Fake income tax emails target Indians: Kaspersky warns of ‘SilverFox’ hacker attack

In December 2025, Kaspersky, a cyber security company, detected a wave of malicious emails which very closely resembled official emails from the Income Tax Department of India. A few weeks later, in January 2026, a similar campaign began targeting Russian organisations. After that the same campaign was launched in Indonesia.

Kaspersky says that these malicious emails are part of an ‘APT’ (Advanced Persistent Threat) campaign that disguises malicious files as documents related to tax violations. Upon infection, attackers could gain remote access to affected devices and exfiltrate sensitive data.

Kaspersky says it has attributed this activity to the Silver Fox threat group because both waves of the email campaign followed a nearly identical structure: the phishing emails were styled as official notices regarding tax audits or prompted users to download an archive containing a “list of tax violations”.

Downloading this archive delivers a modified Rust-based loader pulled from a public repository. The loader then downloads and executes the well-known ValleyRAT backdoor.

During Kaspersky’s investigation, they also discovered that the attackers were delivering a new ValleyRAT plugin to victim devices, which functioned as a loader for a previously undocumented Python-based backdoor. They have named this backdoor ABCDoor.

Retrospective analysis by Kaspersky reveals that ABCDoor has been part of the Silver Fox arsenal since at least late 2024 and has been used in real-world attacks from the first quarter of 2025 to date.

Image: the phishing email, which closely resembles official Income Tax Department communication.

How did this affect Indians?

According to the press release dated May 5, 2026, Kaspersky Global Research & Analysis Team (GReAT) analyzed several new waves of cyberattacks conducted by the SilverFox group, observed since December 2025. The campaign targeted companies in India, Indonesia, South Africa and Russia across industrial, consulting, trade and transportation sectors.

The phishing emails were crafted to appear as official tax audit notifications or to prompt recipients to download an archive purportedly containing a “list of tax violations.” By leveraging the perceived authority and urgency of communications from tax agencies, the threat actor aimed to persuade victims to download the file and trigger the attack chain. Between January and February alone, more than 1,600 malicious emails were recorded.

Image: phishing email distributed to victims in India.

According to Kaspersky, the threat actor expanded its toolkit by deploying a new Python-based backdoor, dubbed ABCDoor, via the previously known ValleyRAT backdoor used in earlier attacks. ABCDoor was present in the APT arsenal from the end of 2024 and was used in attacks throughout 2025.

Kaspersky says ABCDoor enables attackers to upload and download files and to remotely control infected systems by streaming multiple victim screens simultaneously in near real time and accessing the clipboard; the backdoor can also update itself.

In addition, a modified and previously undocumented version of RustSL was used to deliver ValleyRAT, first deployed by the threat actor in late December 2025.

Anton Kargin, senior security researcher at Kaspersky GReAT, says that social engineering played a key role in this campaign. The group exploited users’ tendency to trust communications from official agencies, such as tax authorities. At the same time, SilverFox employed a multi-stage delivery approach for the primary malicious payload and utilized multiple email addresses and domains.

Kargin says: “This increases the overall risk posed by such attacks, as it helps minimize the likelihood of detection and disruption across the attack chain.”

Previously, SilverFox targeted enterprises in Asia in sectors including telecommunications, energy, logistics and finance.

Here’s what to do

To stay safe, follow these precautionary measures:

  • Regularly improve your level of digital literacy. This can be achieved through specialized courses or training programs.
  • Use a solution that can automatically block suspicious emails, scan password-protected archives and apply CDR (Content Disarm and Reconstruction) technology.
  • Provide cybersecurity specialists with access to cyber threat intelligence, so that you can stay informed about the latest attacker techniques, tactics and procedures.
  • Protect infrastructure against a wide range of threats by using solutions from cyber security companies that provide real-time protection, threat visibility, investigation and advanced response capabilities.
