{
  "name": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India",
  "slug": "silver-fox-uses-the-new-abcdoor-backdoor-to-target-organizations-in-russia-and-india",
  "description": "The Silver Fox threat group conducted phishing campaigns in December 2025 and January 2026, impersonating tax authorities in India and Russia. Malicious emails contained archives with a modified Rust-based RustSL loader that deployed the ValleyRAT backdoor. Over 1600 malicious emails targeted organizations across industrial, consulting, retail, and transportation sectors. During the investigation, a previously undocumented Python-based backdoor named ABCDoor was discovered, active since late 2024. The attacks utilized multi-stage infection chains involving encrypted payloads, custom ValleyRAT modules, and various persistence mechanisms, including the Phantom Persistence technique. ABCDoor features remote control capabilities, screen broadcasting using ffmpeg, and file manipulation functions. The group employed sophisticated evasion techniques, including geofencing, string encryption, and mimicking legitimate VPN services.",
  "published": "2026-04-30T07:42:51+00:00",
  "created_at": "2026-04-30T07:42:51+00:00",
  "modified_at": "2026-05-04T09:00:22+00:00",
  "created_at_opencti": "2026-04-30T07:42:51+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-04-30",
    "abcdoor",
    "python backdoor",
    "silver fox",
    "valleyrat",
    "winos 4.0"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "108.187.42.63"
      },
      {
        "id": "",
        "name": "57.133.212.106"
      },
      {
        "id": "",
        "name": "45.192.219.60"
      },
      {
        "id": "",
        "name": "207.56.138.28"
      },
      {
        "id": "",
        "name": "192.163.167.14"
      },
      {
        "id": "",
        "name": "207.56.119.216"
      },
      {
        "id": "",
        "name": "108.187.41.221"
      },
      {
        "id": "",
        "name": "154.82.81.205"
      },
      {
        "id": "",
        "name": "154.82.81.192"
      },
      {
        "id": "",
        "name": "108.187.37.85"
      },
      {
        "id": "",
        "name": "192.229.115.229"
      },
      {
        "id": "",
        "name": "192.238.205.47"
      },
      {
        "id": "",
        "name": "http://154.82.81.205/YD20251001143052.zip'"
      },
      {
        "id": "",
        "name": "https://mcagov.cc/download.php?type=exe."
      },
      {
        "id": "",
        "name": "https://sudsmama.com/api/download/c8ea0a2c-42c2-4159-9337-ee774ed5e7cb"
      },
      {
        "id": "",
        "name": "https://sudsmama.com/api/download/50e24b3a-8662-4d2f-9837-8cc62aa8f697"
      },
      {
        "id": "",
        "name": "https://abc.fetish-friends.com/setup/install"
      },
      {
        "id": "",
        "name": "https://abc.fetish-friends.com/setup?channel=jiqi_0819"
      },
      {
        "id": "",
        "name": "https://roldco.com/api/download/c51bbd17-ef08-4d6c-ab4c-d7bf49483dd6"
      },
      {
        "id": "",
        "name": "https://abc.fetish-friends.com/uploads/appclient.zip"
      },
      {
        "id": "",
        "name": "https://abc.fetish-friends.com/setup/install?channel=whatsapp_0826"
      },
      {
        "id": "",
        "name": "https://vnc.kcii2.com"
      },
      {
        "id": "",
        "name": "http://154.82.81.205/YN20250923193706.zip."
      },
      {
        "id": "",
        "name": "http://154.82.81.205/YD20251001143052.zip"
      },
      {
        "id": "",
        "name": "https://abc.fetish-friends.com/setup/install?channel=dianhua-0903"
      },
      {
        "id": "",
        "name": "0eb664b45200c9b4e954162128d2c13bc693f6ae57650b49a3a9fb9b2e821110"
      },
      {
        "id": "",
        "name": "3296bd88e0a85ebad4f429878bf8bca16ac43e609133b4781f88a339c37bfe9f"
      },
      {
        "id": "",
        "name": "e96091fd784eca3c56ce4a703b22f5e5941464aec32a6f356ad0f99ea4422f04"
      },
      {
        "id": "",
        "name": "905efac09785631ed57e57a6236b87c04f53b9e0a3bf697df71365814dee6362"
      },
      {
        "id": "",
        "name": "4518249127a023adb81d232452395e1506a3766eac1664b8a63c3d0e7dcc2dc2"
      },
      {
        "id": "",
        "name": "67c87dafb26de3b2b15b93a4ccd291e95682b9adf4ecb083b7c54286245ebd87"
      },
      {
        "id": "",
        "name": "795f939f8b9a2d56a3e8a609cab81032d9122a7d56ea852d95cd668f09139a3a"
      },
      {
        "id": "",
        "name": "4b4dcbd26f08dca7e3e5721f0f5bdc6274e1edc0556e0749a426ec22ff83ca10"
      },
      {
        "id": "",
        "name": "5d8c7fffc0992639edbca893366f19d5784af2d77e3cfcbaa445a10c503f935a"
      },
      {
        "id": "",
        "name": "ffaea868dc1d68211664133e3b69f7025f1406bd4647d77f3aee945d745ad4bc"
      },
      {
        "id": "",
        "name": "dbfa683cd8c600ed0e90f58eb965ca38b1561fa99d12cb7f252e8608da217df2"
      },
      {
        "id": "",
