Silver Fox uses the new ABCDoor backdoor to target organizations in Russia and India

Khushal

Apr 4, 2024
Kaspersky says that it primarily focused on Chinese-speaking individuals and organizations, but now Silver Fox's victimology has broadened to include organizations operating in the public, financial, medical, and technology sectors. Attacks mounted by the group have leveraged search engine optimization (SEO) poisoning and phishing to deliver variants of Gh0st RAT such as ValleyRAT, Gh0stCringe, and HoldingHands RAT (aka Gh0stBins).

Kaspersky’s point there is that the group’s targeting appears to be wider than before, not limited to Chinese-speaking victims anymore.

What that means in practice

  • Earlier reporting linked Silver Fox mainly to Chinese-speaking individuals and organizations.
  • More recent campaigns appear to include a broader set of targets, including public sector, finance, healthcare, and technology.
  • The delivery methods mentioned, such as SEO poisoning and phishing, are fairly common because they scale well and do not require exploiting a zero-day.
  • The malware families listed are different Gh0st RAT-related variants, so the core pattern is not entirely new, but the packaging, lures, and infrastructure can evolve.

Important caution

That does not automatically mean every organization in those sectors is being actively targeted right now. It means researchers observed enough activity to say the victimology has expanded based on the campaigns they analyzed.

Why this matters

For defenders, the useful takeaway is usually less about the group name and more about the attack chain:

  • Malicious search results leading to fake software or documents
  • Phishing messages using tax, invoice, or government-themed lures
  • Remote access trojans delivered through loaders or disguised installers

If someone is trying to assess risk, the practical response would be:

  • Harden email filtering and attachment controls
  • Warn users about search-engine-delivered downloads
  • Block unsigned or unexpected installers where possible
  • Monitor for unusual outbound connections and persistence mechanisms
  • Review the indicators and TTPs in the Securelist report directly

Bottom line

The quote is basically saying Silver Fox has moved from a narrower victim profile to a broader one, and that expansion is supported by recent campaigns using phishing and SEO poisoning to distribute Gh0st RAT variants.

Source
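As an added illustration of the "monitor for unusual outbound connections and persistence mechanisms" item in the post's response list (this is example code written for this page, not code from the post, from Kaspersky, or from the Securelist report), the script below runs simple detection logic over a handful of constructed endpoint log lines. The pipe-separated log format, the per-process egress baseline, the port and byte thresholds, and the list of user-writable autorun locations are all assumptions chosen for the example; a real deployment would derive the baseline from its own telemetry.

```python
"""Flag unusual outbound connections and suspicious autorun persistence.

Added example for this page (hypothetical helper; not the post's, Kaspersky's
or Securelist's code). All input below is constructed sample data.
"""
import ipaddress

# Constructed endpoint network-log lines: host|process|dest_ip|dest_port|bytes_out
# Destination addresses use the RFC 5737 documentation ranges only.
NETWORK_LOG = """\
WS-01|outlook.exe|10.0.0.5|443|12000
WS-01|chrome.exe|192.0.2.10|443|90000
WS-01|svchost.exe|10.0.0.9|445|3000
WS-02|chrome.exe|192.0.2.10|443|45000
WS-02|update_helper.exe|203.0.113.77|8443|700000
WS-03|notepad.exe|198.51.100.21|53|250000
"""

# Constructed Run-key style autorun entries: host|value_name|command
AUTORUN_LOG = """\
WS-01|OneDrive|C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background
WS-02|Updater|C:\\Users\\bob\\AppData\\Roaming\\svc\\update_helper.exe
WS-03|Helper|C:\\Users\\alice\\AppData\\Local\\Temp\\tmp8f2.exe
"""

# Assumed baseline: processes expected to reach the internet on these hosts.
KNOWN_EGRESS = {"chrome.exe", "outlook.exe", "msedge.exe"}
# Assumed "normal" destination ports for direct-to-internet traffic.
EXPECTED_PORTS = {80, 443}
# User-writable locations from which an autorun entry is rarely legitimate.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\", "\\users\\public\\")
# Internal ranges (RFC 1918 plus loopback); anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True if the address falls inside one of the configured internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_network(text):
    for line in text.splitlines():
        host, proc, ip, port, out = line.split("|")
        yield host, proc, ip, int(port), int(out)


def flag_outbound(text, known=KNOWN_EGRESS, byte_threshold=200_000):
    """Return (host, process, dest_ip, reason) tuples for connections worth triage."""
    findings = []
    for host, proc, ip, port, out in parse_network(text):
        if is_internal(ip):
            continue  # only direct-to-internet traffic is scored here
        reasons = []
        if proc.lower() not in known:
            reasons.append("unbaselined process reaching the internet")
        if port not in EXPECTED_PORTS:
            reasons.append(f"non-standard port {port}")
        if out >= byte_threshold:
            reasons.append(f"large upload ({out} bytes)")
        if reasons:
            findings.append((host, proc, ip, "; ".join(reasons)))
    return findings


def flag_autoruns(text):
    """Return (host, value_name, command) for autoruns launched from user-writable paths."""
    findings = []
    for line in text.splitlines():
        host, name, cmd = line.split("|", 2)
        if any(p in cmd.lower() for p in USER_WRITABLE):
            findings.append((host, name, cmd))
    return findings


def correlate(net_findings, autorun_findings):
    """Hosts that show both a suspicious autorun and an unusual outbound connection."""
    net_hosts = {h for h, *_ in net_findings}
    auto_hosts = {h for h, *_ in autorun_findings}
    return sorted(net_hosts & auto_hosts)


if __name__ == "__main__":
    net = flag_outbound(NETWORK_LOG)
    auto = flag_autoruns(AUTORUN_LOG)
    for f in net:
        print("NET ", f)
    for f in auto:
        print("RUN ", f)
    print("hosts with both signals:", correlate(net, auto))
```

Neither signal is conclusive on its own: a new process talking to the internet may be a legitimate update agent, and an autorun under AppData may be a user-installed tool. Correlating the two per host, as `correlate` does, is what turns generic noise into something an analyst can prioritise, which is the practical point behind the post's "monitor for unusual outbound connections and persistence mechanisms" advice.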