silver-fox-abcdoor-2026-04-30
Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain
Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positions

| ID | Role | Type | Value |
|---|---|---|---|
| e1 | entry | file | tax-themed phishing email attachment or lure PDF |
| e2 | redirector | url | attacker-controlled external download website |
| e3 | staging | file | tax-related malicious archive |
| e4 | staging | file | Silver Fox RustSL loader executable mimicking a document |
| e5 | staging | file | encrypted RustSL payload file disguised with benign extension |
| e6 | payload | file | ValleyRAT Login module / Winos 4.0 payload |
| e7 | c2 | ip | 207.56.138.28 |
| e8 | payload | file | custom ValleyRAT module 保86.dll / 保86.dll_bin |
| e9 | staging | url | http://154.82.81.205/YD20251001143052.zip |
| e10 | staging | file | ABCDoor appclient Python archive |
| e11 | payload | file | ABCDoor Python backdoor |
Relations
directed infrastructure edges

| From | Type | To | Confidence |
|---|---|---|---|
| e1 | references | e2 | likely |
| e2 | download | e3 | likely |
| e3 | drops | e4 | confirmed |
| e3 | drops | e5 | confirmed |
| e4 | references | e5 | confirmed |
| e4 | execute | e6 | confirmed |
| e6 | connect | e7 | confirmed |
| e6 | drops | e8 | confirmed |
| e8 | download | e9 | confirmed |
| e9 | download | e10 | confirmed |
| e10 | execute | e11 | confirmed |
Entities & evidence
observable inventory

| ID | Type | Value | Source / evidence |
|---|---|---|---|
| e1 | file | tax-themed phishing email attachment or lure PDF | Kaspersky reports delivery as email attachment or via a PDF containing a link to an attacker-controlled website. |
| e2 | url | attacker-controlled external download website | Kaspersky describes archive delivery via external attacker-controlled websites linked from PDF attachments. |
| e3 | file | tax-related malicious archive | Kaspersky reports that the majority of loader samples were contained within tax-related archives. |
| e4 | file | Silver Fox RustSL loader executable mimicking a document | Kaspersky describes a customized RustSL loader used by Silver Fox in this campaign. |
| e5 | file | encrypted RustSL payload file disguised with benign extension | Kaspersky reports payloads placed in the same archive as the loader and disguised with extensions such as PNG, HTM, MD, LOG, XLSX, ICO, CFG, MAP, XML or OLD. |
| e6 | file | ValleyRAT Login module / Winos 4.0 payload | Kaspersky describes the decrypted payload leading to the ValleyRAT Login module. |
| e7 | ip | 207.56.138.28 | Kaspersky shows ValleyRAT configuration containing p1:207.56.138[.]28 and port 6666. |
| e8 | file | custom ValleyRAT module 保86.dll / 保86.dll_bin | Kaspersky describes two previously unseen ValleyRAT modules responsible for downloading and launching ABCDoor. |
| e9 | url | http://154.82.81.205/YD20251001143052.zip | Kaspersky reports a 52.5 MB archive downloaded from this hardcoded URL, with the archive updated multiple times while the filename remained stable. |
| e10 | file | ABCDoor appclient Python archive | Kaspersky describes the downloaded archive as containing the ABCDoor Python backdoor package launched as appclient. |
| e11 | file | ABCDoor Python backdoor | Kaspersky names ABCDoor as a previously undocumented Python-based backdoor delivered by Silver Fox. |
ATT&CK annotations
optional complementary mapping

| Technique | Name | Tactic | Comment |
|---|---|---|---|
| T1566.001 | Spearphishing Attachment | Initial Access | Tax-themed email attachments are described in the public report. |
| T1566.002 | Spearphishing Link | Initial Access | Alternative delivery via PDF attachment containing a link to an external attacker-controlled website. |
| T1204.002 | User Execution: Malicious File | Execution | User interaction is required to open the delivered archive/executable chain. |
| T1027 | Obfuscated Files or Information | Defense Evasion | Encrypted payload container and disguised sidecar files. |
Raw IIM JSON