        "name": "949b0bea5bd7feab58e280dde49310521920b655714c5f1b7d9de8719373dcd7"
      },
      {
        "id": "",
        "name": "0cffb8b8fd11f300b5477ff23ec576f66ab65c021d995fa5495827237e679d93"
      },
      {
        "id": "",
        "name": "f0e4d25b9b707be029e915ecb9fe61132cce89e138de36fef5e1edef551d7c25"
      },
      {
        "id": "",
        "name": "c925048d6da2a2cd30ad521c1153f56366ee4bacbe84c8b929c1be7f9f2aa445"
      },
      {
        "id": "",
        "name": "5be9fc4ad9ae3e791d18427f4592c234dfb612aec39b219e8ec57424f61cbab3"
      },
      {
        "id": "",
        "name": "d8f9f8bc811f428dd9605000470c5f496f46145e2d3d8b7e750bca901e55fcdd"
      },
      {
        "id": "",
        "name": "285c764e84ca830d90e75df06ee5445693f79058142b85b5e054c5c78c0421aa"
      },
      {
        "id": "",
        "name": "fedf8678350dd29713be43f6115a2a8361f011b4b2eaf51e57eb2ffd758caa83"
      },
      {
        "id": "",
        "name": "56366c635d7b2ae88e8c8e9511f0c12e1cf1173b8be8c8f211b38a26d3a21e1c"
      },
      {
        "id": "",
        "name": "a553833771f3e75ec3132f1295284e0e885e048b288f37ff8546677e5cb42f2f"
      }
    ],
    "malware": [
      {
        "id": "f8879be0-dea7-4e8d-9aba-78c8ac8c6207",
        "name": "ValleyRAT",
        "slug": "valleyrat"
      },
      {
        "id": "d9d115e9-0360-475d-9c34-93a3393a032d",
        "name": "ABCDoor",
        "slug": "abcdoor"
      },
      {
        "id": "legacy:malware:9503375f259a1030",
        "name": "RustSL",
        "slug": "rustsl"
      },
      {
        "id": "legacy:malware:eab8a5b9068d7c7d",
        "name": "Winos 4.0",
        "slug": "winos-40"
      }
    ],
    "intrusion_sets": [
      {
        "id": "9737bc5a-30ea-42a9-8733-7a4540a14ef2",
        "name": "Silver Fox",
        "slug": "silver-fox"
      }
    ],
    "attack_patterns": [
      {
        "id": "32817170-4c07-427e-b8a5-80a733ae2550",
        "name": "T1497"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "a72ebeae-8e62-4039-8135-e9c611011fdc",
        "name": "T1573"
      },
      {
        "id": "667462db-9031-48eb-893a-05d35f9330a7",
        "name": "T1056.001"
      },
      {
        "id": "c9ee9b30-ba84-4c24-95e9-e8242d42af3f",
        "name": "T1071.001"
      },
      {
        "id": "81ee4813-4f68-4984-bec1-980d7c5b56eb",
        "name": "T1132"
      },
      {
        "id": "196f2a64-c55b-47a6-8e38-beb76ba700b6",
        "name": "T1204.002"
      },
      {
        "id": "40f0d8e3-bcd7-4b97-a958-f55815698fc5",
        "name": "T1053.005"
      },
      {
        "id": "dc410646-9cdd-427b-92e7-179a54f78f90",
        "name": "T1566.001"
      },
      {
        "id": "60972cf6-e90b-4600-af3c-13c468391d9c",
        "name": "T1106"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "c12e0e03-aab0-4646-a929-e921a3d27f02",
        "name": "T1219"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "870bd958-53a3-4d25-9f23-00aa8bd6674d",
        "name": "T1102"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "8e0fea81-4d54-4e88-a7dd-3aa8b26558ed",
        "name": "T1113"
      },
      {
        "id": "f4a450ef-8297-42e5-9e47-01162138baa2",
        "name": "T1115"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "India"
      },
      {
        "id": "",
        "name": "British Indian Ocean Territory"
      },
      {
        "id": "",
        "name": "South Africa"
      },
      {
        "id": "",
        "name": "Japan"
      },
      {
        "id": "",
        "name": "Indonesia"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Manufacturing"
      },
      {
        "id": "",
        "name": "Retail"
      },
      {
        "id": "",
        "name": "Transportation"
      },
      {
        "id": "",
        "name": "uuid.rs"
      },
      {
        "id": "",
        "name": "vnc.kcii2.com"
      },
      {
        "id": "",
        "name": "abc.petitechanson.com"
      },
      {
        "id": "",
        "name": "obfuscate.io"
      },
      {
        "id": "",
        "name": "ipv4.rs"
      },
      {
        "id": "",
        "name": "abc.woopami.com"
      },
      {
        "id": "",
        "name": "abc.ilptour.com"
      },
      {
        "id": "",
        "name": "roldco.com"
      },
      {
        "id": "",
        "name": "abc.doublemobile.com"
      },
      {
        "id": "",
        "name": "guard.rs"
      },
      {
        "id": "",
        "name": "abc.sudsmama.com"
      },
      {
        "id": "",
        "name": "abc.3mkorealtd.com"
      },
      {
        "id": "",
        "name": "mcagov.cc"
      },
      {
        "id": "",
        "name": "abc.fetish-friends.com"
      },
      {
        "id": "",
        "name": "sudsmama.com"
      },
      {
        "id": "",
        "name": "steganography.rs"
      },
      {
        "id": "",
        "name": "abc.haijing88.com"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/silver-fox-tax-notification-campaign/119575/",
    "https://otx.alienvault.com/pulse/69f3241b2759ee934874df9f"
  ]
}