Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India
Anton Kargin, Vladimir Gursky, Victoria Vlasova, Anna Lazaricheva ·
6 days ago ·
ATT&CK techniques detected
32 predictions
T1071.001 Web Protocols
97%
“…[.]com, abc.3mkorealtd[.]com, abc.sudsmama[.]com, abc.woopami[.]com, abc.ilptour[.]com, abc.petitechanson[.]com, abc.doublemobile[.]com. ABCDoor loader C2s: mcagov[.]cc, roldco[.]com. C2s for malicious remote control utilities: vnc.kcii2[.]com. Distribution…”
T1486 Data Encrypted for Impact
96%
“- cryptomanager: provides functions for encrypting and decrypting files and directories (currently limited to DPAPI; asymmetric encryption functions lack implementation). - utils: auxiliary functions (file upload/download, archive management, error log uploading, etc.). Up…”
T1566.001 Spearphishing Attachment
96%
“Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India. In December 2025, we detected a wave of malicious emails designed to look like official correspondence from the Indian tax service. A few weeks later, in January 2026, a similar campaign began ta…”
T1059.001 PowerShell
93%
“…rs written in C++ and Go: - C++ stager: the file gst suvidha.exe (MD5: 04194f8ddd0518fd8005f0e87ae96335) downloaded a loader (MD5: f15a67899cfe4decff76d4cd1677c254) from hxxps://mcagov[.]cc/download.php?type=exe. This loader then downloaded the ABCDoor …”
T1204.002 Malicious File
93%
“…6ba3393a3a865d1c43c3d2). - The file mca-ministry.exe (MD5: 32407207e9e9a0948d167dca96c41d1a) was also hosted on one of the servers used by the ABCDoor stagers and was downloaded via TinyURL: hxxps://tinyurl[.]com/322ccxbf -> hxxps://sudsmama[.]com/api/do…”
T1055.001 Dynamic-link Library Injection
87%
“…also known as Winos 4.0) backdoor module named 上.dll from the attackers’ server. The filename translates from Chinese as “online-module.dll”, so for the sake of clarity, we’ll refer to it as the online module. The online module proceeds to load the core component of Va…”
T1204.002 Malicious File
78%
“…door has been part of the Silver Fox arsenal since at least late 2024 and has been utilized in real-world attacks from the first quarter of 2025 to the present day. Email campaign: in the January campaign, victims received an email purportedly from the tax service with an atta…”
T1105 Ingress Tool Transfer
77%
“…2025, Silver Fox varied their delivery techniques through several methods: - Utilizing TinyURL: stagers initially queried TinyURL links, which then redirected to the full addresses for downloading the next stage: - hxxps://tinyurl[.]com/4nzkync8 -> hxxps://ro…”
T1027 Obfuscated Files or Information
73%
“…ypted malicious payload format: the encrypted payload file delivered by the Silver Fox RustSL loader followed this structure: If additional payload encoding was selected in the builder, the loader would decode the data before proceeding with decryption. The rsl_encrypted_pa…”
T1204.002 Malicious File
73%
“…3d2. abcdoor.pyd files: 13669b8f2bd0af53a3fe9ac0490499e5, 5b998a5bc5ad1c550564294034d4a62c, c50c980d3f4b7ed970f083b0d37a6a6a, de8f0008b15f2404f721f76fac34456a, 9bf9f635019494c4b70fb0a7c0fb53e4, a543b96b0938de798dd4f683dd92a94a, fa08b243f12e31940b8b4b82d3498804. Silver Fox uses the new …”
T1219 Remote Access Tools
68%
“…a bug in the code. The primary characteristic of this backdoor is the absence of typical remote control features, such as creating a remote shell or executing arbitrary commands. Instead, it implements two alternative methods for manipulating the infected device: - emulating a d…”
T1053.005 Scheduled Task
66%
“…functionality is significantly limited on Windows; rather than changing the process name itself, it creates a named object in the format python(<pid>):<proctitle>. For example, for the appclient module, this object would appear as follows: We believe the use of setproc…”
T1055.001 Dynamic-link Library Injection
65%
“…exe, a statically linked, legitimate audio/video tool that the backdoor uses for screen capturing. Once downloaded, the DLL module extracts the archive using COM methods and runs the following command to execute update.bat: The update.bat script copies the extracted files to…”
T1056.001 Keylogging
64%
“…Task Scheduler: the malware executes a command that creates a task named “appclient” that runs every minute. The backdoor is built on the asyncio and socket.io Python libraries. It communicates with its C2 via HTTPS and uses event handlers to process messages asynchronously. T…”
T1204.002 Malicious File
61%
“…bb) (related material.exe) - november statement.zip (MD5: b500e0a8c87dffe6f20c6e067b51afbf) (billreceipt.exe) - december statement.zip (MD5: 814032eec3bc31643f8faa4234d0e049) (statement.exe) - december statement.zip (MD5: 90257aa1e7c9118055c09d4a978d4bee) …”
T1027 Obfuscated Files or Information
61%
“…mac.rs, rc4.rs, and uuid.rs in the decrypt directory). It utilized a similar payload structure where the first 32 bytes consist of a SHA-256 hash and the payload size. To decrypt the malicious payload, steganography.rs employed a custom XOR-based algorithm. Below is an e…”
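The two payload-format snippets above (the RustSL loader container with its hash-plus-size header, and the steganography.rs variant that uses the same header but an XOR-based body cipher) describe a verify-then-decrypt container. The following is an added example written for this page, not the loader's or Kaspersky's code: it builds and parses a container under an assumed layout (32-byte SHA-256 of the plaintext, 4-byte little-endian size, then the body encrypted with RC4, which the page names via rc4.rs, or with a rolling XOR stand-in for the unspecified custom scheme) and an optional outer base64 layer standing in for the builder's "additional payload encoding". The header widths, key handling and base64 choice are assumptions.

```python
"""Build and parse a verify-then-decrypt payload container (added example).

Assumed layout, not taken from the page:
    sha256(plaintext) [32 bytes] || u32 LE plaintext size || cipher(body)
Optional outer base64 layer models the builder's "additional encoding".
"""
from __future__ import annotations

import base64
import hashlib
import struct

HEADER = struct.Struct("<32sI")  # assumed: sha256 digest, then u32 LE size


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypt and decrypt are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Rolling multi-byte XOR; a stand-in for the page's unspecified custom XOR scheme."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


CIPHERS = {"rc4": rc4, "xor": xor_cipher}


def build_container(plaintext: bytes, key: bytes, *, cipher: str = "rc4",
                    encode: bool = False) -> bytes:
    """Builder side (constructed here only to produce test input)."""
    header = HEADER.pack(hashlib.sha256(plaintext).digest(), len(plaintext))
    blob = header + CIPHERS[cipher](key, plaintext)
    return base64.b64encode(blob) if encode else blob


def parse_container(blob: bytes, key: bytes, *, cipher: str = "rc4",
                    encoded: bool = False) -> bytes:
    """Loader side: strip optional encoding, check size, decrypt, verify digest.

    Raises ValueError on any inconsistency so a wrong key or a corrupted
    download never yields garbage that gets executed.
    """
    if encoded:
        blob = base64.b64decode(blob, validate=True)
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    digest, size = HEADER.unpack_from(blob)
    body = blob[HEADER.size:]
    if len(body) != size:
        raise ValueError(f"size field {size} != body length {len(body)}")
    plaintext = CIPHERS[cipher](key, body)
    if hashlib.sha256(plaintext).digest() != digest:
        raise ValueError("SHA-256 mismatch: wrong key or corrupted payload")
    return plaintext


if __name__ == "__main__":
    # Constructed sample: a fake PE-ish blob encrypted with a short key.
    sample = b"MZ\x90\x00" + bytes(range(64))
    packed = build_container(sample, b"k3y", encode=True)
    assert parse_container(packed, b"k3y", encoded=True) == sample
    print("container round-trip ok")
```

When triaging a real sample, the useful output of a parser like this is the failure mode: a size mismatch points at an extra encoding layer still in place, while a digest mismatch with a consistent size points at the wrong key or cipher.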
T1059.001 PowerShell
60%
“…a10350c) or review the file.exe (MD5: 043e457726f1bbb6046cb0c9869dbd7d), which differed only in their icons. When executed, the SFX archive ran the following script: This script launched run_direct.ps1, a PowerShell script contained within the archive. The run_direct…”
T1204.002 Malicious File
46%
“…Indonesia, South Africa, and Cambodia. The most recent versions of RustSL have also added Japan to this list. According to our telemetry, users in all of these countries – with the exception of Cambodia – have encountered RustSL. We observed the highest number of attacks in India…”
T1204.002 Malicious File
45%
“…This specific sample was compiled in debug mode and logged its activity to rsl_debug.log, where we identified strings corresponding to the implementation of the Phantom Persistence technique. Attack chain and payloads: during this phishing campaign, Silver Fox utilized two p…”
T1566.001 Spearphishing Attachment
45%
“…This specific sample was compiled in debug mode and logged its activity to rsl_debug.log, where we identified strings corresponding to the implementation of the Phantom Persistence technique. Attack chain and payloads: during this phishing campaign, Silver Fox utilized two p…”
T1140 Deobfuscate/Decode Files or Information
42%
“…deb72cfcb2b2da983b3bb, b500e0a8c87dffe6f20c6e067b51afbf, 90257aa1e7c9118055c09d4a978d4bee, f8371097121549feb21e3bcc2eeea522, 814032eec3bc31643f8faa4234d0e049. run.deobfuscated.obf.js: b53e3cc11947e5645dfbb19934b69833. run_direct.ps1: 0c3b60ffc4ea9ccce744bfa03b1a3556. Silver Fox Ru…”
T1204.002 Malicious File
38%
“…//cbdt.rar (translates from Chinese as “Indian mailbox”). Both versions of the campaign attempt to exploit the perceived importance of tax authority correspondence to convince the victim to download the document and initiate the attack chain. The method of using download …”
T1547.001 Registry Run Keys / Startup Folder
38%
“…functionality is significantly limited on Windows; rather than changing the process name itself, it creates a named object in the format python(<pid>):<proctitle>. For example, for the appclient module, this object would appear as follows: We believe the use of setproc…”
T1204.002 Malicious File
32%
“…rs written in C++ and Go: - C++ stager: the file gst suvidha.exe (MD5: 04194f8ddd0518fd8005f0e87ae96335) downloaded a loader (MD5: f15a67899cfe4decff76d4cd1677c254) from hxxps://mcagov[.]cc/download.php?type=exe. This loader then downloaded the ABCDoor …”
T1204.002 Malicious File
31%
“…g and refine the malware’s performance. Additionally, ABCDoor features self-update and self-deletion capabilities that generate detectable artifacts. Updates are downloaded from a specific URI to %temp%\tmpxxxxxxxx\update.zip (where xxxxxxxx represents random alpha…”
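Several snippets on this page describe host and network artifacts that are cheap to hunt for: the ABCDoor and loader C2 domains, the download.php?type=exe stager URI on mcagov[.]cc, the “appclient” task that runs every minute, the python(<pid>):<proctitle> named object left by setproctitle, and the %temp%\tmpxxxxxxxx\update.zip self-update drop path. The block below is an added example, not Kaspersky's or the malware's code: it turns those page-stated indicators into matching rules and runs them over a handful of constructed telemetry records. The assumption that the task is registered with schtasks.exe (the page only gives the task name and interval) and the sample event shapes are the example's own.

```python
"""Hunt for the ABCDoor artifacts named on this page (added example).

Indicators come from the page; the event records and the schtasks.exe
assumption are constructed for the example.
"""
from __future__ import annotations

import re
from typing import Iterable


def refang(ioc: str) -> str:
    """Turn the page's defanged notation ([.] and hxxp) back into matchable text."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


ABCDOOR_C2 = {refang(d) for d in (
    "abc.3mkorealtd[.]com", "abc.sudsmama[.]com", "abc.woopami[.]com",
    "abc.ilptour[.]com", "abc.petitechanson[.]com", "abc.doublemobile[.]com",
)}
LOADER_C2 = {refang(d) for d in ("mcagov[.]cc", "roldco[.]com")}
RAT_C2 = {refang("vnc.kcii2[.]com")}

STAGER_URI = re.compile(r"/download\.php\?type=exe$", re.I)
# %temp%\tmp<8 random alphanumerics>\update.zip
UPDATE_ZIP = re.compile(r"\\temp\\tmp[a-z0-9]{8}\\update\.zip$", re.I)
# setproctitle on Windows: named object "python(<pid>):<proctitle>"
PROCTITLE_OBJ = re.compile(r"^python\(\d+\):")


def is_appclient_task(cmdline: str) -> bool:
    """Assumed creation via schtasks: task 'appclient' on a 1-minute schedule."""
    c = cmdline.lower()
    if "schtasks" not in c or "/create" not in c:
        return False
    if re.search(r'/tn\s+"?appclient"?', c) is None:
        return False
    if re.search(r"/sc\s+minute\b", c) is None:
        return False
    mo = re.search(r"/mo\s+(\d+)", c)  # /mo defaults to 1 when absent
    return mo is None or mo.group(1) == "1"


def match_event(ev: dict) -> list[str]:
    """Return the names of every rule the event trips (empty list if benign)."""
    hits: list[str] = []
    host = ev.get("host", "").lower()
    if host in ABCDOOR_C2:
        hits.append("abcdoor-c2")
    if host in LOADER_C2:
        hits.append("loader-c2")
    if host in RAT_C2:
        hits.append("rat-c2")
    if host in LOADER_C2 and STAGER_URI.search(ev.get("uri", "")):
        hits.append("stager-download")
    if ev.get("type") == "process" and is_appclient_task(ev.get("cmdline", "")):
        hits.append("appclient-task")
    if ev.get("type") == "file" and UPDATE_ZIP.search(ev.get("path", "")):
        hits.append("update-zip")
    if ev.get("type") == "object" and PROCTITLE_OBJ.match(ev.get("name", "")):
        hits.append("proctitle-object")
    return hits


def scan(events: Iterable[dict]) -> list[tuple[str, dict]]:
    """Flatten (rule, event) pairs in telemetry order."""
    return [(rule, ev) for ev in events for rule in match_event(ev)]


# Constructed telemetry; not from the page.
SAMPLE_EVENTS = [
    {"type": "dns", "host": "abc.sudsmama.com"},
    {"type": "http", "host": "mcagov.cc", "uri": "/download.php?type=exe"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": 'schtasks /create /tn appclient /sc minute /mo 1 /tr "C:\\Users\\u\\appclient\\pythonw.exe"'},
    {"type": "file", "path": r"C:\Users\u\AppData\Local\Temp\tmpa8f3k2q9\update.zip"},
    {"type": "object", "name": "python(4120):appclient"},
    {"type": "dns", "host": "www.example.com"},                      # benign
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": "schtasks /create /tn backup /sc daily /tr backup.cmd"},  # benign
]

if __name__ == "__main__":
    for rule, ev in scan(SAMPLE_EVENTS):
        print(f"{rule:18} {ev}")
```

The named-object and update.zip rules are the ones worth keeping after the domains rotate: the task name, the one-minute interval and the setproctitle artifact are properties of the implant's design rather than of one campaign's infrastructure.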
T1219.002 Remote Desktop Software
31%
“…a bug in the code. The primary characteristic of this backdoor is the absence of typical remote control features, such as creating a remote shell or executing arbitrary commands. Instead, it implements two alternative methods for manipulating the infected device: - emulating a d…”
T1053.005 Scheduled Task
30%
“…Task Scheduler: the malware executes a command that creates a task named “appclient” that runs every minute. The backdoor is built on the asyncio and socket.io Python libraries. It communicates with its C2 via HTTPS and uses event handlers to process messages asynchronously. T…”