  • Silver Fox
    AlienVault Confidence 100
    First seen 01/01/1970 · Last seen 16/11/5138 Published 21/12/2025 00:22 · Modified 21/12/2025 00:22

Techniques (MITRE) (19)

Malware (4)

  • ValleyRAT
    Family
    Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
  • ABCDoor
    Family
    Published 08/06/2026 10:30 · Modified 08/06/2026 10:30
  • RustSL
    Family
    Published 30/04/2026 09:42 · Modified 30/04/2026 09:42
  • Winos 4.0
    Family
    Published 30/04/2026 09:42 · Modified 30/04/2026 09:42

Others (26)

  • India
  • British Indian Ocean Territory
  • South Africa
  • Japan
  • Indonesia
  • Russian Federation
  • Manufacturing
  • Retail
  • Transportation
  • uuid.rs
  • vnc.kcii2.com
  • abc.petitechanson.com
  • obfuscate.io
  • ipv4.rs
  • abc.woopami.com
  • abc.ilptour.com
  • roldco.com
  • abc.doublemobile.com
  • guard.rs
  • abc.sudsmama.com
  • abc.3mkorealtd.com
  • mcagov.cc
  • abc.fetish-friends.com
  • sudsmama.com
  • steganography.rs
  • abc.haijing88.com

External references