Mallory

Silver Fox Phishing Campaign Delivers ValleyRAT and New ABCDoor Backdoor

Tags: phishing-campaign-intelligence, remote-access-implant, state-sponsored-espionage, loader-delivery-mechanism, persistence-method
Updated May 5, 2026 at 05:06 PM (3 sources)


The China-linked threat group Silver Fox ran a phishing campaign that impersonated tax authorities in India and Russia to infect organizations with ValleyRAT and a newly documented Python backdoor, ABCDoor. Researchers said the activity began with fake tax notices sent as PDF attachments that directed victims to download a malicious archive. That archive contained a modified Rust-based loader, RustSL, which used geofencing, environment checks, stealth features, and persistence mechanisms before deploying ValleyRAT and then ABCDoor. More than 1,600 malicious emails were observed between early January and early February 2026, with victims spanning the industrial, consulting, retail, and transportation sectors.

Analysis tied ABCDoor to Silver Fox's toolkit since at least late 2024, with confirmed operational use starting in early 2025. On infected Windows systems, the backdoor established persistence through a Run registry key and a scheduled task named AppClient, concealed its files under C:\ProgramData\Tailscale (the state directory the legitimate Tailscale client also uses, which makes the path look expected), and ran under pythonw.exe, the console-less Python interpreter, alongside ffmpeg.exe so that its processes resembled ordinary software. Its capabilities cover surveillance, remote interaction, module execution, command-and-control communication, and data exfiltration. Researchers also identified a new ValleyRAT plugin that acts as a loader for ABCDoor, showing the group extending a malware chain built for covert access and follow-on control.
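The persistence and masquerading artifacts above translate directly into host-telemetry hunts. The following is an added example for this page, not code from Kaspersky, the other reporting cited here, or Silver Fox's own tooling: it scans Sysmon-style event records for the Run key entry, the AppClient scheduled task, writes into C:\ProgramData\Tailscale, and pythonw.exe or ffmpeg.exe executing from that directory. The records are constructed for the example, the field names assume Sysmon's schema (Event ID 1 process creation, 11 file creation, 13 registry value set), and the command lines and file names in them are illustrative rather than observed indicators.

```python
"""Hunt for ABCDoor persistence and masquerading artifacts in Sysmon-style events.

Added example for this page; not Silver Fox, Kaspersky or vendor code. Assumed
Sysmon field names: EventID 1 ProcessCreate (Image, CommandLine), 11 FileCreate
(Image, TargetFilename), 13 RegistryValueSet (TargetObject, Details).
"""
import re

STAGING_DIR = r"c:\programdata\tailscale"      # staging directory from the report
TASK_NAME = "appclient"                         # scheduled task name from the report
PROXY_BINARIES = {"pythonw.exe", "ffmpeg.exe"}  # legitimate binaries the backdoor hides behind
# The real Tailscale client keeps state in the same directory, written by tailscaled.exe.
# Assumption: writers named tailscale* are benign; in production pair this with a
# signer check, because a file name is trivially spoofed by a dropper.
BENIGN_WRITERS = ("tailscale",)

RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)
# A task registered through the Task Scheduler API never spawns schtasks.exe, but
# Windows still records it under HKLM\...\Schedule\TaskCache\Tree\<name>.
TASK_CACHE_RE = re.compile(r"\\schedule\\taskcache\\tree\\" + TASK_NAME + r"(\\|$)", re.I)
SCHTASKS_TN_RE = re.compile(r'/tn\s+"?' + TASK_NAME + r'"?(\s|$)', re.I)


def _norm(path):
    """Lower-case and strip surrounding quotes; Windows paths are case-insensitive."""
    return (path or "").strip('"').lower()


def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule, evidence) pairs for every event that matches an artifact."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 13:  # registry value written
            target = ev.get("TargetObject", "")
            details = _norm(ev.get("Details"))
            if RUN_KEY_RE.search(target) and (
                STAGING_DIR in details or any(b in details for b in PROXY_BINARIES)
            ):
                findings.append(("run_key_persistence", target))
            elif TASK_CACHE_RE.search(target):
                findings.append(("scheduled_task_persistence", target))
        elif eid == 1:  # process created
            image = _norm(ev.get("Image"))
            cmd = _norm(ev.get("CommandLine"))
            exe = _basename(image)
            if exe == "schtasks.exe" and "/create" in cmd and SCHTASKS_TN_RE.search(cmd):
                findings.append(("scheduled_task_persistence", ev.get("CommandLine")))
            if exe in PROXY_BINARIES and (image.startswith(STAGING_DIR + "\\") or STAGING_DIR in cmd):
                findings.append(("proxy_binary_in_staging_dir", ev.get("Image")))
        elif eid == 11:  # file created
            fname = _norm(ev.get("TargetFilename"))
            writer = _basename(ev.get("Image"))
            if fname.startswith(STAGING_DIR + "\\") and not writer.startswith(BENIGN_WRITERS):
                findings.append(("staging_dir_write", ev.get("TargetFilename")))
    return findings


# Constructed telemetry: three benign records interleaved with five suspicious ones.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\Tailscale\tailscaled.exe",          # benign
     "TargetFilename": r"C:\ProgramData\Tailscale\server-state.conf"},
    {"EventID": 11, "Image": r"C:\Users\victim\AppData\Local\Temp\setup.exe",       # dropper
     "TargetFilename": r"C:\ProgramData\Tailscale\client.py"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Tailscale",
     "Details": r'"C:\ProgramData\Tailscale\pythonw.exe" "C:\ProgramData\Tailscale\client.py"'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Users\victim\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},  # benign
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc onlogon /tn AppClient /tr "C:\ProgramData\Tailscale\ffmpeg.exe"'},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\AppClient\Id",
     "Details": "{00000000-0000-0000-0000-000000000001}"},
    {"EventID": 1, "Image": r"C:\ProgramData\Tailscale\pythonw.exe",
     "CommandLine": r'"C:\ProgramData\Tailscale\pythonw.exe" client.py'},
    {"EventID": 1, "Image": r"C:\Python312\pythonw.exe",                             # benign
     "CommandLine": r'"C:\Python312\pythonw.exe" C:\dev\tool.py'},
]

if __name__ == "__main__":
    for rule, evidence in detect(SAMPLE_EVENTS):
        print(f"{rule:30} {evidence}")
```

Two of the checks deserve tuning before deployment. The Run key rule fires on any value that launches pythonw.exe or ffmpeg.exe, which is rare in autoruns but not unheard of on developer machines, so scope it to interactive endpoints or add an allowlist. The file-write rule trusts the writer by image name only; a dropper called tailscale-update.exe would slip past it, so in production confirm the writer's Authenticode signer rather than its name.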

Timeline

  1. May 5, 2026

    Researchers disclose Silver Fox's new ABCDoor malware

    Security reporting published on 2026-05-05 detailed Silver Fox's use of ValleyRAT together with the newly documented ABCDoor backdoor. The reports described the malware chain, persistence methods, and use of a modified Rust-based loader in phishing attacks.

  2. May 5, 2026

    Cisco Talos publicly attributes government intrusions to UAT-8302

    On publication of its report, Cisco Talos linked the South America and southeastern Europe government targeting to the China-nexus actor UAT-8302. Talos also assessed the group likely works closely with other Chinese-speaking or China-aligned clusters because of extensive tooling overlap.

  3. Jan 1, 2026

    Silver Fox sends over 1,600 phishing emails across sectors

    Between early January and early February 2026, researchers observed more than 1,600 malicious emails tied to the Silver Fox campaign. The activity targeted organizations across multiple countries and industry sectors.

  4. Jan 1, 2026

    Silver Fox expands campaign to Russia with tax-audit lures

    In January 2026, Silver Fox repeated the phishing operation against Russian targets using tax-themed audit notices. Organizations in industrial, consulting, retail, and transportation sectors were among those affected.

  5. Dec 1, 2025

    Silver Fox launches fake Indian tax notice phishing campaign

    In December 2025, Silver Fox began sending phishing emails impersonating India's Income Tax Department to deliver malware. The infection chain used PDF lures linking to malicious archives that deployed a Rust-based loader and ultimately ValleyRAT.

  6. Jan 1, 2025

    UAT-8302 targets government agencies in southeastern Europe

    Cisco Talos also attributed 2025 intrusions against government agencies in southeastern Europe to UAT-8302. Researchers said the actor used malware shared across China-aligned clusters, including NetDraft, CloudSorcerer, SNOWLIGHT, SNOWRUST, Deed RAT, Zingdoor, and Draculoader.

  7. Dec 19, 2024

    ABCDoor backdoor active in Silver Fox toolkit by late 2024

    Kaspersky assessed that the Python-based ABCDoor backdoor had been part of Silver Fox's arsenal since at least 2024-12-19, that is, since late 2024, well before the phishing campaigns against Indian and Russian targets.

  8. Dec 1, 2024

    UAT-8302 begins targeting South American government entities

    Cisco Talos said the China-nexus cluster UAT-8302 has targeted government entities in South America since late 2024. The campaign involved post-exploitation activity using shared China-aligned tooling including NetDraft and other malware families.


Related Stories

SilverFox Expands ValleyRAT and Gh0stRAT Campaigns Against Chinese-Speaking Targets

Breakglass Intelligence linked multiple March and April malware waves to the **SilverFox** threat actor, describing a broad Chinese-language campaign built around **ValleyRAT** on the `Winos4.0` framework and supported by **Gh0stRAT** and **RustyStealer**. The operation used emotionally charged lures tied to layoffs, disciplinary notices, scam-compound violence, banking fraud, censorship-bypass tools, fake utilities, and business apps, with delivery through WinRAR self-extracting archives, MSI and ZIP packages, DLL sideloading, process hollowing, and staged downloads. One ValleyRAT chain disguised itself as a WeChat-related document, extracted files into `C:\WeChat\`, launched a legitimate WeChat binary as a decoy, and then decrypted and injected the payload while applying Chinese-locale geofencing, anti-VM, and anti-debug checks. Researchers said the malware families provided complementary functions including remote access, keylogging, screenshot capture, clipboard hijacking, credential theft, and persistence, and that targeting extended from mainland Chinese users to diaspora communities, Taiwanese organizations, and some healthcare entities in North America. The infrastructure behind the campaign scaled rapidly, with reporting tying the activity to **22 to 75 command-and-control endpoints** and more than 17 domains across Alibaba Cloud, Tencent Cloud, AWS Hong Kong, Vultr, Azure, Huawei Cloud, and other providers, with Hong Kong serving as a major hub. Analysts connected the clusters through shared protocol behavior, mutexes, ValleyRAT DLL exports, recurring registrar patterns, use of the `codemark` builder variant, and repeated OPSEC failures including exposed RDP services, self-signed certificates, Python SimpleHTTP payload hosting, a Windows host identified as `TEDDY2012`, and domain registration details that appeared to expose operator identity. 
Separate reporting also described a related **Gh0stRAT/Farfli** "WisemanSupport" campaign using TCP/6658 and hardcoded infrastructure, reinforcing the continued use of Chinese-nexus RAT tooling and overlapping tradecraft in active intrusion operations.

1 week ago
Silver Fox Phishing Campaign Targets Indian Organizations With ValleyRAT

The Chinese threat actor known as **Silver Fox** has launched a targeted phishing campaign against Indian organizations, using income tax-themed emails to deliver the modular remote access trojan **ValleyRAT**. Attackers impersonate the Indian Income Tax Department, sending emails with decoy PDF attachments that, when opened, direct victims to a malicious website hosting a ZIP archive. This archive contains a disguised installer that leverages DLL hijacking, specifically abusing a legitimate executable (`thunder.exe`) and a malicious DLL (`libexpat.dll`), to establish persistent access and evade detection. The campaign demonstrates a sophisticated multi-stage infection chain, with the initial payload acting as a loader for subsequent malware modules designed to maintain deep access to compromised systems. Researchers from CloudSEK have attributed this campaign to Silver Fox, correcting previous misattributions to other threat groups. The group, also known as SwimSnake and Void Arachne, has expanded its targeting beyond Chinese-speaking entities to include Indian public, financial, medical, and technology sectors. The use of socially engineered tax documents and trusted file formats highlights the attackers' ability to bypass traditional security controls, while the complex kill chain and modular malware architecture underscore the evolving threat posed by Silver Fox to Indian organizations.

1 month ago
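The DLL hijack in the Indian campaign summarized above (a legitimate thunder.exe loading a malicious libexpat.dll dropped beside it) is the classic sideloading pattern, and it is visible in image-load telemetry. The block below is an added example for this page, not CloudSEK's or the campaign's own code: it flags a Sysmon ImageLoad record (Event ID 7) when the host executable runs from a user-writable directory and loads a DLL from that same directory that is unsigned or carries an invalid signature. The records are constructed, and the paths and signer states in them are illustrative.

```python
"""Flag DLL sideloading in Sysmon ImageLoad (Event ID 7) records.

Added example for this page, not CloudSEK's or Silver Fox's code. Assumed
Sysmon field names: Image (host process), ImageLoaded (DLL), Signed ("true"/"false"),
SignatureStatus ("Valid" when the Authenticode chain verifies).
"""

# Directories that need administrative rights to write into; a DLL beside an
# executable there is taken to be the vendor's (assumption for this example).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _split(path):
    """Return (directory, filename), lower-cased; Windows paths are case-insensitive."""
    directory, _, name = (path or "").strip('"').lower().rpartition("\\")
    return directory, name


def sideload_reason(ev):
    """Return a reason string when the record looks like sideloading, else None."""
    proc_dir, proc_exe = _split(ev.get("Image"))
    dll_dir, dll_name = _split(ev.get("ImageLoaded"))
    if not dll_name.endswith(".dll") or dll_dir != proc_dir:
        return None  # not loaded from the host's own directory
    if (dll_dir + "\\").startswith(TRUSTED_ROOTS):
        return None  # vendor-installed copy in a protected directory
    signed = str(ev.get("Signed", "")).lower() == "true"
    valid = str(ev.get("SignatureStatus", "")).lower() == "valid"
    if signed and valid:
        return None
    return f"{proc_exe} loaded unsigned {dll_name} from {dll_dir}"


def scan(events):
    """Run sideload_reason over every ImageLoad record, ignoring other event types."""
    return [r for r in (sideload_reason(e) for e in events if e.get("EventID") == 7) if r]


# Constructed telemetry: the hijack, a legitimate install, a system DLL load, and a non-7 event.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\ITR-Notice\thunder.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\ITR-Notice\libexpat.dll",
     "Signed": "false", "SignatureStatus": "Unavailable"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Thunder\thunder.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Thunder\libexpat.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\ITR-Notice\thunder.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "SignatureStatus": "Valid"},
    {"EventID": 1, "Image": r"C:\Users\victim\Downloads\ITR-Notice\thunder.exe"},
]

if __name__ == "__main__":
    for reason in scan(SAMPLE_EVENTS):
        print(reason)
```

The signature test is what keeps this rule quiet on portable applications that ship their own DLLs; it will miss a sideload where the attacker brought a DLL signed with a valid but unrelated certificate, so a stronger variant compares the DLL's signer with the host executable's signer rather than only checking that a signature exists.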
ValleyRAT Malware Campaigns Targeting Chinese Organizations and Job Seekers

Threat actors have launched multiple campaigns distributing the ValleyRAT remote access trojan (RAT), targeting both organizations in China and job seekers. In one campaign, the group known as Silver Fox used search engine optimization (SEO) poisoning and fake Microsoft Teams installers to lure Chinese-speaking users, including those in Western companies operating in China, into downloading a trojanized setup file. The installer, disguised with Russian linguistic elements to mislead attribution, deploys ValleyRAT, which enables remote control, data exfiltration, and persistent access to infected systems. The malware loader checks for security software like 360 Total Security and manipulates Microsoft Defender exclusions to evade detection. A separate ValleyRAT campaign has been observed targeting job seekers via malicious emails that leverage a weaponized Foxit PDF Reader for DLL side-loading. This campaign uses social engineering to trick users into executing the malware, which then allows attackers to monitor activity, steal sensitive data, and potentially compromise HR professionals as well. Both campaigns demonstrate a high level of sophistication, utilizing layered obfuscation, dynamic execution techniques, and strategic targeting to maximize infection rates and evade security controls. Security vendors have updated detection and hunting capabilities to address these threats, emphasizing the need for vigilance among organizations and individuals alike.

1 month ago
