Cybersecurity firm Kaspersky has identified a series of phishing attacks worldwide and attributes them to the SilverFox threat group. The attackers posed as tax authorities, and the campaign now deploys a Python backdoor named ABCDoor. The campaign began in December 2025 in India, mimicking official notices from the Income Tax Department. The same group then targeted Russia in January and expanded its attacks to countries including Indonesia and South Africa.
The campaign involved over 1,600 malicious emails sent between January and February, primarily targeting firms in various sectors such as industrial, consulting, trade, and transportation. Recipients were prompted to download an archive labeled as a “list of tax violations.” Upon download, a modified Rust-based loader was activated, leading to the deployment of the ValleyRAT backdoor. This backdoor introduced a new plugin to victim devices, serving as a loader for a previously unknown Python-based backdoor.
Through this backdoor, the attackers gained the ability to upload and download files and to remotely control infected systems, streaming the screens of multiple victims simultaneously in near real time. Kaspersky advised smartphone users to improve their digital literacy and recommended that organizations strengthen email defenses by automatically blocking suspicious emails, scanning password-protected archives, and implementing CDR (content disarm and reconstruction) technology.
A recent report highlighted that credential theft and identity compromise have become major entry points for large-scale cyber attacks on Indian IT firms. The report recorded 265.52 million detections across more than 8 million endpoints, emphasizing the increasing weaponization of stolen login credentials on the dark web. Trojans accounted for nearly 43% of detections and served as the primary payload for harvesting login information. Attackers use phishing, malware, and compromised applications to acquire credentials, which are then traded on dark-web platforms.
The report also underscored the vulnerability of Indian IT firms due to their extensive use of cloud platforms, remote access systems, and third-party integrations. A single compromised credential can potentially grant access to multiple environments, significantly amplifying the impact of cyber threats.
