Chinese Silver Fox Group Uses Tax Phishing to Deliver New ABCDoor Backdoor

More than 1,600 phishing emails were flagged between early January and early February 2026 across industrial, consulting, retail, and transportation sectors.

CSBadmin
2 Min Read

Attack Chain and Initial Delivery

The Silver Fox cybercrime group, operating out of China, has launched a targeted phishing campaign against organizations in Russia and India. The attacks began in December 2025 with emails that impersonated the Indian Income Tax Department, followed by a similar wave aimed at Russian entities. The emails carried PDF files containing links that led victims to download archives from a malicious domain. Inside each archive was an executable disguised as a PDF file. This executable was a modified version of an open-source shellcode loader called RustSL. Kaspersky researchers found that the loader performed geofencing checks and virtual machine detection before unpacking its encrypted payload.
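The delivery step above hinges on an executable inside an archive posing as a PDF. The following is an added example, not code from the article or from Kaspersky, showing how a mail gateway or sandbox could flag that pattern before a user opens the attachment. It assumes the archives are ZIP files (the article does not state the format) and uses a constructed in-memory sample archive rather than any real campaign file.

```python
import io
import zipfile

# Magic bytes: Windows PE executables start with "MZ", PDF documents with "%PDF".
PE_MAGIC = b"MZ"
PDF_MAGIC = b"%PDF"
EXEC_EXTENSIONS = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")


def scan_archive(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) for entries that look like a disguised executable.

    Three heuristics, checked in order:
      1. extension says .pdf but the bytes are a PE executable
      2. double extension such as notice.pdf.exe (Windows hides the final
         extension by default, so the user sees "notice.pdf")
      3. extension says .pdf but the content lacks a PDF header at all
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4)
            name = info.filename.lower()
            if name.endswith(".pdf") and head.startswith(PE_MAGIC):
                findings.append((info.filename, "PE executable with .pdf extension"))
            elif ".pdf." in name and name.endswith(EXEC_EXTENSIONS):
                findings.append((info.filename, "double extension hides executable"))
            elif name.endswith(".pdf") and not head.startswith(PDF_MAGIC):
                findings.append((info.filename, "claims PDF but lacks %PDF header"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed test archive (hypothetical file names, not real campaign artifacts)."""
    fake_pe = b"MZ\x90\x00" + b"\x00" * 28  # minimal DOS header stub, not a runnable binary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("tax_notice.pdf", b"%PDF-1.7\n% benign placeholder document\n")
        zf.writestr("income_tax_refund.pdf.exe", fake_pe)
        zf.writestr("notice.pdf", fake_pe)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reason in scan_archive(build_sample_archive()):
        print(f"FLAG {entry}: {reason}")
```

The content check matters more than the name check: the first heuristic catches a file that has only a .pdf extension and relies entirely on the icon and name to pass, which a pure extension filter would miss.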

Malware Deployment and Capabilities

Once activated, the RustSL loader downloaded the ValleyRAT backdoor, also known as Winos 4.0. The core component of ValleyRAT handled command-and-control communications and executed additional modules. One of these custom modules was a previously undocumented Python-based backdoor called ABCDoor. ABCDoor contacted an external server to carry out tasks such as capturing screenshots, controlling mouse and keyboard input, managing files and processes, and stealing clipboard contents. Some loader variants also used a technique called Phantom Persistence to survive reboots: it intercepted system shutdown signals and forced the machine to restart under the guise of a software update.

Source: The Hacker News

The latest in cybersecurity news and updates.