canonical body from MANTIS expand
```json
{
  "iim_version": "1.1",
  "chain_id": "silver-fox-abcdoor-2026-04-30",
  "title": "Silver Fox tax-themed RustSL to ValleyRAT and ABCDoor chain",
  "description": "Observed Silver Fox campaign using tax-themed delivery to distribute a customized RustSL loader, ValleyRAT, custom ValleyRAT modules and the ABCDoor Python backdoor. The chain models only infrastructure and delivery composition aspects; endpoint persistence and execution details are kept in ATT&CK annotations or notes.",
  "actor_id": "Silver Fox",
  "observed_at": "2025-12-01T00:00:00Z",
  "confidence": "likely",
  "x_references": [
    {
      "title": "Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India",
      "publisher": "Kaspersky Securelist",
      "published": "2026-04-30",
      "url": "https://securelist.com/silver-fox-tax-notification-campaign/119575/"
    }
  ],
  "entities": [
    {
      "id": "e1",
      "type": "file",
      "value": "tax-themed phishing email attachment or lure PDF",
      "evidence": [
        "Kaspersky reports delivery as email attachment or via a PDF containing a link to an attacker-controlled website."
      ]
    },
    {
      "id": "e2",
      "type": "url",
      "value": "attacker-controlled external download website",
      "evidence": [
        "Kaspersky describes archive delivery via external attacker-controlled websites linked from PDF attachments."
      ]
    },
    {
      "id": "e3",
      "type": "file",
      "value": "tax-related malicious archive",
      "evidence": [
        "Kaspersky reports that the majority of loader samples were contained within tax-related archives."
      ]
    },
    {
      "id": "e4",
      "type": "file",
      "value": "Silver Fox RustSL loader executable mimicking a document",
      "evidence": [
        "Kaspersky describes a customized RustSL loader used by Silver Fox in this campaign."
      ]
    },
    {
      "id": "e5",
      "type": "file",
      "value": "encrypted RustSL payload file disguised with benign extension",
      "evidence": [
        "Kaspersky reports payloads placed in the same archive as the loader and disguised with extensions such as PNG, HTM, MD, LOG, XLSX, ICO, CFG, MAP, XML or OLD."
      ]
    },
    {
      "id": "e6",
      "type": "file",
      "value": "ValleyRAT Login module / Winos 4.0 payload",
      "evidence": [
        "Kaspersky describes the decrypted payload leading to the ValleyRAT Login module."
      ]
    },
    {
      "id": "e7",
      "type": "ip",
      "value": "207.56.138.28",
      "evidence": [
        "Kaspersky shows ValleyRAT configuration containing p1:207.56.138[.]28 and port 6666."
      ]
    },
    {
      "id": "e8",
      "type": "file",
      "value": "custom ValleyRAT module 保86.dll / 保86.dll_bin",
      "evidence": [
        "Kaspersky describes two previously unseen ValleyRAT modules responsible for downloading and launching ABCDoor."
      ]
    },
    {
      "id": "e9",
      "type": "url",
      "value": "http://154.82.81.205/YD20251001143052.zip",
      "evidence": [
        "Kaspersky reports a 52.5 MB archive downloaded from this hardcoded URL, with the archive updated multiple times while the filename remained stable."
      ]
    },
    {
      "id": "e10",
      "type": "file",
      "value": "ABCDoor appclient Python archive",
      "evidence": [
        "Kaspersky describes the downloaded archive as containing the ABCDoor Python backdoor package launched as appclient."
      ]
    },
    {
      "id": "e11",
      "type": "file",
      "value": "ABCDoor Python backdoor",
      "evidence": [
        "Kaspersky names ABCDoor as a previously undocumented Python-based backdoor delivered by Silver Fox."
      ]
    }
  ],
  "chain": [
    {
      "entity_id": "e1",
      "role": "entry",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "review_notes": "The exact sender address and concrete lure file name are not modeled because the public report describes the delivery class, not a single canonical artifact."
    },
    {
      "entity_id": "e2",
      "role": "redirector",
      "techniques": [],
      "role_confidence": "likely",
      "technique_confidence": "confirmed",
      "needs_review": true,
      "review_notes": "Only applicable to the PDF-link delivery variant. The email-attachment variant can skip this position."
    },
    {
      "entity_id": "e3",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e4",
      "role": "staging",
      "techniques": [
