The APT campaign involved disguising malicious files as documents related to tax violations. Upon infection, attackers could gain remote access to affected devices and exfiltrate sensitive organizational data.
Kaspersky Global Research & Analysis Team (GReAT) analyzed several new waves of cyberattacks conducted by the SilverFox group, observed since December 2025. The campaign targeted companies in India, Indonesia, South Africa and Russia across industrial, consulting, trade and transportation sectors.
The phishing emails were crafted to appear as official tax audit notifications or to prompt recipients to download an archive purportedly containing a “list of tax violations.” By leveraging the perceived authority and urgency of communications from tax agencies, the threat actor aimed to persuade victims to download the file and trigger the attack chain. Between January and February alone, more than 1,600 malicious emails were recorded.
The threat actor expanded its toolkit by deploying a new Python-based backdoor, dubbed as ABCDoor, via the previously known ValleyRAT backdoor used in earlier attacks. ABCDoor was present in the APT arsenal from the end of 2024 and was used in attacks throughout 2025. It enables attackers to upload and download files, and also to remotely control infected systems by streaming multiple victim screens simultaneously in near real time, accessing the clipboard, and updating itself.
“Social engineering played a key role in this campaign. The group exploited users’ tendency to trust communications from official agencies, such as tax authorities. At the same time, SilverFox employed a multi-stage delivery approach for the primary malicious payload and utilized multiple email addresses and domains. This increases the overall risk posed by such attacks, as it helps minimize the likelihood of detection and disruption across the attack chain,” says Anton Kargin, senior security researcher in Kaspersky GReAT.
Previously, SilverFox targeted enterprises in Asia in sectors including telecommunications, energy, logistics and finance. Read the full report on Securelist.com to learn more about the APT new campaign and its toolset.
To stay safe Kaspersky recommends that organizations: Regularly improve employees’ level of digital literacy.
This can be achieved through specialized courses or training programs, such as the Kaspersky Automated Security Awareness Platform. Use a solution that can automatically block suspicious emails, scan password-protected archives and apply CDR technology, such as Kaspersky Security for Mail Server.
Latest News
M K Stalin tenders resignation as Tamil Nadu chief minister
People’s Bank wins ‘Sri Lanka’s Best Asian Bank 2026’ award
Central Bank, Australia partner to boost digital financial literacy for MSMEs
Rising rubber prices to lift revenues for top plantation firms
China overtakes India as Sri Lanka's top trading partner
Browns Beach Hotels' exit offer launched
Kaspersky identified a new SilverFox campaign targeting companies
Sri Lanka and Australia partner FAO on AUD 2mn to restore vegetable livelihoods
Pakistan opens Iran land corridors
‘Gee Sambhavana’ musical show launched featuring veteran artistes
