China-linked group is sending 1,600 fake tax-audit emails to Indian and Russian companies, then dropping a brand-new backdoor called ABCDoor

Kaspersky tracked a China-based group called Silver Fox running a tax-themed phishing campaign against organizations in India, Russia, Indonesia, Japan, and South Africa. Phishing emails impersonate the Indian Income Tax Department or Russian tax service with subjects about audits or 'lists of tax violations.' Inside the attached archive sits a modified Rust loader that pulls down a known backdoor called ValleyRAT, plus a brand-new Python-based backdoor called ABCDoor. ABCDoor handles screen recording, keystroke control, clipboard theft, and file operations. Kaspersky logged 1,600+ phishing emails between January and February 2026 across industrial, consulting, retail, and transportation sectors.

Check

Search proxy and DNS logs for connections to abc.haijing88.com since December 2025. Hunt endpoints for pythonw.exe processes initiating outbound HTTPS to unfamiliar destinations.

Affected

Organizations in India, Russia, Indonesia, Japan, and South Africa, particularly in industrial, consulting, retail, and transportation sectors. Finance and accounting staff who routinely receive tax correspondence are the highest-risk role. Multinationals with operations in any of these regions face the same risk through local subsidiaries.

Fix

Block abc.haijing88.com and related Silver Fox infrastructure at the DNS resolver. Train finance staff that real tax correspondence never arrives as a ZIP or RAR archive of 'violations' to download. Quarantine any host running pythonw.exe with unexpected outbound HTTPS, and remove FFmpeg installations not authorized by IT. Rotate credentials on suspected compromised hosts and reimage.