EXECUTIVE SUMMARY
The Silver Fox threat group has been attributed to a wave of malicious emails designed to look like official correspondence from the Indian and Russian tax services. The campaigns, which impacted organizations across the industrial, consulting, retail, and transportation sectors, used phishing emails to convince victims to download an archive containing a modified Rust-based loader pulled from a public repository.
The loader would then download and execute the well-known ValleyRAT backdoor. In a new development, the attackers have begun delivering a new Python-based backdoor, dubbed ABCDoor, which has been part of the Silver Fox arsenal since at least late 2024.
The Silver Fox group's use of a multi-stage approach to payload delivery and a segmented infrastructure, with different addresses and domains for various stages of the attack, makes it difficult to detect and block the entire attack chain. Organizations should adopt a comprehensive approach to securing their infrastructure, including implementing robust security measures such as patching, monitoring, backups, and endpoint protection. Kaspersky security solutions have successfully detected malicious activity associated with the attacks described in this post.
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.003 | Command and Scripting Interpreter | Windows Command Shell |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1027.002 | Obfuscated Files or Information | Software Packing |
| Defense Evasion | T1497.001 | Virtualization/Sandbox Evasion | System Checks |
| Defense Evasion | T1112 | Modify Registry | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following report contains further technical details:
https://securelist.com/silver-fox-tax-notification-campaign/119575/