Silver Fox tax-themed phishing campaign delivering ABCDoor and ValleyRAT
Campaign
Summary
Hide ▲
Show ▼
Silver Fox is running a tax-themed phishing campaign that now targets India with Income Tax Department lures and delivers ValleyRAT (aka Winos 4.0). The campaign uses phishing emails, DLL hijacking, a ZIP/NSIS installer chain, and process injection into `explorer.exe` to install the malware and enable keylogging, credential harvesting, and defense evasion. The group is China-based and also uses related lure sites and installer infrastructure to track downloads and distribute ValleyRAT. The campaign matters because it shows a sustained, multi-stage delivery chain built for persistence and low-noise access.
Related Happenings
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware Activity
H score33
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
Atlas RAT and related loaders deployed for remote access and credential theft
Malware ActivityAbout this happening: **TA4922**, a **China-linked** and likely **financially motivated** malware activity, has expanded beyond **East Asia** into **Europe** and **Africa**. The group uses **Atlas RAT*...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
Campaign
H score73
First: 03.06.2026 00:54
Last: 03.06.2026 00:54
Sources 1
About this happening:
**WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
WeedHack YouTube and SEO poisoning campaign targeting Minecraft players
CampaignAbout this happening: **WeedHack** is a **Minecraft-focused malware-as-a-service (MaaS)** campaign that uses **YouTube** and **SEO poisoning** to push malicious **mods, clients, cheats, and utilities**...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: **Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Timeline
-
04.05.2026 14:57 3 articles · 2mo ago
Silver Fox tax-phishing campaign delivers ABCDoor and ValleyRAT
Initial DisclosureSilver Fox is linked to a tax-themed phishing campaign targeting organizations in Russia and India, using fake Income Tax Department of India notices and archive lures to deliver a modified RustSL loader, ValleyRAT (aka Winos 4.0), and the previously undocumented Python-based backdoor ABCDoor; the operation spans December 2025 to early February 2026, with more than 1,600 phishing emails flagged and the highest attack volume seen in India, Russia, and Indonesia across industrial, consulting, retail, and transportation organizations.
Show sources
- Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- Silver Fox Deploys ABCDoor Malware via Tax-Themed Phishing in India and Russia — thehackernews.com — 04.05.2026 14:57
- Silver Fox Targets Indian Users With Tax-Themed Emails Delivering ValleyRAT Malware — thehackernews.com — 30.12.2025 12:46