
Imagine you receive a letter that looks exactly like it came from your bank — same logo, same official tone, same format. But it's actually written by a fraudster trying to steal your money. That's phishing, except it happens over email.
In the SilverFox campaign, cybercriminals sent emails designed to look like official notices from India's Income Tax Department. The emails told recipients they had "tax violations" and asked them to download a file to review the details. But that file wasn't a tax document — it was malware, software built to spy on you, steal your passwords, and hand control of your computer to hackers sitting somewhere else entirely.
You didn't need to be careless to fall for it. The emails were deliberately crafted to look convincing, and they exploited one of the oldest tricks in the book: fear of the taxman.
Introduction
In December 2025, an email landed in a mid-sized Indian logistics company's inbox. An employee received what appeared to be a formal notice from the Income Tax Department, complete with official-looking branding and an urgent tone — warning of pending "tax violations." The employee downloaded the attached archive. Within minutes, the company's endpoint was silently compromised, credentials were being harvested, and an attacker thousands of kilometres away was watching the victim's screen in near real time.
This was not an isolated incident. Kaspersky's Global Research and Analysis Team (GReAT) has now confirmed this attack as part of a coordinated Advanced Persistent Threat (APT) campaign attributed to the SilverFox threat group. Between January and February 2026 alone, over 1,600 malicious emails were recorded targeting companies across India, Indonesia, South Africa, and Russia. The affected sectors span industrial operations, consulting, trade, and transportation — organisations that handle sensitive financial, operational, and client data at scale.
This post breaks down exactly how the SilverFox campaign works, what malware it deploys, how security teams can detect it, and what practical defences should be implemented now.
How the SilverFox Phishing Attack Chain Works
SilverFox's effectiveness stems not from technical brute force but from a methodical exploitation of human trust. The group understood a simple truth: an employee who genuinely fears an income tax violation doesn't stop to question the sender's domain.
Stage 1 — The Lure (MITRE ATT&CK: T1566.001 — Spearphishing Attachment)
Phishing emails were crafted to closely mimic official communications from India's Income Tax Department. The emails carried subject lines framing the content as urgent tax audit notices. Recipients were prompted to download a compressed archive purportedly containing their "list of tax violations."
The social engineering here was precise. By invoking a government authority with the power to audit and penalise, the attackers manufactured immediate psychological urgency — bypassing the critical thinking that might otherwise stop a recipient from opening an unknown file. This technique maps directly to MITRE ATT&CK T1566 (Phishing) and leverages the principle of authority, one of the six core influence levers identified in social engineering research.
Stage 2 — The Loader (MITRE ATT&CK: T1574 — Hijack Execution Flow)
Once the archive was opened and the file executed, a modified, previously undocumented version of RustSL — a Rust-based loader — was triggered. It pulled its payload from a public repository, making it harder for traditional signature-based antivirus tools to flag. This is a deliberate evasion tactic: hosting malicious payloads on legitimate-looking public infrastructure (such as code repositories) reduces the chance of domain-level blacklisting.
The loader's job was straightforward — download and execute the next stage of the attack without drawing attention.
Stage 3 — ValleyRAT Deployment (MITRE ATT&CK: T1055 — Process Injection)
The loader delivered ValleyRAT, a well-documented Remote Access Trojan previously associated with SilverFox operations targeting Asian enterprises in telecommunications, energy, and finance. ValleyRAT establishes persistence, enables command-and-control (C2) communication, and acts as a staging ground for further payload delivery.
Stage 4 — ABCDoor Backdoor (MITRE ATT&CK: T1059.006 — Python)
The most significant new development in this campaign is the deployment of ABCDoor, a newly documented Python-based backdoor introduced via ValleyRAT. Kaspersky confirms ABCDoor has been part of SilverFox's arsenal since at least late 2024 and has been used in active attacks throughout 2025.
ABCDoor's capabilities include:
- Uploading and downloading files to and from the infected system
- Streaming multiple victim screens simultaneously in near real time
- Accessing and exfiltrating clipboard contents
- Self-updating to evade detection as signatures evolve
Important: ABCDoor's screen-streaming capability means attackers can observe employee activity in real time — including MFA codes, email content, and financial transactions — without the victim having any indication of surveillance.
The Multi-Stage Delivery Architecture: Why It's Hard to Stop
SilverFox did not rely on a single payload or a single email address. The group deliberately used multiple email addresses and multiple domains throughout the campaign. This is not accidental — it is a calculated operational security strategy.
| Attack Stage | Method Used | Detection Difficulty |
|---|---|---|
| Initial delivery | Spearphishing email (T1566.001) | Medium — email gateways may catch known domains |
| Loader execution | Modified RustSL from public repository | High — legitimate infrastructure, no blacklist match |
| RAT deployment | ValleyRAT via process injection (T1055) | High — lives in memory, limited disk footprint |
| Backdoor install | ABCDoor (Python-based, self-updating) | Very High — polymorphic updates defeat signature detection |
| Persistence | Multi-domain C2 rotation | Very High — no single IP to block |
According to Kaspersky senior security researcher Anton Kargin, the multi-stage approach "helps minimize the likelihood of detection and disruption across the attack chain." In practice, this means that even if one part of the chain is flagged by security tools, the campaign continues via alternate infrastructure.
Pro Tip: A detection strategy that relies solely on IOC (Indicator of Compromise) blocking — IP blacklists, domain filters — will fail against this architecture. Behavioural detection, focusing on what the malware does rather than what it is, is significantly more effective here.
Who Is SilverFox and What Are They After?
SilverFox is a sophisticated APT group with a demonstrated history of targeting enterprises in Asia across sectors where sensitive data and financial systems converge: telecommunications, energy, logistics, and finance.
The December 2025 – May 2026 campaign marks a notable geographic expansion. Beginning in India, the campaign extended to Russia in January 2026, then Indonesia, and subsequently South Africa. The multi-country, multi-sector targeting pattern is consistent with nation-state-affiliated or commercially motivated threat actors pursuing intelligence collection or data theft for financial gain.
The industries targeted in India — industrial operations, consulting, trade, and transportation — are particularly valuable from an intelligence standpoint. They hold supply chain data, client financial records, internal pricing, and in some cases connections to government contracts.
Why India Was the Starting Point
India represents an attractive target for several reasons that security practitioners should understand clearly. The country's digital transformation has significantly expanded enterprise attack surfaces. Many mid-sized companies in the targeted sectors have invested in digital tooling but lag on security maturity. Additionally, the filing-season rhythm of income tax compliance creates a recurring, predictable window in which tax-related communications feel routine and urgent — exactly the conditions a sophisticated attacker exploits.
Detection, Response, and Defence Framework
Understanding how to detect and contain this attack requires thinking across the full kill chain, not just endpoint protection.
Detection Methods by Attack Stage
| Attack Phase | Detection Method | Framework Reference |
|---|---|---|
| Phishing email delivery | Email gateway analysis, SPF/DKIM/DMARC validation | CIS Control 9, NIST CSF DE.CM-7 |
| Malicious archive execution | Endpoint behavioural analysis, sandboxing | MITRE ATT&CK T1566.001 |
| RustSL loader activity | Process creation monitoring, unsigned binary alerts | CIS Control 10 |
| ValleyRAT C2 communication | DNS anomaly detection, outbound traffic analysis | NIST CSF DE.AE-3 |
| ABCDoor screen streaming | Unusual network egress volume, UEBA tools | ISO 27001 A.12.4 |
Immediate Defensive Actions
For security teams responding to or preparing for SilverFox-style attacks, the following controls are directly relevant:
- Email authentication: Enforce DMARC, DKIM, and SPF across all domains. Impersonation of government agencies depends on email systems that fail to validate sender identity.
- Attachment sandboxing: Compressed archives (.zip, .rar) arriving from external senders should be detonated in an isolated sandbox before delivery to end users.
- Endpoint Detection and Response (EDR): Signature-based antivirus alone will not catch a self-updating Python backdoor. Behavioural EDR is non-negotiable.
- User awareness training: Employees in finance, HR, and administrative roles — those most likely to receive tax-related communication — need specific training on government impersonation attacks. Generic phishing awareness is insufficient.
- Network segmentation: Lateral movement post-infection is significantly constrained in well-segmented environments. If ABCDoor lands on one workstation, it should not be able to reach financial systems or domain controllers.
Important: India's Digital Personal Data Protection Act (DPDP Act) creates legal obligations around data breach notification. An undetected ABCDoor infection that results in credential or data exfiltration may constitute a notifiable breach. Organisations operating under GDPR due to EU customer relationships face additional exposure.
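The email authentication and attachment sandboxing controls above can be expressed as a single gateway policy. The following Python script is an added example, not code from the post or from Kaspersky's tooling: it assumes the receiving MTA stamps an Authentication-Results header (RFC 8601), and it applies a hypothetical policy of quarantining any message whose From domain is on an impersonation watchlist without a dmarc=pass verdict, and routing any compressed archive from an external sender to a sandbox. The domain lists and the sample messages are constructed for illustration.

```python
"""Gateway triage for government-impersonation phishing carrying archive lures.

Added example, not code from the post or from Kaspersky. Assumptions:
  - the MTA writes an Authentication-Results header (RFC 8601)
  - policy: From domain on the impersonation watchlist without dmarc=pass -> quarantine
            compressed archive (.zip/.rar/.7z) from an external sender     -> sandbox
            everything else                                                 -> deliver
Watchlist, internal domains and all sample messages below are constructed.
"""
import re
from email import message_from_string
from email.message import Message
from email.policy import default
from email.utils import parseaddr

IMPERSONATION_WATCHLIST = {"incometax.gov.in"}      # domains that lures claim to be from
INTERNAL_DOMAINS = {"example-logistics.internal"}   # constructed tenant domain
ARCHIVE_EXTENSIONS = (".zip", ".rar", ".7z")
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)


def parse_auth_results(msg: Message) -> dict:
    """Collapse every Authentication-Results header into {method: verdict}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in AUTH_RE.findall(str(header)):
            results[method.lower()] = verdict.lower()
    return results


def sender_domain(msg: Message) -> str:
    """Domain of the From header address (what the recipient sees)."""
    return parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()


def archive_attachments(msg: Message) -> list:
    """Declared file names of parts whose extension marks a compressed archive."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and p.get_filename().lower().endswith(ARCHIVE_EXTENSIONS)]


def triage(raw: str) -> dict:
    """Apply the policy to one raw RFC 5322 message and return the decision."""
    msg = message_from_string(raw, policy=default)
    domain, auth, archives = sender_domain(msg), parse_auth_results(msg), archive_attachments(msg)
    # An absent DMARC verdict is treated like a failure: impersonation depends on
    # exactly that gap, so a watchlisted domain must positively pass.
    if domain in IMPERSONATION_WATCHLIST and auth.get("dmarc") != "pass":
        verdict, reason = "quarantine", f"From claims {domain} but dmarc={auth.get('dmarc', 'absent')}"
    elif archives and domain not in INTERNAL_DOMAINS:
        verdict, reason = "sandbox", "external archive attachment: " + ", ".join(archives)
    else:
        verdict, reason = "deliver", "no policy match"
    return {"verdict": verdict, "from_domain": domain, "auth": auth,
            "archives": archives, "reason": reason}


# Constructed lure: spoofed tax-department From, failing SPF/DMARC, zip attached.
PHISH = """\
From: "Income Tax Department" <notices@incometax.gov.in>
Subject: Urgent: list of tax violations - action required
Authentication-Results: mx.example-logistics.internal;
 spf=fail smtp.mailfrom=mailer.bulk-sender.example;
 dkim=none; dmarc=fail header.from=incometax.gov.in
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Download the attached archive to review your tax violations.
--b1
Content-Type: application/zip; name="Tax_Violations.zip"
Content-Disposition: attachment; filename="Tax_Violations.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""
# Constructed: same claimed domain, no authentication results at all.
SPOOF_NO_AUTH = "From: info@incometax.gov.in\nSubject: Notice\n\nSee the portal.\n"
# Constructed: genuine external vendor, fully authenticated, but sends an archive.
VENDOR = """\
From: "Acme Freight Billing" <billing@acme-freight.example>
Subject: March invoices (archived)
Authentication-Results: mx.example-logistics.internal; spf=pass; dkim=pass; dmarc=pass
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Invoices attached.
--b2
Content-Type: application/x-rar-compressed; name="invoices.rar"
Content-Disposition: attachment; filename="invoices.rar"
Content-Transfer-Encoding: base64

UmFyIQ==
--b2--
"""
# Constructed: authenticated external mail with no attachment.
NEWSLETTER = ("From: news@vendor.example\nSubject: Monthly update\n"
              "Authentication-Results: mx; spf=pass; dkim=pass; dmarc=pass\n\nNothing to download.\n")

if __name__ == "__main__":
    for name, raw in [("PHISH", PHISH), ("SPOOF_NO_AUTH", SPOOF_NO_AUTH),
                      ("VENDOR", VENDOR), ("NEWSLETTER", NEWSLETTER)]:
        print(name, triage(raw))
```

The order of the two checks matters: authentication is evaluated before attachment handling, so a spoofed government notice is quarantined outright rather than merely detonated, while a legitimately authenticated vendor archive still goes through the sandbox. A production gateway would additionally check DMARC alignment between the From domain and the SPF/DKIM identifiers, which this example leaves to the MTA's Authentication-Results stamp.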
Incident Response if Compromise Is Suspected
If your SOC suspects a SilverFox-related infection, follow this prioritised sequence aligned with NIST SP 800-61:
- Isolate the affected endpoint immediately — disconnect from network without powering off (preserves volatile memory for forensics)
- Identify all outbound connections from the endpoint over the previous 72 hours
- Hunt for Python interpreter processes, unusual scheduled tasks, and clipboard-monitoring activity across adjacent systems
- Preserve a memory image before any remediation — ABCDoor operates largely in memory
- Notify legal and compliance teams if any customer or employee data may have been accessed
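The detection table earlier in this section (unsigned binary alerts, process creation monitoring, unusual egress volume) and the hunt step above (outbound connections over the previous 72 hours) can be implemented over ordinary endpoint telemetry. The Python below is an added example, not code from the post or from Kaspersky; it runs against a simplified EDR-style event schema whose field names, allowlists, threshold and sample events are all assumptions constructed for illustration, and it encodes the behavioural heuristics the post names rather than any IOC.

```python
"""Behavioural detection over endpoint telemetry, plus the 72-hour egress hunt.

Added example, not code from the post or from Kaspersky. The event schema
(ts, host, pid, image, parent, signed / dest, bytes_out) is an assumption.
Rules: unsigned binary run from a user-writable path; Python interpreter
started outside its expected install directories or by a parent living in a
user-writable path; high-volume egress from a non-browser process. The hunt
lists outbound connections from one host in the previous 72 hours.
Events, paths, allowlists and the threshold are constructed tuning values.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_PYTHON_DIRS = ("c:\\program files\\python",
                        "c:\\users\\alice\\appdata\\local\\programs\\python")
USER_WRITABLE = ("\\downloads\\", "\\temp\\")
EGRESS_THRESHOLD = 50 * 1024 * 1024   # bytes per process per hourly bucket


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect_process_anomalies(proc_events):
    """Rules over process-creation events; returns (ts, host, rule, image) tuples."""
    alerts = []
    for ev in proc_events:
        image = ev["image"].lower()
        if not ev["signed"] and _user_writable(image):
            alerts.append((ev["ts"], ev["host"], "unsigned-binary-user-path", ev["image"]))
        if _basename(image).startswith("python") and (
                not image.startswith(EXPECTED_PYTHON_DIRS) or _user_writable(ev["parent"])):
            alerts.append((ev["ts"], ev["host"], "python-unexpected-launch", ev["image"]))
    return alerts


def detect_egress_anomalies(net_events):
    """Sum bytes_out per (hour, host, pid, image); flag non-browser processes over threshold."""
    totals = defaultdict(int)
    for ev in net_events:
        if _basename(ev["image"]) in BROWSERS:
            continue
        hour = ev["ts"].replace(minute=0, second=0, microsecond=0)
        totals[(hour, ev["host"], ev["pid"], ev["image"])] += ev["bytes_out"]
    return [(hour, host, "high-egress-non-browser", image, total)
            for (hour, host, _pid, image), total in totals.items()
            if total >= EGRESS_THRESHOLD]


def outbound_connections(net_events, host, now, hours=72):
    """IR hunt: outbound connections from `host` in the previous `hours`, grouped by destination."""
    since = now - timedelta(hours=hours)
    by_dest = defaultdict(lambda: {"count": 0, "bytes_out": 0, "processes": set()})
    for ev in net_events:
        if ev["host"] == host and since <= ev["ts"] <= now:
            entry = by_dest[ev["dest"]]
            entry["count"] += 1
            entry["bytes_out"] += ev["bytes_out"]
            entry["processes"].add(_basename(ev["image"]))
    return dict(by_dest)


# Constructed telemetry: an unsigned lure extracted to Downloads spawns a bundled
# interpreter from Temp, which pushes ~70 MiB to one destination within an hour.
T = datetime(2026, 1, 14, 9, 0)
REFERENCE_NOW = T + timedelta(hours=1)   # "now" for the hunt
LURE = r"C:\Users\alice\Downloads\IT_Notice\TaxNotice.exe"
PY_TEMP = r"C:\Users\alice\AppData\Local\Temp\rt\python.exe"
PROC_EVENTS = [
    {"ts": T, "host": "WS-17", "pid": 4120, "image": LURE,
     "parent": r"C:\Windows\explorer.exe", "signed": False},
    {"ts": T + timedelta(seconds=5), "host": "WS-17", "pid": 4188, "image": PY_TEMP,
     "parent": LURE, "signed": False},
    {"ts": T + timedelta(minutes=1), "host": "WS-22", "pid": 2200,
     "image": r"C:\Program Files\Python312\python.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "signed": True},   # benign developer use
]
NET_EVENTS = [
    {"ts": T + timedelta(minutes=2), "host": "WS-17", "pid": 4188, "image": PY_TEMP,
     "dest": "203.0.113.10:443", "bytes_out": 40 * 1024 * 1024},
    {"ts": T + timedelta(minutes=20), "host": "WS-17", "pid": 4188, "image": PY_TEMP,
     "dest": "203.0.113.10:443", "bytes_out": 30 * 1024 * 1024},
    {"ts": T + timedelta(minutes=5), "host": "WS-17", "pid": 3001,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest": "198.51.100.7:443", "bytes_out": 120 * 1024 * 1024},   # browser: exempt
    {"ts": T - timedelta(hours=80), "host": "WS-17", "pid": 900,
     "image": r"C:\Windows\System32\svchost.exe",
     "dest": "198.51.100.20:443", "bytes_out": 2048},               # outside the 72 h window
]

if __name__ == "__main__":
    for a in detect_process_anomalies(PROC_EVENTS) + detect_egress_anomalies(NET_EVENTS):
        print("ALERT", *a)
    for dest, info in outbound_connections(NET_EVENTS, "WS-17", REFERENCE_NOW).items():
        print("HUNT", dest, info)
```

None of the rules keys on a hash, domain or IP, which is the point of the "behavioural over IOC" argument made earlier: rotating infrastructure changes nothing about an unsigned executable in Downloads spawning an interpreter from Temp that then ships tens of megabytes out. The browser exemption and the 50 MiB threshold are where false-positive tuning happens in practice; the signed developer interpreter on WS-22 shows a benign Python launch passing untouched.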
Key Takeaways
- SilverFox is an active APT group that used fake Income Tax Department emails to compromise Indian enterprises starting December 2025, expanding across four countries by early 2026.
- The campaign deploys a multi-stage attack chain: phishing email → RustSL loader → ValleyRAT RAT → ABCDoor Python backdoor — each stage designed to evade detection at the previous layer.
- ABCDoor enables real-time screen streaming, file exfiltration, and clipboard access, making it a serious threat to any environment handling financial or sensitive operational data.
- Behavioural detection (EDR, UEBA, DNS anomaly monitoring) is more effective than signature-based defences against this toolkit.
- Employee training must specifically address government-authority impersonation, not just generic phishing scenarios.
- Organisations with DPDP Act or GDPR obligations should assess whether existing breach detection capabilities would identify an ABCDoor infection within the required notification window.
Conclusion
The SilverFox campaign targeting Indian businesses is a textbook example of why sophisticated attackers no longer need to break through defences — they walk through the front door, dressed as the taxman. The combination of authoritative impersonation, multi-stage payload delivery, and a newly evolved backdoor with real-time surveillance capabilities makes this a materially dangerous campaign, not a routine phishing wave.
What makes it more concerning is what it reveals about attacker strategy: the weakest link in the security chain is not a misconfigured firewall or an unpatched server. It is the moment an employee, under perceived institutional pressure, downloads a file without questioning it. No technical control fully substitutes for an organisation where employees understand that legitimate government agencies do not demand you download compressed archives.
The practical next step for any security team today: review your email gateway configuration against known DMARC failures, audit which employee populations receive external attachments without sandboxing, and run a tabletop exercise simulating a government-authority phishing scenario. These are the gaps SilverFox exploits — and they are fixable.
Frequently Asked Questions
What is the SilverFox APT group?
SilverFox is an Advanced Persistent Threat (APT) group that has historically targeted enterprises across Asia in sectors including telecommunications, energy, logistics, and finance. The group is characterised by sophisticated multi-stage attack chains and an evolving malware toolkit. Their December 2025–2026 campaign marks a significant expansion in geographic targeting, hitting organisations in India, Indonesia, South Africa, and Russia.
How can I tell if an email is really from the Income Tax Department?
India's Income Tax Department communicates through the official portal (incometax.gov.in) and sends notices with a Document Identification Number (DIN) that can be verified online. The department does not ask taxpayers to download compressed archives (.zip or .rar files) via email. If you receive a tax-related email asking you to download a file, treat it as suspicious until verified through official channels directly — not through links or contact details provided in the email itself.
What should I do if I already opened the attachment?
Immediately disconnect the affected computer from the internet and your office network (pull the network cable or disable Wi-Fi) without shutting the machine down. Contact your IT security team or a cybersecurity incident response provider. Do not use the machine to log into any other accounts. If you are an individual rather than part of an organisation, consider contacting CERT-In (India's Computer Emergency Response Team) and your bank if financial credentials may have been exposed.
Is ABCDoor detectable by standard antivirus software?
Standard signature-based antivirus tools will struggle to detect ABCDoor reliably because it is Python-based, self-updating, and operates significantly in memory rather than as a persistent file on disk. Detection requires behavioural endpoint security tools (EDR) that flag abnormal process activity — such as a Python interpreter spawning unexpectedly, unusual clipboard access, or high-volume outbound network connections from a non-browser process.
Which Indian industries are most at risk from this campaign?
Kaspersky's analysis of the active campaign identifies industrial companies, consulting firms, trade businesses, and transportation and logistics operators as primary targets. These sectors were specifically selected, likely because they hold supply chain data, client financial records, and in some cases relationships with government entities — all of which carry intelligence or monetisation value for the attacker.