        "IIM-T019"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "The geofencing check is implemented in the loader/client side, but it controls whether the delivery chain continues. This is modeled as gating because the campaign flow is region-restricted before later payload retrieval."
    },
    {
      "entity_id": "e5",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Disguised encrypted payload container. No existing IIM v1.0 technique exactly captures disguised sidecar payload files; do not invent a fake IIM-T ID."
    },
    {
      "entity_id": "e6",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e7",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Known ValleyRAT C2 IP from the decoded configuration."
    },
    {
      "entity_id": "e8",
      "role": "payload",
      "techniques": [
        "IIM-T019"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "The custom module repeats the geolocation check before attempting ABCDoor archive retrieval."
    },
    {
      "entity_id": "e9",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "review_notes": "Stable hardcoded URL serving mutable archive content. This is a strong candidate for a future composition or hosting technique, but no current IIM-T### maps cleanly."
    },
    {
      "entity_id": "e10",
      "role": "staging",
      "techniques": [
        "IIM-T024"
      ],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    },
    {
      "entity_id": "e11",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed"
    }
  ],
  "relations": [
    {
      "from": "e1",
      "to": "e2",
      "type": "references",
      "sequence_order": 1,
      "confidence": "likely"
    },
    {
      "from": "e2",
      "to": "e3",
      "type": "download",
      "sequence_order": 2,
      "confidence": "likely"
    },
    {
      "from": "e3",
      "to": "e4",
      "type": "drops",
      "sequence_order": 3,
      "confidence": "confirmed"
    },
    {
      "from": "e3",
      "to": "e5",
      "type": "drops",
      "sequence_order": 4,
      "confidence": "confirmed"
    },
    {
      "from": "e4",
      "to": "e5",
      "type": "references",
      "sequence_order": 5,
      "confidence": "confirmed"
    },
    {
      "from": "e4",
      "to": "e6",
      "type": "execute",
      "sequence_order": 6,
      "confidence": "confirmed"
    },
    {
      "from": "e6",
      "to": "e7",
      "type": "connect",
      "sequence_order": 7,
      "confidence": "confirmed"
    },
    {
      "from": "e6",
      "to": "e8",
      "type": "drops",
      "sequence_order": 8,
      "confidence": "confirmed"
    },
    {
      "from": "e8",
      "to": "e9",
      "type": "download",
      "sequence_order": 9,
      "confidence": "confirmed"
    },
    {
      "from": "e9",
      "to": "e10",
      "type": "download",
      "sequence_order": 10,
      "confidence": "confirmed"
    },
    {
      "from": "e10",
      "to": "e11",
      "type": "execute",
      "sequence_order": 11,
      "confidence": "confirmed"
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1566.001",
      "name": "Spearphishing Attachment",
      "tactic": "Initial Access",
      "comment": "Tax-themed email attachments are described in the public report."
    },
    {
      "technique_id": "T1566.002",
      "name": "Spearphishing Link",
      "tactic": "Initial Access",
      "comment": "Alternative delivery via PDF attachment containing a link to an external attacker-controlled website."
    },
    {
      "technique_id": "T1204.002",
      "name": "User Execution: Malicious File",
      "tactic": "Execution",
      "comment": "User interaction is required to open the delivered archive/executable chain."
    },
    {
      "technique_id": "T1027",
      "name": "Obfuscated Files or Information",
      "tactic": "Defense Evasion",
      "comment": "Encrypted payload container and disguised sidecar files."
    }
  ],
  "x_candidate_iim_techniques": [
    {
      "name": "Mutable Payload Behind Stable Staging URL",
      "category": "composition",
      "reason": "Kaspersky reports that YD20251001143052.zip was updated multiple times while staying on the same host and filename. This is infrastructure behavior, not endpoint behavior."
    },
    {
      "name": "Disguised Sidecar Payload Container",
      "category": "composition",
      "reason": "Encrypted payload placed next to the loader and disguised as benign-looking files. This is delivery composition, but no exact v1.0 technique exists."
    }
  ]
}
```