
Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India

The Silver Fox threat group is actively targeting industrial and retail organizations across multiple countries using sophisticated phishing campaigns to deploy the ValleyRAT backdoor and the new ABCDoor malware.

Key Points

  • Silver Fox sent over 1,600 malicious emails between December 2025 and February 2026, masquerading as official tax authority correspondence.
  • The campaign uses a customized Rust-based loader, "Silver Fox RustSL," which features advanced sandbox detection and geofencing based on the victim's geolocation.
  • Attackers deploy the ValleyRAT backdoor alongside a previously undocumented Python-based backdoor named ABCDoor, which has been in development since late 2024.
  • ABCDoor uses legitimate tools like ffmpeg for screen capturing and mimics the directory structure of the Tailscale VPN service to evade detection.
  • Targeted countries include India, Russia, Indonesia, South Africa, and Japan, with the malware specifically configured to verify the victim's location before execution.

Why it Matters

This campaign demonstrates a significant evolution in the Silver Fox group's tactics, specifically through the use of multi-stage infection chains and the integration of custom Python-based backdoors. By mimicking legitimate software and exploiting trust in government communications, these attackers pose a persistent threat to global enterprise security and data integrity.

Source: Securelist.com. Published by Anton Kargin, Vladimir Gursky, Victoria Vlasova, Anna Lazaricheva